MD5: c1efdf1d2f9d814dbdd620eadccd7ec2
SHA1: 21c8a1e1d26fe8eef0c40df8055a7004f208d129
SHA256: e42757369c28858b14739bd513fc9aeb691166a85e260e038f105adf7e40ad7e
SSDeep: 12288:bjlVIlOxOEwLxfBMiRMb67oo282ryHjglpJc7ilfs pdEbqBC8SRVUdz:bhVIlOkViiRMb6f282ODggvuduqw8SQz
Size: 717689 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Software sharing company
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

taskkill.exe:1040
taskkill.exe:1244
83506.exe:948
tasklist.exe:1176
tasklist.exe:1236
tasklist.exe:780
tasklist.exe:2040
tasklist.exe:1860
tasklist.exe:1076
tasklist.exe:1272
tasklist.exe:1156
tasklist.exe:304
tasklist.exe:1816
tasklist.exe:1276
tasklist.exe:1052
tasklist.exe:1920
tasklist.exe:560
tasklist.exe:520
tasklist.exe:1532
tasklist.exe:1376
tasklist.exe:1264
tasklist.exe:1036
tasklist.exe:284
109341.exe:1816
40512.exe:1016
52022.exe:792
26172.exe:1524
%original file name%.exe:1676
voracious.exe:1620
find.exe:1164
find.exe:1176
find.exe:1984
find.exe:1244
find.exe:1160
find.exe:1056
find.exe:1996
find.exe:1368
find.exe:1336
find.exe:1344
find.exe:1604
find.exe:624
find.exe:1936
find.exe:776
find.exe:1388
find.exe:1108
find.exe:1452
find.exe:264
find.exe:476
find.exe:492
find.exe:2012

The Application injects its code into the following process(es):

noo.exe:1520

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 83506.exe:948 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (123 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (0 bytes)

The process 109341.exe:1816 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\ShellLink.dll (4 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp (0 bytes)

The process 40512.exe:1016 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf6.tmp\SimpleFC.dll (5289 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf6.tmp\SimpleFC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf6.tmp (0 bytes)

The process 52022.exe:792 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\System.dll (11 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7.tmp (0 bytes)

The process 26172.exe:1524 makes changes in the file system.
The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp (0 bytes)

The process %original file name%.exe:1676 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\AccessControl.dll (13 bytes)
%Program Files%\ozzie\voracious.exe (1056 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\109341.exe (10589 bytes)
%Program Files%\chapel\noo.exe (10845 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\40512.exe (3081 bytes)
%WinDir%\noo.exe (10845 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\26172.exe (1094 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\52022.exe (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\83506.exe (1082 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\knifing.lnk (451 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)

The process voracious.exe:1620 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskC.tmp\ExecCmd.dll (4 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskC.tmp (0 bytes)

The process noo.exe:1520 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@trufflechores[1].txt (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[3].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\page-2[1].htm (3973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAEB45AN.xml (775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[6].xml (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[2].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\flaD.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\analytics[1].js (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CACT6ZGP.xml (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CALBWO43.xml (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v[1].xml (654 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CASFPJMN.xml (811 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1076 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA4C1OL8.xml (815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA0XE74L.xml (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAPOJEJT.xml (782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA638XMB.xml (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[6].xml (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[8].xml (687 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (544 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sxx (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (719 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (1066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\css1[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[5].xml (804 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[2].txt (292 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (15228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8L49I5.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\abcd[1].mp4 (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAM0RPYJ.xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAA5IRW1.xml (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\player1[1].swf (17377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA5S8Z1M.xml (777 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@trufflechores[2].txt (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (19901 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (1485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAKK5PCL.xml (714 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[7].xml (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[5].xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA23S1MZ.xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[8].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[7].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\page-2[1].htm (3942 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[7].xml (652 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6XDINC.xml (733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[6].xml (705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[7].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAUFC9QV.xml (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAUJM7MH.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (645 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jwplayer1[1].js (75873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAJX8CWV.xml (760 bytes)
%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ova-jw[1].swf (33929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAZDLL39.xml (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[6].xml (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[2].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[2].js (1353 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@trufflechores[1].txt (0 bytes)
%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\page-2[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\collect[1].gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sol (0 bytes)

Registry activity

The process taskkill.exe:1040 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 9A B0 94 A5 7C F9 E2 EB B3 98 C6 1D 4C 93 7B"

The process taskkill.exe:1244 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 80 24 CA 52 80 56 09 E8 CB 69 F9 F6 D3 BC 26"

The process 83506.exe:948 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 F4 96 21 7C A1 5F 0E C2 FB 4C B3 F8 6D DF CD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process tasklist.exe:1176 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 01 18 1C D3 18 F0 56 A9 78 CD D2 63 2A 94 AE"

The process tasklist.exe:1236 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C B2 C6 75 7C 3C 62 5D 00 B7 3A 62 A8 DA 5A AE"

The process tasklist.exe:780 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 D0 C8 2D 75 05 E2 FF D2 F4 31 1C 1B D9 02 AC"

The process tasklist.exe:2040 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 2D 2D 06 42 F6 17 AE 91 69 3A F1 D1 27 A8 AD"

The process tasklist.exe:1860 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 20 07 8A 35 67 BA 9B E1 F2 D0 A3 44 A2 8A D9"

The process tasklist.exe:1076 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 28 E7 C9 2C C4 AC 30 7E 6E 5E E9 5F 62 F4 BF"

The process tasklist.exe:1272 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 77 76 61 90 FC EC E5 6B 55 B6 AA DF 3A 60 B9"

The process tasklist.exe:1156 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 3E 5F 17 09 07 DB F7 29 A2 6D 80 C4 79 6A 12"

The process tasklist.exe:304 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 75 32 3F 1A 82 93 E9 47 42 B5 14 7B 83 EB 62"

The process tasklist.exe:1816 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 7A F8 AB 33 30 1A 2C 91 38 46 AD 78 0C 7D 44"

The process tasklist.exe:1276 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 14 C5 A7 53 A9 87 A3 FE F4 86 D0 4B 34 73 CE"

The process tasklist.exe:1052 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 79 CF CB 6A CE 25 16 D0 3A B6 11 39 3B 7C 6A"

The process tasklist.exe:1920 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 F4 E0 FB C2 D7 5E B4 95 C0 31 C4 71 2B 17 73"

The process tasklist.exe:560 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 F6 26 21 E0 D1 0D E3 1A 3E 80 0F 1E EC 66 8D"

The process tasklist.exe:520 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 10 C8 F0 B5 D3 6E 4A 64 B0 7F 26 4E 7B DC 1C"

The process tasklist.exe:1532 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 95 31 36 BF 79 B4 1B C4 AD 01 48 BD C1 EB E6"

The process tasklist.exe:1376 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F CB BD 94 05 6D 69 D1 0B B7 88 B5 17 CE 83 1A"

The process tasklist.exe:1264 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 84 08 E5 CF 36 9F 41 51 AC B3 59 76 C7 E8 8B"

The process tasklist.exe:1036 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A D8 4F A4 22 41 EF 87 E1 F9 9B F6 0A 61 D1 2C"

The process tasklist.exe:284 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 D6 17 50 64 AF 0B EE 42 8D 60 80 18 91 E3 78"

The process 109341.exe:1816 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE DE A6 52 1C 57 97 A7 C9 F0 55 EF 27 B2 CD 82"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 40512.exe:1016 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 87 0F 4E CA 9C 24 CD 2D B5 A2 8E 1A 2F A4 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 52022.exe:792 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 28 B8 44 F1 A9 D0 CE 44 7C B5 A3 1C B7 FD FE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 26172.exe:1524 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 63 F9 23 A0 84 FE 01 B5 E2 18 8B 7A E4 50 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1676 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 B8 61 7E F1 89 7E 0A 5E E2 51 E6 FF 09 0E A7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Application adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"firefighter" = "%Program Files%\chapel\noo.exe"

"neuwirth" = "%Program Files%\chapel\noo.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"coyne" = "%Program Files%\chapel\noo.exe"

"unsettling" = "%Program Files%\chapel\noo.exe"

The process voracious.exe:1620 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 C1 DF 28 8F F8 F8 85 9C BD C8 17 8D DD 5E AA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Application adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"voracious" = "%Program Files%\ozzie\voracious.exe"

"givers" = "%Program Files%\chapel\noo.exe"

The process noo.exe:1520 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "noo.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101220161013]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016101220161013\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101220161013]
"CachePrefix" = ":2016101220161013:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 F9 26 5B AE 3F 05 FF 58 43 97 D9 E1 59 DF 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101220161013]
"CacheOptions" = "11"
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101220161013]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Control\VIDEO\{6CED940B-3310-4568-885E-22B19ACF6715}\0000]
"Attach.ToDesktop" = "1"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process find.exe:1164 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B D7 15 39 68 0A 1C 3C 4B 5E A9 09 83 69 62 61"

The process find.exe:1176 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 E0 9A 58 7E B6 68 CB F9 A6 8E BC 32 15 AB 49"

The process find.exe:1984 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 1B 65 78 9B 4F 17 0E AD 50 A9 0D 2F 8A 77 C2"

The process find.exe:1244 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 55 1F 7D 48 5E C2 1B 16 76 6F 43 87 A7 48 D2"

The process find.exe:1160 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 ED 0E E9 B5 DE E7 AA 5C 06 F5 89 67 B9 54 49"

The process find.exe:1056 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C A8 71 AF 0C A6 70 8D 5A 5E 0D 89 B9 7C AF 2D"

The process find.exe:1996 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 28 7F D2 86 B2 7B B6 73 72 1A 53 FE 64 9C E8"

The process find.exe:1368 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 3E 44 D3 F4 17 A6 F4 8D 89 8C 0E 2B 00 BA 12"

The process find.exe:1336 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 4D 22 7F 9F 87 B4 B0 3B 22 09 BD 00 88 DB BD"

The process find.exe:1344 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 DC 3F B7 AF 81 41 77 63 78 83 03 3E 1B 7C 6F"

The process find.exe:1604 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA F3 B8 FB 17 B5 F4 39 B0 53 D8 23 B2 D0 64 DC"

The process find.exe:624 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 35 26 96 9E ED 26 D9 31 A6 7A E0 33 85 B0 55"

The process find.exe:1936 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 AB CC B5 26 B2 2C 2B C2 E1 F5 B0 3C 34 DB 30"

The process find.exe:776 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 3A C2 AB 83 54 CE 42 99 95 DB 85 FB B3 55 59"

The process find.exe:1388 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 44 D4 45 B5 55 16 06 6E E5 16 33 4C 03 13 C1"

The process find.exe:1108 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B4 A7 2E 03 54 CC C3 C7 0D B0 A7 4A F9 D5 63"

The process find.exe:1452 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E CC 6F 61 3F 03 0B A0 A6 1C FC 73 EE 77 79 4E"

The process find.exe:264 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D CE 05 9A 2D 86 76 4F 70 39 10 A5 10 E7 E8 1B"

The process find.exe:476 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF A0 FB 4F 99 F6 B8 6D FE 5C 88 26 90 16 56 4F"

The process find.exe:492 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E FF C7 A1 A3 4C 5C 78 1E 6F 72 4F A4 C3 67 71"

The process find.exe:2012 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 A8 75 C2 7F CD A4 0D AB 67 C2 17 BD A3 46 93"

Dropped PE files

HOSTS file anomalies

The Application modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 857 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 465
87af60575e95350381303447cd2e0d96
3b59c9c06351fe2dc7ab07fbec5cf3f4
e20c2ee024fb4a3ea1b3416c7e39b340
a9efe494b8b83d12f5e17908c7efb634
786b1a641feab64bdb3604994a1555a7
e60a88037b13ef389b0883e46f245a1c
3f51c8788642751530132a9f3d027551
36f36ac1d61e3d88c9e20b1124209453
0dfa63e653b8e42ef88dfe0b87e0e998
4c59bb5c4cbbe5c13b67a5824b8d866e
17632b5c3594c6040fb5b2223b5c3c28
28a81e67c867325cea1f0383247d88aa
bd9726e2c29e002d07c80b3eb1dc880f
90b17f8eb0ef07b46f978fb7d58d6eae
bebf5e8b9bd776b72b05d6ea12763ba7
a93b6f7b8b3853465fb9b860a6412718
a359342d66abf0b2c8d6a28267967402
5471702b7080d35d18df683ffcea4e9e
2be50e91d783981e62ab1c4280e5ac5d
8370bc749888a1b73acee95d10e10244
dc4e95e1573314f4bbfd3a416b4e14c4
d73c265ce1b86f222455f719d016dfc5
742030e989fa9ab766154b01a7387081
7e319fc3a4d25226bcba86affd0a7991
73f369dc95839a9f01a64b29d8f972ec

URLs

URL	IP
hxxp://d3cpqb3ouewn5u.cloudfront.net/index5.php?id=01ARL47Q8x54AQuSmWmd&date=2016-10-10&p=none&t=
hxxp://d3cpqb3ouewn5u.cloudfront.net/func.js?r=5
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://www.shanaluby.pw/count.php?id=01ARL47Q8x54AQuSmWmd&date=2016-10-10&p=none&t=&rand=	162.222.193.17
hxxp://cocomo.tremorhub.com/itd.php?id=01ARL47Q8x54AQuSmWmd&date=2016-10-10&p=none&t=&rand=
hxxp://c.statcounter.com/10114910/0/757d7213/1/	104.20.3.47
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png	67.202.94.94
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=508514117&t=pageview&_s=1&dl=http://www.trufflechores.pw/index5.php?id=01ARL47Q8x54AQuSmWmd&date=2016-10-10&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=105333898&cid=1715124662.1476264957&tid=UA-74694740-5&_r=1&z=2048820847
hxxp://8c715ae47b.site.internapcdn.net/page-2.html?lid=937115
hxxp://widgets.amung.us/draw/?w=colored&n=646&c=000000ffffff&p=	173.192.200.70
hxxp://109.201.148.40/report1.php?url=/govids/page-2.html?lid=937115
hxxp://govids.net/jwplayer1.js	162.222.194.11
hxxp://109.201.148.40/bck.php?1476264958000
hxxp://govids.net/1.js	162.222.194.11
hxxp://8c715ae47b.site.internapcdn.net/page-2.htm?lid=937115
hxxp://109.201.148.40/report1.php?url=/govids/page-2.htm?lid=937115
hxxp://109.201.148.40/bck.php?1476264959000
hxxp://g1.panthercdn.com/counter/counter.js
hxxp://govids.net/player1.swf	162.222.194.11
hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=DFC313228BC44FF3C01A0DCC64F1B685&sc_random=0.8440365745267391&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://www.govids.net/page-2.html?lid=937115&u=http://www.govids.net/page-2.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1	104.20.3.47
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=1608029956&t=pageview&_s=1&dl=http://www.govids.net/page-2.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=672389418&cid=757982639.1476264960&tid=UA-74694740-2&_r=1&z=1226883924
hxxp://8c715ae47b.site.internapcdn.net/css1.css
hxxp://8c715ae47b.site.internapcdn.net/img/logo.png
hxxp://8c715ae47b.site.internapcdn.net/img/lbg.png
hxxp://cs28.wpc.thetacdn.net/5/10/logo.png
hxxp://govids.net/ova-jw.swf	162.222.194.11
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 2&mediaDesc=Home videos, Funny Videos - 2&mediaId=2&mediaUrl=hxxp://www.govids.net/2.html&srcPageUrl=hxxp://www.govids.net/2.html&contentLength=300&LR_FORMAT=application/x-shockwave-flash
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=thetradedesk,conversant,_dmp_turbine,rocketfuel,mediamath,centro,audiencescience,Bidswitch,dataxu,videoamp,tremornet,beeswax,appnexus,SundaySky,google,TapAd,dynadmic,eyeview,TubeMogul-GP,BidTheatre,ignitionone,adapTV,Videology&uid=ccb1cc725c2d43108581cf70d4976e4e&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=google,conversant,TubeMogul-GP,ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=conversant,TubeMogul-GP,ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=TubeMogul-GP,ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://dyhd7e8p4cqed.cloudfront.net/crossdomain.xml
hxxp://dyhd7e8p4cqed.cloudfront.net/static/noad.xml
hxxp://vi.govids.net/crossdomain.xml	109.201.148.40
hxxp://vi.govids.net/v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hxxp://www.govids.net/2.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Home videos, Funny Videos - 2&LR_FORMAT=application/x-shockwave-flash	109.201.148.40
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 2&mediaDesc=Watch Home videos, Funny Videos - 2&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.govids.net/2.html&contentLength=[CONTENT_LENGTH]
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=beeswax,appnexus,TubeMogul-GP,_dmp_turbine,thetradedesk,rocketfuel,tremornet,BidTheatre,centro,adapTV,Bidswitch,videoamp,Videology,audiencescience,SundaySky,1,TapAd,dataxu,conversant,google,mediamath,eyeview,ignitionone&uid=ccb1cc725c2d43108581cf70d4976e4e&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e
hxxp://thumb.none1366649718.netdna-cdn.com/crossdomain.xml
hxxp://thumb.none1366649718.netdna-cdn.com/abcd.mp4
hxxp://xlf5t.ads.tremorhub.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 2&mediaDesc=Home videos, Funny Videos - 2&mediaId=2&mediaUrl=hxxp://www.govids.net/2.html&srcPageUrl=hxxp://www.govids.net/2.html&contentLength=300&LR_FORMAT=application/x-shockwave-flash	52.206.162.106
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=TubeMogul-GP,ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/crossdomain.xml	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=conversant,TubeMogul-GP,ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://cdn.tremorhub.com/crossdomain.xml	52.85.184.188
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://www.govids.net/img/logo.png	69.88.149.137
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://www.trufflechores.pw/index5.php?id=01ARL47Q8x54AQuSmWmd&date=2016-10-10&p=none&t=	216.137.61.243
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1608029956&t=pageview&_s=1&dl=http://www.govids.net/page-2.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=672389418&cid=757982639.1476264960&tid=UA-74694740-2&_r=1&z=1226883924	173.194.32.136
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=beeswax,appnexus,TubeMogul-GP,_dmp_turbine,thetradedesk,rocketfuel,tremornet,BidTheatre,centro,adapTV,Bidswitch,videoamp,Videology,audiencescience,SundaySky,1,TapAd,dataxu,conversant,google,mediamath,eyeview,ignitionone&uid=ccb1cc725c2d43108581cf70d4976e4e&init=true	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 2&mediaDesc=Watch Home videos, Funny Videos - 2&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.govids.net/2.html&contentLength=[CONTENT_LENGTH]	52.206.162.106
hxxp://www.govids.net/page-2.html?lid=937115	69.88.149.137
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=508514117&t=pageview&_s=1&dl=http://www.trufflechores.pw/index5.php?id=01ARL47Q8x54AQuSmWmd&date=2016-10-10&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=105333898&cid=1715124662.1476264957&tid=UA-74694740-5&_r=1&z=2048820847	173.194.32.136
hxxp://we1sb-wwcgk.ads.tremorhub.com/crossdomain.xml	52.206.162.106
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=thetradedesk,conversant,_dmp_turbine,rocketfuel,mediamath,centro,audiencescience,Bidswitch,dataxu,videoamp,tremornet,beeswax,appnexus,SundaySky,google,TapAd,dynadmic,eyeview,TubeMogul-GP,BidTheatre,ignitionone,adapTV,Videology&uid=ccb1cc725c2d43108581cf70d4976e4e&init=true	107.23.35.51
hxxp://cdn.tremorhub.com/static/noad.xml	52.85.184.188
hxxp://thm.vidvib.com/crossdomain.xml	108.161.189.160
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://www.govids.net/page-2.htm?lid=937115	69.88.149.137
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://www.govids.net/img/lbg.png	69.88.149.137
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml	52.206.162.106
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://thm.vidvib.com/abcd.mp4	108.161.189.160
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://www.google-analytics.com/analytics.js	173.194.32.136
hxxp://www.statcounter.com/counter/counter.js	151.249.89.7
hxxp://www.trufflechores.pw/func.js?r=5	216.137.61.243
hxxp://l.longtailvideo.com/5/10/logo.png	93.184.221.48
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=google,conversant,TubeMogul-GP,ignitionone,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://www.govids.net/css1.css	69.88.149.137
hxxp://partners.tremorhub.com/syncnoad?rid=c990bae92eea42e196e4a7b74cf54dc0&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=d074210cc7b84406bab32771bbf129cd&p=_dmp_turbine&uid=ccb1cc725c2d43108581cf70d4976e4e	107.23.35.51

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /player1.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: govids.net

Connection: Keep-Alive

Cookie: _ga=GA1.2.757982639.1476264960; _gat=1

HTTP/1.1 200 OK

Date: Wed, 12 Oct 2016 17:42:23 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT

ETag: "4403c4-1bb61-4fbe0230ad080"

Accept-Ranges: bytes

Content-Length: 113505

Cache-Control: max-age=2592000, public

Expires: Wed, 13 Sep 2017 17:42:23 GMT

Connection: close

Content-Type: application/x-shockwave-flash
CWS..`..x..}.\...x...@).....JCQJ...t.S.:.s..P.M.".."D.=.E."!.G.Q."....
y...~_..|>o.....u?o......."..>...Z}....u......X....^...8\.3..7,V
$.;[Y%%%[email protected]../[email protected]..
...8$.i.p... .Z.X.......<A.C4...s.L...*.B..c.'1...h.C.;.J.....E.d..
...... .........X...%[.x.m2@oK&/../...LtM..P..|.0._..a.c..x17..K.....6
L....z....z...#f. .=..:i...!B.O.s..:..`kmc.-............ xh6).UpWB.6..
..UC.SQ.1^..3.]3x4z.o..>...7F.`s..,.G.K.s.)........ $E..[O..O......
......w.....0.Jw....qCv.........&L..I...0.g...z%...k.s_....B.V....f- .
y>..6.e..v...O..R.4u...J?.q.........o?.........._.8i.........L'._s.
...ug......N..h..[....s/.[X>.G...9....k...O...L;.,X.p......... ....
r&.c..F.>._w.. {.2...b..ri..=.C.N#M..|..(&..8........9..,.S.....KhS
.}.......~..i....W...?....7.S\...eS..*&.S.z.\:....#!cng.}5...I.*I;....
'.M...U..3^s.l....^.7..sp.......Z_..wJ.....O.;0e... ..f\.t..{....5v}..
=..9...1..C..?..4.R.....[G7W..=h|...a..p../s..]......^...K.r..]T..... 
....j..V7.r.9l.........,zf..U.c..$b..n.}...^..B=.-.RP....Y.......aB.f.
...9...Vuzz.M\../b............8n...2..^Y..%u..n,...x.....,.;..s.r..]|8
...v......u.m........=.n..9.&{.B......D_JU.7.<.....>gz.<....O
.4..zQhiWf....aOL.-.bE..2yU.S..)g6Z...m...m..s....ly.....Q.us..ci....[
k?M.7p.e.....yG.'.8...R.....m_/z.>p.......=....B..w..zwQ\P..B...Bn.
2..>K..F....>.xLy..`...%..`.._......'5.9..V../z.....E..;....h)..
_..>...........{^.....p&x.Q....;YH..E.6.<m..8n... a...#U~.5S(wr2
V....h..Y^.'^.....y.8:........Q....^[..nK....hq...5..[...i94$.....
<<< skipped >>>

GET /1.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.govids.net/page-2.html?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: govids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 12 Oct 2016 17:42:22 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.5.30

Cache-Control: max-age=0

Expires: Wed, 12 Oct 2016 17:42:22 GMT

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: we1sb-wwcgk.ads.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=ccb1cc725c2d43108581cf70d4976e4e; tvrg_60409="1,1476264957"

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/xml

Date: Wed, 12 Oct 2016 09:36:10 GMT

ETag: W/"144-1446243360000"

Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT

Server: Apache-Coyote/1.1

Content-Length: 144

Connection: keep-alive
<?xml version="1.0" ?>.<cross-domain-policy>.    <!-- V
ery Liberal -->.    <allow-access-from domain="*" secure="false"
/>.</cross-domain-policy>....


GET /ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 2&mediaDesc=Watch Home videos, Funny Videos - 2&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.govids.net/2.html&contentLength=[CONTENT_LENGTH] HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://govids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: we1sb-wwcgk.ads.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=ccb1cc725c2d43108581cf70d4976e4e; tvrg_60409="1,1476264957"

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate

Content-Encoding: gzip

Content-Type: text/xml;charset=ISO-8859-1

Date: Wed, 12 Oct 2016 09:36:11 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Pragma: no-cache

Server: Apache-Coyote/1.1

Set-Cookie: tvid=ccb1cc725c2d43108581cf70d4976e4e; Domain=.tremorhub.com; Expires=Thu, 12-Oct-2017 15:24:31 GMT; Path=/

Set-Cookie: tvrg_60409="2,1476264957"; Version=1; Domain=.tremorhub.com; Max-Age=46; Expires=Wed, 12-Oct-2016 09:36:57 GMT; Path=/

Vary: Accept-Encoding

x-tremorvideo-status: NO_AD

transfer-encoding: chunked

Connection: keep-alive
20a.............R.n.0... \..-.b'r.I...E..A... 0(r,..H..l.}...w...73...
y....n..6\.<.GQ0.A%........4.....\TgZ.ixQ.[...k.m.Z....W..lCcT0....
.L.|..*.." ...~h..h.-zc.-....b.....c..U.y..Pd...weU>..)[email protected].
Ls..(.$qDiZO'...&.8I....qrC.P.5.....d.....AX.......?=b.b.ZY.k..C......
f...t.v.`.kG1.,...U. .....Z.6..j..l......3..U....d.{.c...C..f.N0./...{
.D..OF,98.G.o..^A#e...Z`....^.C.a..7.[4T..:...u..J.h.&.8.^Mc.N#6.I.a.C
...j.//E..m...R....9..X.....!....tf.6j..->..c.#.O..{....{.xR..*../o
Xds........g.. ...nq..;4. ;.].....'..m..=M...)[email protected]..
HTTP/1.1 200 OK..Cache-Control: no-cache, no-store, must-revalidate..C
ontent-Encoding: gzip..Content-Type: text/xml;charset=ISO-8859-1..Date
: Wed, 12 Oct 2016 09:36:11 GMT..P3P: CP='This is not a P3P policy. Se
e hXXp://tremorvideo.com/en/privacy-policy'..Pragma: no-cache..Server:
 Apache-Coyote/1.1..Set-Cookie: tvid=ccb1cc725c2d43108581cf70d4976e4e;
 Domain=.tremorhub.com; Expires=Thu, 12-Oct-2017 15:24:31 GMT; Path=/.
.Set-Cookie: tvrg_60409="2,1476264957"; Version=1; Domain=.tremorhub.c
om; Max-Age=46; Expires=Wed, 12-Oct-2016 09:36:57 GMT; Path=/..Vary: A
ccept-Encoding..x-tremorvideo-status: NO_AD..transfer-encoding: chunke
d..Connection: keep-alive..20a.............R.n.0... \..-.b'r.I...E..A.
.. 0(r,..H..l.}...w...73...y....n..6\.<.GQ0.A%........4.....\TgZ.ix
Q.[...k.m.Z....W..lCcT0.....L.|..*.." ...~h..h.-zc.-....b.....c..U.y..
Pd...weU>..)[email protected]..(.$qDiZO'...&.8I....qrC.P.5.....d.....A
X.......?=b.b.ZY.k..C......f...t.v.`.kG1.,...U. .....Z.6..j..l....
<<< skipped >>>

GET /ova-jw.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://govids.net/player1.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: govids.net

Connection: Keep-Alive

Cookie: _ga=GA1.2.757982639.1476264960; _gat=1

HTTP/1.1 200 OK

Date: Wed, 12 Oct 2016 17:42:24 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT

ETag: "4403b3-39741-4fbe0551c3280"

Accept-Ranges: bytes

Content-Length: 235329

Cache-Control: max-age=2592000, public

Expires: Wed, 13 Sep 2017 17:42:24 GMT

Connection: close

Content-Type: application/x-shockwave-flash
CWS..A..x......U.8.!.o.{.l/[email protected]........!AQD.e.q
. ..(...?""..,2:.u.....t.....`....9w.[..u:q....}..~Uu.s.=..........b..
.k[R..l...;../K.........=...|..!O;.M..........3.m6K..[/....-...m."%...
BY..*Xk.....t W2.e.,..Y.3 .....V..h.X)..I-....).P...n.J..r=.fiJ-.T....
S.....k....Q.....jMn...B..Q..;3.9.......y..].K."PX...S....7....b..*92.
[email protected]..&...J.p...].o.L...e.Y....y.0QQ'......x.1.e}.e.|..-....l.F
..o.w.......Y......u.g......-% .#.[....:..../x.".....i..d...uuK.K.....
.tF.V.9]K.8.....9isZ/...4.KN.,.0...[...U)....i.,...o../S...,..S-]...&.
.......Q..RZ.....nm&.. ....'.ROz.J.0......_.C....~zG..... ....~C...t..
;=`...t^.....B...48.[3..Sd(.J..D4b.H.....U&&`.;..RE.../..i..X.......u@
..).......{..k.....`[email protected]...... i....rI....I]LgL/..z....H.... t...|..Nk
..`...U(..?..u.#w...X"...NK\u...7.\....7.\}...o...wvO....R.d3.&Im..f}V
.....e.T..%c|...:.pQ..j.`...l9=.Zi....q..#...5...0...iw..C..j...|..%.\
)...K..... .............u.`. E2...f.*@.6....NPmJ'......L....(m.c.r.Z.H
W....f.....Y......_...7......p1..a.zx.u...go....O......!.......GNE..J6
a........3.......Mg...........Z.>.*..s.....%..<iX.5ZKlt...0.V..F
.....Ex...Y2.5R...S....J.....q .N2..B.. ..M.Z..O....../..E............
..&`".%[email protected]..&.d....i....~....................&3p4OFb....T.
.O.J....M.....O?...jv..6.........0x.....#..;.....}..i....W....]....&.V
..a.pO...&.f:..V5}.yK.YM.e........4..:.`...].)......2.... ....uD......
p..g./.AC.....bh8.....L..'"...;;/q..-..>:Y2 ........\.D....=.......
...).0..W....69V.H.....O..N.....W.P....."hNdG"cA..........{3.;7.j&
<<< skipped >>>

GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.trufflechores.pw/index5.php?id=01ARL47Q8x54AQuSmWmd&date=2016-10-10&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Wed, 12 Oct 2016 09:35:51 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://widgets.amung.us/draw/?w=colored&n=646&c=000000ffffff&p=

Set-Cookie: uid=CgH9H1f A/esS1DChRW/Ag==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
0..

GET /jwplayer1.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.govids.net/page-2.html?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: govids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 12 Oct 2016 17:42:21 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT

ETag: "4403af-25d37-53444eccf91c0"

Accept-Ranges: bytes

Content-Length: 154935

Cache-Control: max-age=2592000, public

Expires: Wed, 13 Sep 2017 17:42:21 GMT

Connection: close

Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'