Application.Agent.RA_f6aff0b9b1
Application.Agent.RA (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f6aff0b9b146929b2c655288d5da55ed
SHA1: 93a6969c2198ef45145e0f4fd1d47d8642a127bc
SHA256: 492bcefe2a2ffd3a258d0f5f3ea64e933c1f40fb5d7f7de11b6e84040d489711
SSDeep: 24576:NCVIlcQJV45/6WMftzF2lgdxTWO6ACa4cA8:4VIlcQJV45/6W zrHWOC89
Size: 790521 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Xacti, LLC
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
taskkill.exe:440
taskkill.exe:1144
tasklist.exe:1348
tasklist.exe:1164
tasklist.exe:900
tasklist.exe:1268
tasklist.exe:936
tasklist.exe:1340
tasklist.exe:572
tasklist.exe:1336
tasklist.exe:564
tasklist.exe:616
tasklist.exe:1548
tasklist.exe:248
tasklist.exe:1956
tasklist.exe:260
tasklist.exe:168
tasklist.exe:136
tasklist.exe:228
tasklist.exe:348
tasklist.exe:1112
tasklist.exe:500
tasklist.exe:644
mantilla.exe:1884
%original file name%.exe:320
23460.exe:224
841810.exe:340
find.exe:1128
find.exe:404
find.exe:1628
find.exe:668
find.exe:1792
find.exe:1336
find.exe:1548
find.exe:492
find.exe:1928
find.exe:260
find.exe:476
find.exe:828
find.exe:648
find.exe:1384
find.exe:652
find.exe:816
find.exe:552
find.exe:572
find.exe:1368
find.exe:480
The Application injects its code into the following process(es):
ended.exe:656
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process mantilla.exe:1884 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp\ExecCmd.dll (4 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (0 bytes)
The process %original file name%.exe:320 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Program Files%\svein\settings.dll (10991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\ShellLink.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\841810.exe (3100 bytes)
%Program Files%\dialogic\mantilla.exe (1052 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%WinDir%\settings.dll (10991 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\23460.exe (1094 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (11 bytes)
%Program Files%\svein\ended.exe (5160 bytes)
%Program Files%\svein\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\cacao.lnk (455 bytes)
%WinDir%\ended.exe (5160 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (0 bytes)
The process ended.exe:656 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\player1[1].swf (20029 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\page-4[1].htm (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\page-4[1].htm (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\ova-jw[1].swf (42641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\css1[1].css (659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (1491 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (1070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\CA3A6KAC.xml (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\CAMF85UB.xml (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[1].xml (805 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hydroponicallydressings[2].txt (361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\CADC4NX9.gif (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[2].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[2].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\player1[1].swf (16909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\CAU161O7.xml (813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\analytics[1].js (1448 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hydroponicallydressings[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\CAAW1B9N.xml (761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\CAHGBYHU.xml (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\page-4[1].html (710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\CA6JN55H.xml (764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\CA2CC71F.xml (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\CAMJ8D23.xml (715 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[1].xml (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\CAWTQ34X.xml (761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\page-4[2].htm (960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[1].xml (694 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\jwplayer1[1].js (80179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[2].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\css1[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\syncnoad[1].xml (716 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\page-4[1].html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hydroponicallydressings[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\collect[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (0 bytes)
The process 23460.exe:224 makes changes in the file system.
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp (0 bytes)
The process 841810.exe:340 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (5289 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (0 bytes)
Registry activity
The process mantilla.exe:1884 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 E9 D1 BE 7C 2B E6 ED E4 6E 49 BB 0F 62 D6 CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To run automatically each time Windows is booted, the Application adds the following links to its files to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"mantilla" = "%Program Files%\dialogic\mantilla.exe"
"reformation" = "%Program Files%\svein\ended.exe"
The process %original file name%.exe:320 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 2A 30 C4 76 56 65 45 43 AB 7A 90 1B 62 66 7C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
To run automatically each time Windows is booted, the Application adds the following links to its file to the system registry autorun keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rebel" = "%Program Files%\svein\ended.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWI" = "%Program Files%\svein\ended.exe"
"ramona" = "%Program Files%\svein\ended.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"thomases" = "%Program Files%\svein\ended.exe"
The process ended.exe:656 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101120161012]
"CacheRepair" = "0"
"CachePrefix" = ":2016101120161012:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D9 E7 1B BF 2E E5 45 F9 25 AB 7F D7 C4 9B 84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101120161012]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016101120161012\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101120161012]
"CacheLimit" = "8192"
"CacheOptions" = "11"
The Application modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Application modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Application deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 23460.exe:224 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 FB 3B 36 15 20 16 FD A4 4F 62 5F 35 21 1D 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 841810.exe:340 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 F3 41 0F E0 12 28 22 A7 C6 49 77 EA F1 21 7E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process find.exe:828 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 FB DA 35 80 05 BB 52 25 97 0A 0F A7 A8 BA 5E"
The process find.exe:648 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 A5 0C 5F E7 0E 08 51 0B 78 80 0B 1E B7 4A 8E"
The process find.exe:1384 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 4A B2 31 2C E6 14 0D 42 1A 4D B5 65 83 7F 98"
The process find.exe:652 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 43 E6 9C A5 4F 19 DC DD 55 CF E5 FC 23 21 77"
The process find.exe:816 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 9C B6 51 F1 AF 62 AB 32 FA 00 47 B2 4B C6 28"
The process find.exe:552 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF AB E3 54 4B 48 7F 12 7A 02 93 27 BF 69 5E BE"
The process find.exe:572 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 0E CA 05 9D B4 67 E2 76 F4 0C 9E 0E 6A D6 C8"
The process find.exe:1368 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 0E 73 94 BD C6 04 30 3C 7F AD DB DF DE A3 C7"
The process find.exe:480 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 6D B4 65 AB AD BA D2 3C F3 A5 20 B1 93 71 77"
Dropped PE files
| MD5 | File path |
|---|---|
| 4a70aa2020197bfad5237309b86ea3a7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\23460.exe |
| 5620125fbbede2bf85d169217e450ddb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\841810.exe |
| b9380b0bea8854fd9f93cc1fda0dfeac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz7.tmp\ExecCmd.dll |
| 58df5efd23175a0309ac3611c1c7db97 | c:\Program Files\dialogic\mantilla.exe |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\Program Files\svein\Microsoft.Win32.TaskScheduler.dll |
| 115fada159f995491461859cf78d3aea | c:\Program Files\svein\ended.exe |
| bf6eb07a06cba782b8075de94cc667e9 | c:\Program Files\svein\settings.dll |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll |
| 115fada159f995491461859cf78d3aea | c:\WINDOWS\nothings.exe |
| bf6eb07a06cba782b8075de94cc667e9 | c:\WINDOWS\settings.dll |
HOSTS file anomalies
The Application modifies the "%System%\drivers\etc\hosts" file, which is used to translate host names to IP addresses.
The modified file is 857 bytes in size. The following entries are added to the hosts file:
| IP address | Host name |
|---|---|
| 162.222.194.13 | cocomo.tremorhub.com |
| 162.222.194.13 | www.virustotal.com |
| 162.222.194.13 | virustotal.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 86016 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 278528 | 2536 | 2560 | 3.13622 | b9f20defc9dd650d8dcc7fc5d4708ad4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 116
URLs
| URL | IP |
|---|---|
| hxxp://d3cpqb3ouewn5u.cloudfront.net/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t= | |
| hxxp://d3cpqb3ouewn5u.cloudfront.net/func.js?r=5 | |
| hxxp://www-google-analytics.l.google.com/analytics.js | |
| hxxp://cocomo.tremorhub.com/itd.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=&rand= | |
| hxxp://c.statcounter.com/10114910/0/757d7213/1/ | |
| hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png | |
| hxxp://www.shanaluby.pw/count.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=&rand= | |
| hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=1355967418&t=pageview&_s=1&dl=http://www.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1091904005&cid=339865976.1476160828&tid=UA-74694740-5&_r=1&z=420842839 | |
| hxxp://a5f50dedef.site.internapcdn.net/page-4.html?lid=937115 | |
| hxxp://109.201.148.40/report1.php?url=/ivids/page-4.html?lid=937115 | |
| hxxp://widgets.amung.us/draw/?w=colored&n=994&c=000000ffffff&p= | |
| hxxp://ivids.net/jwplayer1.js | |
| hxxp://109.201.148.40/bck.php?1476160828000 | |
| hxxp://ivids.net/1.js | |
| hxxp://a5f50dedef.site.internapcdn.net/page-4.htm?lid=937115 | |
| hxxp://109.201.148.40/report1.php?url=/ivids/page-4.htm?lid=937115 | |
| hxxp://109.201.148.40/bck.php?1476160829000 | |
| hxxp://g1.panthercdn.com/counter/counter.js | |
| hxxp://ivids.net/player1.swf | |
| hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=13E53A113E574F6A557940182A94ABE7&sc_random=0.18218559734387463&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://www.ivids.net/page-4.html?lid=937115&u=http://www.ivids.net/page-4.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 | |
| hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=1931745487&t=pageview&_s=1&dl=http://www.ivids.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1871481127&cid=1015302293.1476160830&tid=UA-74694740-2&_r=1&z=777030696 | |
| hxxp://a5f50dedef.site.internapcdn.net/css1.css | |
| hxxp://a5f50dedef.site.internapcdn.net/img/logo.png | |
| hxxp://a5f50dedef.site.internapcdn.net/img/lbg.png | |
| hxxp://cs28.wpc.thetacdn.net/5/10/logo.png | |
| hxxp://ivids.net/ova-jw.swf | |
| hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/crossdomain.xml | |
| hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 4&mediaDesc=Entertainment videos ivids.net - 4&mediaId=2&mediaUrl=hxxp://www.ivids.net/4.html&srcPageUrl=hxxp://www.ivids.net/4.html&contentLength=300 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/crossdomain.xml | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=adapTV,SundaySky,BidTheatre,audiencescience,appnexus,thetradedesk,Videology,mediamath,beeswax,_dmp_turbine,google,conversant,centro,dataxu,dynadmic,tremornet,videoamp,TubeMogul-GP,Bidswitch,TapAd,rocketfuel,ignitionone,1&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f&init=true | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://www.ivids.net/img/lbg.png | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://xlf5t.ads.tremorhub.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 4&mediaDesc=Entertainment videos ivids.net - 4&mediaId=2&mediaUrl=hxxp://www.ivids.net/4.html&srcPageUrl=hxxp://www.ivids.net/4.html&contentLength=300 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/crossdomain.xml | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1355967418&t=pageview&_s=1&dl=http://www.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1091904005&cid=339865976.1476160828&tid=UA-74694740-5&_r=1&z=420842839 | |
| hxxp://www.statcounter.com/counter/counter.js | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=adapTV,SundaySky,BidTheatre,audiencescience,appnexus,thetradedesk,Videology,mediamath,beeswax,_dmp_turbine,google,conversant,centro,dataxu,dynadmic,tremornet,videoamp,TubeMogul-GP,Bidswitch,TapAd,rocketfuel,ignitionone,1&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f&init=true | |
| hxxp://www.hydroponicallydressings.pw/func.js?r=5 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://www.ivids.net/css1.css | |
| hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1931745487&t=pageview&_s=1&dl=http://www.ivids.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1871481127&cid=1015302293.1476160830&tid=UA-74694740-2&_r=1&z=777030696 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://www.ivids.net/img/logo.png | |
| hxxp://www.ivids.net/page-4.html?lid=937115 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://www.ivids.net/page-4.htm?lid=937115 | |
| hxxp://www.google-analytics.com/analytics.js | |
| hxxp://l.longtailvideo.com/5/10/logo.png | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://www.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t= | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
| hxxp://partners.tremorhub.com/syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Outdated Windows Flash Version IE
Traffic
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 12:46:53 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Tue, 12 Sep 2017 12:46:53 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /draw/?w=colored&n=994&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: uid=CgH9JVf8bTdNVgiHkWHoAg==
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Tue, 11 Oct 2016 04:40:24 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Thu, 10 Nov 2016 04:40:24 GMT
Cache-Control: max-age=2592000
<<< skipped >>>
GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.1015302293.1476160830; _gat=1
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 12:46:55 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Tue, 12 Sep 2017 12:46:55 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /itd.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:40:24 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
 var nameEQ = name + "=";
 var ca = document.cookie.split(';');
 for(var i=0;i < ca.length;i++) {
 var c = ca[i];
 while (c.charAt(0)==' ') c = c.substring(1,c.length);
 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
 return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
//-->
</script>
<meta http-equiv="refresh" content="300">
</html>
<<< skipped >>>
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.1015302293.1476160830; _gat=1
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 12:46:54 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Tue, 12 Sep 2017 12:46:54 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 03:18:55 GMT
Expires: Tue, 11 Oct 2016 05:18:55 GMT
Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 4888
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /r/collect?v=1&_v=j47&a=1355967418&t=pageview&_s=1&dl=http://VVV.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1091904005&cid=339865976.1476160828&tid=UA-74694740-5&_r=1&z=420842839 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Tue, 11 Oct 2016 04:40:23 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GET /r/collect?v=1&_v=j47&a=1931745487&t=pageview&_s=1&dl=http://VVV.ivids.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1871481127&cid=1015302293.1476160830&tid=UA-74694740-2&_r=1&z=777030696 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Tue, 11 Oct 2016 04:40:26 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GET /report1.php?url=/ivids/page-4.html?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:43:53 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1476160828000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:43:54 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /report1.php?url=/ivids/page-4.htm?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:43:55 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1476160829000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:43:55 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=ddae592eaee2914c351998569b60dc60c1476160823; is_unique=sc10114910.1476160823.0; is_visitor_unique=1476160823451098529
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:40:26 GMT
Server: PWS/8.1.41.3
X-Px: ht h0-s1153.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Tue, 11 Oct 2016 07:56:32 GMT
Age: 31434
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
<<< skipped >>>
GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
HTTP/1.1 303 See Other
Date: Tue, 11 Oct 2016 04:40:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=994&c=000000ffffff&p=
Set-Cookie: uid=CgH9JVf8bTdNVgiHkWHoAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Tue, 11 Oct 2016 04:40:30 GMT
ETag: W/"144-1446243360000"
Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
  <!-- Very Liberal -->
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=adapTV,SundaySky,BidTheatre,audiencescience,appnexus,thetradedesk,Videology,mediamath,beeswax,_dmp_turbine,google,conversant,centro,dataxu,dynadmic,tremornet,videoamp,TubeMogul-GP,Bidswitch,TapAd,rocketfuel,ignitionone,1&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f&init=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:30 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 503
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:30 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:30 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 490
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:31 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:31 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 470
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:32 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=adapTV,dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:32 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 482
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=dataxu,tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:33 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=tremornet,Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:34 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 499
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:34 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 457
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:34 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 456
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:35 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:36 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:36 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 429
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:37 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:37 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:38 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 414
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:39 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:39 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 379
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:39 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=videoamp,TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:40 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=8e45e24b62ab44ab868661a7a62c4761&p=TapAd,_dmp_turbine&uid=3abc4bfe03904b4e80c4f0d33d8c1a8f HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=3abc4bfe03904b4e80c4f0d33d8c1a8f; tvrg_60409="1,1476160829"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Tue, 11 Oct 2016 04:40:40 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /page-4.html?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.hydroponicallydressings.pw/index5.php?id=23AyGXaCKnRH4r6StD2T&date=2016-09-08&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:40:24 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
GET /page-4.htm?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:40:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
GET /css1.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1476160830.13E53A113E574F6A557940182A94ABE7.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1015302293.1476160830; _gat=1
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:40:26 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 10 Nov 2014 09:13:53 GMT
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
GET /img/lbg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1476160830.13E53A113E574F6A557940182A94ABE7.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1015302293.1476160830; _gat=1
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 04:40:26 GMT
Content-Type: image/png
Content-Length: 200
Connection: keep-alive
Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT
ETag: "a1c85-c8-4ebb56fac1880"
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 11 Oct 2016 12:46:51 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Tue, 12 Sep 2017 12:46:51 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:440
taskkill.exe:1144
tasklist.exe:1348
tasklist.exe:1164
tasklist.exe:900
tasklist.exe:1268
tasklist.exe:936
tasklist.exe:1340
tasklist.exe:572
tasklist.exe:1336
tasklist.exe:564
tasklist.exe:616
tasklist.exe:1548
tasklist.exe:248
tasklist.exe:1956
tasklist.exe:260
tasklist.exe:168
tasklist.exe:136
tasklist.exe:228
tasklist.exe:348
tasklist.exe:1112
tasklist.exe:500
tasklist.exe:644
mantilla.exe:1884
%original file name%.exe:320
23460.exe:224
841810.exe:340
find.exe:1128
find.exe:404
find.exe:1628
find.exe:668
find.exe:1792
find.exe:1336
find.exe:1548
find.exe:492
find.exe:1928
find.exe:260
find.exe:476
find.exe:828
find.exe:648
find.exe:1384
find.exe:652
find.exe:816
find.exe:552
find.exe:572
find.exe:1368
find.exe:480
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
%Documents and Settings%\%current user%\Local Settings\Temp\nsz7.tmp\ExecCmd.dll (4 bytes)
%Program Files%\svein\settings.dll (10991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\ShellLink.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\841810.exe (3100 bytes)
%Program Files%\dialogic\mantilla.exe (1052 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%WinDir%\settings.dll (10991 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\23460.exe (1094 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (11 bytes)
%Program Files%\svein\ended.exe (5160 bytes)
%Program Files%\svein\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\cacao.lnk (455 bytes)
%WinDir%\ended.exe (5160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\player1[1].swf (20029 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\page-4[1].htm (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\page-4[1].htm (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\ova-jw[1].swf (42641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\css1[1].css (659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (1491 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (1070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\CA3A6KAC.xml (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\CAMF85UB.xml (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[1].xml (805 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hydroponicallydressings[2].txt (361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\CADC4NX9.gif (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[2].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[2].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\player1[1].swf (16909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\CAU161O7.xml (813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\analytics[1].js (1448 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hydroponicallydressings[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\CAAW1B9N.xml (761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\CAHGBYHU.xml (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\page-4[1].html (710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\CA6JN55H.xml (764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\CA2CC71F.xml (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\CAMJ8D23.xml (715 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[1].xml (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\CAWTQ34X.xml (761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\page-4[2].htm (960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[1].xml (694 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\jwplayer1[1].js (80179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\syncnoad[2].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q52X2LKB\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\L78LNIFA\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6HANEBKD\css1[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I5UZG3CH\syncnoad[1].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (5289 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"mantilla" = "%Program Files%\dialogic\mantilla.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"reformation" = "%Program Files%\svein\ended.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rebel" = "%Program Files%\svein\ended.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWI" = "%Program Files%\svein\ended.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ramona" = "%Program Files%\svein\ended.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"thomases" = "%Program Files%\svein\ended.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.