Dropped.Trojan.Generic.17338822_3bb658d884

by malwarelabrobot on September 9th, 2016 in Malware Descriptions.

Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 3bb658d8842811f2bb1727abfc9e8886
SHA1: 22902bb69eb6862f74eb6c7ebc5675651087baec
SHA256: 31fc55592b77e2dc9d2802a14fab06e3be818e0489d0458e6109352329dfca35
SSDeep: 24576:N1sVXU77dr367nlH7k 3m3rYlgdgWO6ACa4mCeB:zsVXGJr365bB3 HOWOCGZB
Size: 790490 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

taskkill.exe:1912
taskkill.exe:360
%original file name%.exe:1832
login.exe:236
tasklist.exe:216
tasklist.exe:800
tasklist.exe:224
tasklist.exe:1640
tasklist.exe:1204
tasklist.exe:1940
tasklist.exe:1668
tasklist.exe:1752
tasklist.exe:936
tasklist.exe:1492
tasklist.exe:828
tasklist.exe:1888
tasklist.exe:436
tasklist.exe:1756
tasklist.exe:188
tasklist.exe:1912
tasklist.exe:452
tasklist.exe:1368
tasklist.exe:1936
41612.exe:1364
11984526.exe:1752
find.exe:1144
find.exe:884
find.exe:552
find.exe:1372
find.exe:1928
find.exe:492
find.exe:468
find.exe:624
find.exe:1960
find.exe:1856
find.exe:320
find.exe:404
find.exe:476
find.exe:500
find.exe:1312
find.exe:564
find.exe:1796
find.exe:240
find.exe:1912
find.exe:1552
find.exe:1808
find.exe:1748
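
The long runs of tasklist.exe, find.exe and taskkill.exe children above are what an installer script produces when it repeatedly checks whether a process is running (`tasklist | find`) and then kills it; the NSIS plugin DLLs dropped into nsi2.tmp (System.dll, ExecCmd.dll) and the Trojan.NSIS detection name point the same way. The following Python is an added example and is not part of the Lavasoft report: it runs a detection over constructed process-creation events and flags any parent that spawns repeated tasklist/find pairs inside a sliding window, attaching that parent's taskkill command lines to the hit. The command-line arguments in the sample events are assumptions; the report records only the image names and PIDs.

```python
"""Flag a parent process that runs a tasklist / find / taskkill discovery loop.

Added example, not from the Lavasoft report.  The events below are constructed
(Sysmon event 1 style fields); the tasklist/find/taskkill arguments are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_IMAGES = {"tasklist.exe", "find.exe"}
KILL_IMAGES = {"taskkill.exe"}
WATCHED = DISCOVERY_IMAGES | KILL_IMAGES


def make_event(ts, pid, ppid, image, cmdline):
    """Normalise one process-creation record; image is reduced to its basename."""
    return {"ts": ts, "pid": pid, "ppid": ppid,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def build_sample_events():
    """Constructed telemetry: a dropper-like parent (pid 1832) and a benign admin shell (pid 600)."""
    t0 = datetime(2016, 9, 9, 10, 0, 0)
    sysdir = "C:\\WINDOWS\\system32\\"
    events = [
        make_event(t0, 1832, 4, "C:\\Temp\\sample.exe", "sample.exe"),
        make_event(t0, 600, 1, sysdir + "cmd.exe", "cmd.exe"),
        # an administrator running tasklist once is not a loop and must not fire
        make_event(t0 + timedelta(seconds=5), 601, 600, sysdir + "tasklist.exe", "tasklist.exe /svc"),
    ]
    pid = 2000
    for i in range(8):  # eight "is it running?" checks a few seconds apart (assumed arguments)
        t = t0 + timedelta(seconds=3 * i)
        events.append(make_event(t, pid, 1832, sysdir + "tasklist.exe",
                                 'tasklist.exe /FI "IMAGENAME eq abounds.exe"'))
        events.append(make_event(t, pid + 1, 1832, sysdir + "find.exe", 'find.exe /I "abounds.exe"'))
        pid += 2
    events.append(make_event(t0 + timedelta(seconds=30), pid, 1832, sysdir + "taskkill.exe",
                             "taskkill.exe /F /IM abounds.exe"))
    events.append(make_event(t0 + timedelta(seconds=31), pid + 1, 1832, sysdir + "taskkill.exe",
                             "taskkill.exe /F /IM login.exe"))
    return events


def detect_discovery_loops(events, window=timedelta(seconds=60), min_pairs=4):
    """Return {ppid: summary} for every parent that spawns at least min_pairs
    tasklist children and min_pairs find children inside one sliding window.
    The parent's taskkill command lines are reported with the hit so the
    analyst can see which processes it was trying to remove."""
    by_parent = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["image"] in WATCHED:
            by_parent[e["ppid"]].append(e)

    hits = {}
    for ppid, children in by_parent.items():
        lo = 0
        for hi in range(len(children)):
            while children[hi]["ts"] - children[lo]["ts"] > window:
                lo += 1
            win = children[lo:hi + 1]
            n_tasklist = sum(c["image"] == "tasklist.exe" for c in win)
            n_find = sum(c["image"] == "find.exe" for c in win)
            if min(n_tasklist, n_find) >= min_pairs:
                hits[ppid] = {
                    "first_seen": win[0]["ts"],
                    "tasklist": n_tasklist,
                    "find": n_find,
                    "taskkill": sorted({c["cmdline"] for c in children if c["image"] in KILL_IMAGES}),
                }
    return hits


if __name__ == "__main__":
    for ppid, summary in detect_discovery_loops(build_sample_events()).items():
        print(ppid, summary)
```

The threshold of four tasklist/find pairs per minute is a starting point, not a tuned value: a single `tasklist | find` from an operator's shell stays well below it, while an installer loop such as the one in this report (22 tasklist and 22 find launches from one parent) is far above it.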

The Dropped injects its code into the following process(es):

abounds.exe:1884

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1832 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Program Files%\shrewdness\login.exe (1050 bytes)
%Program Files%\officials\settings.dll (10101 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\11984526.exe (3071 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\41612.exe (1082 bytes)
%System%\drivers\etc\hosts (123 bytes)
%WinDir%\settings.dll (10101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\carli.lnk (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (4 bytes)
%Program Files%\officials\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\officials\abounds.exe (4853 bytes)
%WinDir%\abounds.exe (4853 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)

The process login.exe:236 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp7.tmp\ExecCmd.dll (4 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp (0 bytes)

The process 41612.exe:1364 makes changes in the file system.
The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp (0 bytes)

The process 11984526.exe:1752 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\SimpleFC.dll (5289 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\SimpleFC.dll (0 bytes)

The process abounds.exe:1884 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\player1[1].swf (12969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[4].xml (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[2].xml (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\player1[2].swf (17293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[7].xml (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CATGC715.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[6].xml (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\jwplayer1[1].js (77663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[3].xml (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CA49Y30D.xml (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\CACPKV0P.xml (803 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sxx (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CAEBSPYJ.xml (705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[1].xml (757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[6].xml (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAXSMC0W.xml (863 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\CAGP0ZA5.xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CAFB10O8.xml (799 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[2].txt (297 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\page-1[1].html (710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[7].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[1].xml (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CAXB7F94.xml (702 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[4].xml (591 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\crossdomain[1].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[2].xml (625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CALVA7OH.xml (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[5].xml (683 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[3].xml (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[5].xml (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[5].xml (754 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\analytics[1].js (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\v[1].xml (654 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[2].xml (699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CADRRFV2.xml (717 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAKA8220.xml (714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAIFQDWT.xml (748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[1].xml (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\css1[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[1].xml (686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAP5NCCB.xml (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAOPGPQZ.xml (763 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\crossdomain[2].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\page-1[2].htm (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CA89I7GL.xml (748 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\page-1[1].htm (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CACP2NOX.xml (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1076 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[6].xml (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[5].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[3].xml (567 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[2].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\ova-jw[1].swf (37825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[3].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[4].xml (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\CAE74LMB.xml (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\page-1[1].htm (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\crossdomain[1].xml (82 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\page-1[1].html (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\collect[1].gif (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sol (0 bytes)

Registry activity

The process taskkill.exe:1912 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 B9 2B EA 05 5F 2C 82 F8 62 DD C2 A6 23 47 3F"

The process taskkill.exe:360 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 7A 26 97 5E 31 AD F5 D5 4C B4 B5 F5 0B 4D 6C"

The process %original file name%.exe:1832 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 1A 34 16 7E 11 32 80 93 4C A2 67 F4 BA 81 F5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To run at every Windows start, the Dropped adds the following values, all pointing at its dropped abounds.exe, to the registry autorun keys (four differently named values, split across HKLM and HKCU):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atrial" = "%Program Files%\officials\abounds.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"suborbital" = "%Program Files%\officials\abounds.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"perrot" = "%Program Files%\officials\abounds.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lynde" = "%Program Files%\officials\abounds.exe"

The process login.exe:236 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 FA A7 EE 1C 59 5A F2 B0 E8 1E 4F 21 6C 7E 9B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To run at every Windows start, the Dropped adds the following values pointing at its dropped files to the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Login" = "%Program Files%\shrewdness\login.exe"

"slimness" = "%Program Files%\officials\abounds.exe"

The process tasklist.exe:216 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 73 E4 C8 21 DC 4F 5E 25 82 48 92 26 BC 50 A9"

The process tasklist.exe:800 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 96 59 03 B6 EE 05 CA 65 0F 9F 31 3E B0 40 2F"

The process tasklist.exe:224 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E C5 52 8F DC 75 0D 45 E7 CA 8B E7 2F 18 D5 D1"

The process tasklist.exe:1640 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 CF 93 B3 80 10 D2 96 EA 71 46 51 30 F7 A9 8C"

The process tasklist.exe:1204 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 08 F9 BB CA 9F DF D5 5A 6B E9 81 72 71 DC CB"

The process tasklist.exe:1940 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 DA 8D E6 15 56 44 17 FF DD 60 8B BC E6 B8 80"

The process tasklist.exe:1668 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 E4 2D 02 8B 28 0B BB A4 54 E0 C7 2A 4A FF AD"

The process tasklist.exe:1752 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 DE B5 6A 1A 68 E2 F6 AD BE 28 B4 24 04 74 E0"

The process tasklist.exe:936 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 3C 49 FC C5 81 ED 1F F6 9A CD C4 C9 01 82 D0"

The process tasklist.exe:1492 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 0E 8B 26 41 C2 90 A1 FA B0 D4 C9 AD 96 ED D7"

The process tasklist.exe:828 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 00 78 66 E3 D7 23 96 6A CC C0 65 7B AA 0A 51"

The process tasklist.exe:1888 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 87 D6 E8 45 11 10 C6 D5 59 CE C6 DD A6 39 4F"

The process tasklist.exe:436 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 2F 8E 7E 0D FF 6E 96 FF 67 87 06 35 F0 E6 50"

The process tasklist.exe:1756 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B BD F6 46 FA DC 30 62 AE 12 5A E5 55 33 37 79"

The process tasklist.exe:188 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 48 66 BF C8 56 6E 93 0D E0 3B 9C 75 14 D9 2D"

The process tasklist.exe:1912 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 93 94 FA 72 94 C0 88 3B A4 57 F2 E4 C8 6F B9"

The process tasklist.exe:452 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 FA 43 D7 1B B0 1A 86 E9 8C 66 20 84 E0 2E 88"

The process tasklist.exe:1368 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 91 37 A3 C3 28 1A 22 21 B5 DE 01 4D 67 91 6E"

The process tasklist.exe:1936 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 4B B8 25 1D 4B AE AC AD 6C 52 E9 63 6A 80 29"

The process 41612.exe:1364 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C FE 48 0B 31 28 68 56 B8 23 98 CA A9 88 52 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 11984526.exe:1752 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 52 A9 1E 98 8F DF D9 D3 25 0B D0 71 84 49 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process abounds.exe:1884 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090820160909]
"CachePrefix" = ":2016090820160909:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090820160909]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016090820160909\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090820160909]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090820160909]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 10 C9 9A F3 32 C4 36 9A 56 DF 39 41 8C FF E9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090820160909]
"CacheRepair" = "0"

The Dropped modifies IE security zone settings so that all local web nodes with no dots in their name that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process find.exe:1144 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 72 47 71 E4 31 6A 82 BE 9B 69 BA EC A9 F2 96"

The process find.exe:884 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 F2 97 09 F0 E5 7D 18 46 49 78 4B 21 AC E0 D1"

The process find.exe:552 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE F9 CC EA 15 C2 63 09 C7 B0 20 E2 BF D6 B7 54"

The process find.exe:1372 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 80 36 AD E2 65 36 39 08 0C B5 19 5A 6C 11 49"

The process find.exe:1928 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF A2 1B F4 C1 D1 5C 3F B0 D4 F7 16 A9 EE 8F E5"

The process find.exe:492 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 5E B4 D2 45 7E E7 2C 32 D8 79 A4 F4 06 AB 90"

The process find.exe:468 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 81 D5 33 E0 BD B9 74 A4 9F FF 97 AA 67 A4 45"

The process find.exe:624 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 F4 10 FD E8 4F 90 BA D7 AB 9E E1 4E 4B 2F A2"

The process find.exe:1960 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 AE EF 26 9A 5F E0 7B E8 92 F7 4A 3F 86 A6 1C"

The process find.exe:1856 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 67 2B 08 89 BB DD D8 17 C9 A1 B3 BB E1 37 4B"

The process find.exe:320 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 F9 56 2B 92 9B 35 13 BA 11 6B B3 AD A0 29 16"

The process find.exe:404 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 4A 6A 90 3F 23 57 9F AD 45 32 B6 D7 3E 29 20"

The process find.exe:476 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C FB 35 AE 98 89 E4 02 FC 51 CE 59 E9 69 5F FF"

The process find.exe:500 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 4C 03 68 CC 64 29 05 72 D6 B7 FD 00 2E B5 3E"

The process find.exe:1312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 67 31 EA F6 94 A2 5E EE F7 FD AE BA AA 3E 16"

The process find.exe:564 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 51 94 5F F3 65 10 7B 1E AD E5 DB 1C 5D 35 83"

The process find.exe:1796 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 7B 4C F0 95 51 12 5C A5 CE AD DE 39 4D AE CB"

The process find.exe:240 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 6B 80 D1 23 7C F8 8F 55 30 91 89 87 2E 66 81"

The process find.exe:1912 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 6A B8 B9 5C 4F C6 55 C5 86 2E CB 0C B2 EC 2F"

The process find.exe:1552 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 61 3A 52 4D 2A 31 B9 68 3F 32 AB 6F CA B5 DD"

The process find.exe:1808 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 0D 38 4D 2C 8F E0 19 ED 2A 2D C8 00 11 B4 C8"

The process find.exe:1748 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 F8 64 55 28 B3 58 BE F4 99 33 BB E4 22 A5 BB"

Dropped PE files

MD5 File path
c1fa44cb71aeba23165ecbe218a49f65 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\11984526.exe
6351426f5922b23dd580621eee7b681c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\41612.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp7.tmp\ExecCmd.dll
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\officials\Microsoft.Win32.TaskScheduler.dll
f8af57b674487c0a2c1aae91468b11bf c:\Program Files\officials\abounds.exe
c105af61f7c6249f5fc323045d1e6c34 c:\Program Files\officials\settings.dll
6af231fb806a738d7dca1467407c6420 c:\Program Files\shrewdness\login.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll
c105af61f7c6249f5fc323045d1e6c34 c:\WINDOWS\settings.dll
f8af57b674487c0a2c1aae91468b11bf c:\WINDOWS\terns.exe

HOSTS file anomalies

The Dropped modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS names to IP addresses.
The modified file is 857 bytes in size. The following entries are added to the hosts file:

162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 86016 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 278528 2536 2560 3.13622 b9f20defc9dd650d8dcc7fc5d4708ad4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 87

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
Date: Wed, 07 Sep 2016 19:25:48 GMT
Expires: Wed, 07 Sep 2016 21:25:48 GMT
Last-Modified: Mon, 15 Aug 2016 04:25:11 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Cache-Control: public, max-age=7200
Age: 6606

<<< skipped >>>

GET /r/collect?v=1&_v=j46&a=1209679827&t=pageview&_s=1&dl=http://VVV.bruindorsett.pw/index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=935957912&cid=868745746.1473282938&tid=UA-74694740-5&_r=1&z=21672047 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 07 Sep 2016 21:15:54 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35



GET /r/collect?v=1&_v=j46&a=1189258277&t=pageview&_s=1&dl=http://VVV.govids.net/page-1.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1722919336&cid=336549416.1473282941&tid=UA-74694740-2&_r=1&z=307528681 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.govids.net/page-1.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 07 Sep 2016 21:15:57 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35


GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.336549416.1473282941; _gat=1


HTTP/1.1 200 OK
Date: Thu, 08 Sep 2016 05:21:35 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Thu, 10 Aug 2017 05:21:35 GMT
Connection: close
Content-Type: application/x-shockwave-flash

<<< skipped >>>

GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-1.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473282941.19C6AC8E74C24FC4F8CBC53BEB7EB6BB.1.1.1.1.1.1.1.1.1; _ga=GA1.2.336549416.1473282941; _gat=1


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 21:15:57 GMT
Content-Type: image/png
Content-Length: 3856
Connection: keep-alive
Last-Modified: Tue, 10 Jun 2014 14:29:28 GMT
ETag: "a1bf2-f10-4fb7c27bc2200"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes

<<< skipped >>>

GET /index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 906
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Wed, 07 Sep 2016 21:15:53 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 d2fa707728d9947a31db9f8dc3e9e56c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 1xVu9YC2kTGFwI8a1xPDcAq8ea1o2bgFgH_K5Pank0HYdNVjwpB-Sg==

<<< skipped >>>

GET /func.js?r=5 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Fri, 19 Aug 2016 01:35:05 GMT
Vary: Accept-Encoding
X-Cache: RefreshHit from cloudfront
Via: 1.1 d2fa707728d9947a31db9f8dc3e9e56c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 2VmMbbqmWtZ79Tb7G3-gwP4Frpab9l6HFzEK8ejM5Q4jSXKdzueBpg==

<<< skipped >>>

GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.govids.net/page-1.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.336549416.1473282941; _gat=1


HTTP/1.1 200 OK
Date: Thu, 08 Sep 2016 05:21:33 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Thu, 10 Aug 2017 05:21:33 GMT
Connection: close
Content-Type: application/x-shockwave-flash

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=649ea7c690dc4437b3247d781b53384b; tvrg_60409="1,1473282961"


HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 130
Connection: keep-alive
Date: Sun, 24 Jul 2016 04:41:02 GMT
Last-Modified: Thu, 04 Dec 2014 23:41:04 GMT
ETag: "2cf4c5e3d4c1206209355ac1065b0efc"
Accept-Ranges: bytes
Server: AmazonS3
Age: 8739
X-Cache: Hit from cloudfront
Via: 1.1 c3e32c3c6fc2de06cadacd3ef5ca2730.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xPG5FtHshCC5a8reRxfPyO09-mVykmAtJDFQHyK96r9gWKqvDvp01g==
<?xml version="1.0" ?>
<cross-domain-policy>
    <!-- Very Liberal -->
    <allow-access-from domain="*" />
</cross-domain-policy>


GET /report1.php?url=/govids/page-1.html?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-1.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 21:19:25 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /bck.php?1473282939000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-1.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 21:19:26 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /report1.php?url=/govids/page-1.htm?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-1.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 21:19:26 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /bck.php?1473282940000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-1.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 21:19:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 21:15:54 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1473282954.0; expires=Mon, 06-Sep-2021 21:15:54 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1473282954122714614; expires=Fri, 07-Sep-2018 21:15:54 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif


GET /draw/?w=colored&n=1381&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: uid=CgH9IFfQg4pxhRQQObx0Ag==
Connection: Keep-Alive
Host: widgets.amung.us


HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Wed, 07 Sep 2016 21:15:54 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Fri, 07 Oct 2016 21:15:54 GMT
Cache-Control: max-age=2592000

<<< skipped >>>

GET /count.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18A1NmP0nMB2rKtNAUOc&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.clangburkitt.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 21:15:55 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<meta http-equiv="refresh" content="300">


GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-1.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 08 Sep 2016 05:21:31 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Thu, 10 Aug 2017 05:21:31 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape('

login.exe_236:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp\ExecCmd.dll
"%Program Files%\officials\abounds.exe"
ecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp
nsp7.tmp
rogram Files\officials\abounds.exe"
q abounds.exe" | %SystemRoot%\System32\find /I "abounds.exe"
login Setup
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp
"%Program Files%\shrewdness\login.exe"
%Program Files%\shrewdness
login.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\shrewdness\login.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
ewdness\login.exe"
icials\abounds.exe"


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskkill.exe:1912
    taskkill.exe:360
    %original file name%.exe:1832
    login.exe:236
    tasklist.exe:216
    tasklist.exe:800
    tasklist.exe:224
    tasklist.exe:1640
    tasklist.exe:1204
    tasklist.exe:1940
    tasklist.exe:1668
    tasklist.exe:1752
    tasklist.exe:936
    tasklist.exe:1492
    tasklist.exe:828
    tasklist.exe:1888
    tasklist.exe:436
    tasklist.exe:1756
    tasklist.exe:188
    tasklist.exe:1912
    tasklist.exe:452
    tasklist.exe:1368
    tasklist.exe:1936
    41612.exe:1364
    11984526.exe:1752
    find.exe:1144
    find.exe:884
    find.exe:552
    find.exe:1372
    find.exe:1928
    find.exe:492
    find.exe:468
    find.exe:624
    find.exe:1960
    find.exe:1856
    find.exe:320
    find.exe:404
    find.exe:476
    find.exe:500
    find.exe:1312
    find.exe:564
    find.exe:1796
    find.exe:240
    find.exe:1912
    find.exe:1552
    find.exe:1808
    find.exe:1748

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Program Files%\shrewdness\login.exe (1050 bytes)
    %Program Files%\officials\settings.dll (10101 bytes)
    %WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\11984526.exe (3071 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\41612.exe (1082 bytes)
    %System%\drivers\etc\hosts (123 bytes)
    %WinDir%\settings.dll (10101 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (13 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\carli.lnk (485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (4 bytes)
    %Program Files%\officials\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %Program Files%\officials\abounds.exe (4853 bytes)
    %WinDir%\abounds.exe (4853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp7.tmp\ExecCmd.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\SimpleFC.dll (5289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\player1[1].swf (12969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[4].xml (679 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[2].xml (696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\player1[2].swf (17293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[7].xml (640 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CATGC715.gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[6].xml (708 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\jwplayer1[1].js (77663 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[3].xml (587 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CA49Y30D.xml (766 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\CACPKV0P.xml (803 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\counter[2].js (1353 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sxx (193 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CAEBSPYJ.xml (705 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[1].xml (757 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\1[1].gif (49 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[6].xml (711 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\logo[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\counter[1].js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\noad[1].xml (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAXSMC0W.xml (863 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\CAGP0ZA5.xml (800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CAFB10O8.xml (799 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@govids[2].txt (297 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\page-1[1].html (710 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (173 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[7].xml (599 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[1].xml (684 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CAXB7F94.xml (702 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[4].xml (591 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (548 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\collect[1].gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\crossdomain[1].xml (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[2].xml (625 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\CALVA7OH.xml (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[5].xml (683 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[3].xml (596 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[5].xml (792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[5].xml (754 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\analytics[1].js (227 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\v[1].xml (654 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[2].xml (699 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CADRRFV2.xml (717 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAKA8220.xml (714 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAIFQDWT.xml (748 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\syncnoad[1].xml (795 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\css1[1].css (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\index5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[1].xml (686 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAP5NCCB.xml (751 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAOPGPQZ.xml (763 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\crossdomain[2].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\wau-widget[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\itd[1].htm (1118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\page-1[2].htm (174 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CA89I7GL.xml (748 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\count[1].htm (47 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (290 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\page-1[1].htm (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\lbg[1].png (200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CACP2NOX.xml (751 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[4].xml (503 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1076 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[6].xml (637 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[5].xml (608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\logo[1].png (723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[3].xml (567 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\syncnoad[2].xml (608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\func[1].js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\ova-jw[1].swf (37825 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\syncnoad[3].xml (628 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\syncnoad[4].xml (620 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\CAE74LMB.xml (817 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\crossdomain[1].xml (82 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "atrial" = "%Program Files%\officials\abounds.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "suborbital" = "%Program Files%\officials\abounds.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "perrot" = "%Program Files%\officials\abounds.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "lynde" = "%Program Files%\officials\abounds.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Login" = "%Program Files%\shrewdness\login.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "slimness" = "%Program Files%\officials\abounds.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
