Dropped.Trojan.Generic.17338822_4dcee49e18

by malwarelabrobot on September 7th, 2016 in Malware Descriptions.

Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 4dcee49e18c9446479d1e36cc017f822
SHA1: 6a32a8406164541d96c7eedc34aaaa102e593100
SHA256: 04210c8e539636d6ae9cba167ef7280acac5019c8066fb03e1a42604729d10c4
SSDeep: 24576:N38c VVmu59mHwO6uMYllgdXKRWO6ACa4f:dj VVVqQO6u6BKRWOC/
Size: 790499 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Speedbit Ltd.
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

taskkill.exe:1744
taskkill.exe:340
69582.exe:164
tasklist.exe:1084
tasklist.exe:1344
tasklist.exe:276
tasklist.exe:1488
tasklist.exe:832
tasklist.exe:1540
tasklist.exe:1852
tasklist.exe:1692
tasklist.exe:652
tasklist.exe:1676
tasklist.exe:500
tasklist.exe:1700
tasklist.exe:240
tasklist.exe:1880
tasklist.exe:784
tasklist.exe:1636
tasklist.exe:1556
tasklist.exe:1724
tasklist.exe:1288
tasklist.exe:1364
tasklist.exe:1688
tasklist.exe:2008
wearily.exe:460
%original file name%.exe:312
20943149.exe:456
find.exe:576
find.exe:660
find.exe:136
find.exe:832
find.exe:1984
find.exe:1612
find.exe:340
find.exe:1392
find.exe:1860
find.exe:1864
find.exe:1496
find.exe:224
find.exe:480
find.exe:1700
find.exe:1620
find.exe:780
find.exe:1800
find.exe:968
find.exe:424
find.exe:1680
find.exe:828
find.exe:2008
find.exe:516

The Dropped injects its code into the following process(es):

uncorroborated.exe:1064

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process uncorroborated.exe:1064 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAY9EDUL.xml (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4LMNO5.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[3].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\abcd[1].mp4 (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[7].xml (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[8].xml (591 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jwplayer1[1].js (76309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\css1[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\page-3[1].htm (3953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6BKDAN.xml (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAH3E7VM.xml (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v[1].xml (654 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAA3GZYL.xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAIA5GXD.xml (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (626 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (597 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[6].xml (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[8].xml (679 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (609 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[5].xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CACP0V2V.xml (804 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\player1[1].swf (22077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (556 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[6].xml (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (12941 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8ROLMN.xml (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[2].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[7].xml (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[5].xml (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAMFURQD.xml (752 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\analytics[1].js (1557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[8].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-3[1].htm (4309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA6NW1QR.xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU3G96R.xml (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAWTOXEZ.xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAKBSTKH.xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[6].xml (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[7].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYEJNZ0.xml (767 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAJMBGIP.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fla8.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ova-jw[1].swf (29005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACJQGXK.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[6].xml (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CANKAOOZ.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\count[1].htm (47 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\collect[1].gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (0 bytes)

The process 69582.exe:164 makes changes in the file system.
The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)

The process wearily.exe:460 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp\ExecCmd.dll (4 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp (0 bytes)

The process %original file name%.exe:312 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\ShellLink.dll (4 bytes)
%WinDir%\uncorroborated.exe (4952 bytes)
%Program Files%\orignal\settings.dll (11076 bytes)
%Program Files%\orignal\uncorroborated.exe (4952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\AccessControl.dll (13 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\possessor.lnk (511 bytes)
%WinDir%\settings.dll (11076 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\69582.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\20943149.exe (3125 bytes)
%Program Files%\athough\wearily.exe (1036 bytes)
%Program Files%\orignal\Microsoft.Win32.TaskScheduler.dll (8850 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\System.dll (0 bytes)

The process 20943149.exe:456 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (5289 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)

Registry activity

The process taskkill.exe:1744 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 53 6A 34 84 38 49 4A 4F 96 F0 C4 85 F1 DA 49"

The process taskkill.exe:340 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 12 EE E9 E7 96 0D 20 30 E4 2E A4 CC 60 9D 9B"

The process uncorroborated.exe:1064 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CachePrefix" = ":2016090620160907:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C FF 5A 85 E1 01 09 E5 45 20 80 19 31 F0 33 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016090620160907\"

The Dropped modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 69582.exe:164 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 D2 77 D4 45 B9 71 93 98 80 4A A3 D6 B1 FA E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process tasklist.exe:1084 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 32 EA D4 53 5B 08 9C D3 01 5F FC 34 03 8F 68"

The process tasklist.exe:1344 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD FD 8E 12 8B EC 78 7B B7 DB 7D 6B 5D 13 51 F0"

The process tasklist.exe:276 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 5B DC 7E 4E 82 86 91 9F D7 8C 97 03 E0 A5 E8"

The process tasklist.exe:1488 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 93 27 5D 6D CC C8 A2 7C C3 77 1A FD DE 83 97"

The process tasklist.exe:832 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 A2 81 62 C9 44 4C 5E C6 0B CA 9A 8B 84 78 25"

The process tasklist.exe:1540 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 CE DB 09 65 6E 77 72 73 F7 6A 76 43 A0 39 B3"

The process tasklist.exe:1852 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 D6 23 04 E2 55 CD E9 36 05 C4 61 ED 37 8D FE"

The process tasklist.exe:1692 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 6B 64 83 EE 1A FF A8 0A 02 2E FB 7C C6 5C 69"

The process tasklist.exe:652 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8E CE C7 75 57 1D E4 02 A3 23 82 37 AB 14 35"

The process tasklist.exe:1676 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 70 97 55 21 A3 BE 07 0C A0 BC C7 42 BA 23 33"

The process tasklist.exe:500 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 37 53 85 4A 1B 57 45 13 EE A9 D9 33 06 A4 56"

The process tasklist.exe:1700 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C A7 7E AA 2B 23 B1 01 D3 A0 1C 5D 7F E6 57 AC"

The process tasklist.exe:240 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 E1 B0 8F ED 8E 00 1E 85 EB F4 BD AB 14 A3 D5"

The process tasklist.exe:1880 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 DA E2 F7 60 E2 90 0E DC 8E AA E4 F6 07 92 71"

The process tasklist.exe:784 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 42 09 B3 69 7D 10 27 6E 3F 37 99 68 81 50 44"

The process tasklist.exe:1636 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 57 3C AB E2 47 6A A9 A7 26 36 95 58 60 C4 5F"

The process tasklist.exe:1556 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 34 D0 AD 4A 68 DE A9 72 A2 0D 76 5D AA 89 9D"

The process tasklist.exe:1724 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 B5 19 BD 73 8F E7 80 E7 CD FE 17 9B D5 81 1A"

The process tasklist.exe:1288 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB AF BB 1F 36 D5 5E 34 9E 7E 98 ED B4 FD 48 AD"

The process tasklist.exe:1364 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 FC 2C 60 98 22 C9 88 AD BB A9 F5 FB 4C 89 56"

The process tasklist.exe:1688 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 FE 71 7B 82 3E 5C FA 08 4D 75 8A 06 CE EB 17"

The process tasklist.exe:2008 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA D4 3A 54 B7 DB 07 40 3C 0A 38 6C 5E CD C9 D7"

The process wearily.exe:460 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 02 0A 86 78 41 6B 8E B0 33 F7 EF 92 54 FF 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wearily" = "%Program Files%\athough\wearily.exe"

"linkages" = "%Program Files%\orignal\uncorroborated.exe"

The process %original file name%.exe:312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 04 B3 24 5B 20 7A 70 CF FD 33 79 9F 63 EA 4A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To run automatically each time Windows boots, the Dropped adds the following links to its files under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adjournment" = "%Program Files%\orignal\uncorroborated.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"trappers" = "%Program Files%\orignal\uncorroborated.exe"

"midwestern" = "%Program Files%\orignal\uncorroborated.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"platzer" = "%Program Files%\orignal\uncorroborated.exe"

The process 20943149.exe:456 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 5B EE 05 23 6A A1 B4 0B BC 5A DD 98 09 7C 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process find.exe:576 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E A9 EE 0F 30 1E A5 93 D2 6F E1 85 BA EE 61 A3"

The process find.exe:660 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE C1 DE 1D FF F8 E9 83 43 63 9C 57 A7 4B 7A A2"

The process find.exe:136 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 23 40 A6 1F 46 28 D4 9C 26 4A B7 19 DE A9 EF"

The process find.exe:832 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 5C 7E 71 A8 6E 9D 98 E5 87 F9 BF 13 D6 62 6C"

The process find.exe:1984 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 CB 97 85 BC 59 EB 2A 87 56 40 D1 72 B8 D0 14"

The process find.exe:1612 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 0E E9 D1 DB 7E C5 A6 2C AF E7 A0 47 12 2C 73"

The process find.exe:340 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 EE 3C FC EB 9C 8C CE C7 9E D3 E5 C6 DC C6 D2"

The process find.exe:1392 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 81 A2 FF 70 35 48 FA F2 84 A2 5C 5C 06 C6 9C"

The process find.exe:1860 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 E8 83 01 39 3E 16 B3 BB 96 DC 08 36 30 9A FD"

The process find.exe:1864 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 49 15 AE 16 87 FE 76 93 A5 3F 8F CD DF 26 3C"

The process find.exe:1496 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 E9 F1 E8 0F 3C 8C 3C D0 59 8A FA EF 6F 55 04"

The process find.exe:224 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 5D 2D 07 80 16 65 62 50 ED D1 D8 6B D2 A2 83"

The process find.exe:480 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E CB 62 DB 4B F7 12 B4 EF 08 73 20 7D 7F 65 D2"

The process find.exe:1700 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 3C DF 11 C1 27 27 A1 90 CF 71 6A F3 0F 78 9A"

The process find.exe:1620 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 80 D6 AC 03 EB B8 78 EF 07 71 6C 71 B3 6B 12"

The process find.exe:780 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 7F 7B C0 D3 DC 98 0D 82 C3 94 DC 69 BA 87 32"

The process find.exe:1800 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 C1 A6 AA 3A A5 B9 AA CA 10 4E AC 6D 66 8A 79"

The process find.exe:968 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 69 94 50 41 C2 67 3A 8D A8 48 E2 6A 50 93 54"

The process find.exe:424 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC F9 A5 02 38 2F 7F 79 AB 2C B3 06 73 D4 64 E8"

The process find.exe:1680 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 47 DE 98 E8 00 D7 A1 A1 E8 FB 33 5C 6C D9 5C"

The process find.exe:828 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 65 4A B2 8A 34 CE BD 02 1D B6 A2 7B 29 36 75"

The process find.exe:2008 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 72 10 89 E7 7B 73 71 11 01 30 9E B3 30 1C 68"

The process find.exe:516 makes changes in the system registry.
The Dropped creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE B0 93 3A CA E6 AF BF 7F 69 9D 34 BF AF E5 F7"

Dropped PE files

MD5 File path
04b4c43b7a5d2a157b083f4e2982fb88 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\20943149.exe
6351426f5922b23dd580621eee7b681c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\69582.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa7.tmp\ExecCmd.dll
fac821b12aecac7d5abb16a4e36e9fb3 c:\Program Files\athough\wearily.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\orignal\Microsoft.Win32.TaskScheduler.dll
1da0f3512390c47ec742190ade51194a c:\Program Files\orignal\settings.dll
9afaef17653e9d72b003f99ee0581f5a c:\Program Files\orignal\uncorroborated.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll
9afaef17653e9d72b003f99ee0581f5a c:\WINDOWS\inflict.exe
1da0f3512390c47ec742190ade51194a c:\WINDOWS\settings.dll

HOSTS file anomalies

The Dropped modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted.
The modified file is 857 bytes in size. The following entries are added to the hosts file:

162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 86016 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 278528 2536 2560 3.13622 b9f20defc9dd650d8dcc7fc5d4708ad4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 69
7bcde813c50a0b0e20e5f9f233bc3040
3bb658d8842811f2bb1727abfc9e8886
6fbb8fb46337e3f62482246f42d9b043
54f561eda86f1e84fc86247e6f2c8430
49839380f2b5206da8310e3e7a06a5ae
b341a56684c065e107316fd0df7f6581
c09676623f77c5767f18b933aaba2b62
acaa641b943db17b0caaf35156d8830d
bbfa9010ebef7ef8e0573cefda04c850
728ff14118449483f419515f9c0986a8
5ec17924d5a5120ceda2664f1b218ecb
4ad0fc6d5ebd598a467812b0f9740221
8ff5ebdddc64d38db37572540e7a1d7a
6cd19462f1f0d052f2737cc36afbcdf3
a14d0db7bb09e828c386a7ec35354e20
b1f342022972160628e55f97bc8be5cc
c3043b5ee111da57d2d1ca9bba8aef9a
838f1004aec0bf9f8092cb2bf33ace3b
d2ee31e9f93c861fb0f46832cf9cacca
4451756512961de3738d9540bafa34b3
7ad91245eac497f0b7bf8e9d2a01925d
3685385d957d8b037aed66637286a898
3e6648981ae491c49a84171eb2f8ffea
723ff258db1000397db7689ef61e55e3
050ec6260d617046e92eb82a47e46a76

URLs

URL IP
hxxp://d3cpqb3ouewn5u.cloudfront.net/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=
hxxp://d3cpqb3ouewn5u.cloudfront.net/func.js?r=5
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://www.clangburkitt.info/count.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&rand= 162.222.194.132
hxxp://cocomo.tremorhub.com/itd.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&rand=
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png 67.202.94.94
hxxp://c.statcounter.com/10114910/0/757d7213/1/ 216.59.38.123
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=735763056&t=pageview&_s=1&dl=http://www.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1914398824&cid=167001551.1473180239&tid=UA-74694740-5&_r=1&z=227060018
hxxp://a5f50dedef.site.internapcdn.net/page-3.html?lid=937115
hxxp://widgets.amung.us/draw/?w=colored&n=1114&c=000000ffffff&p= 50.23.131.235
hxxp://109.201.148.40/report1.php?url=/ivids/page-3.html?lid=937115
hxxp://ivids.net/jwplayer1.js 162.222.194.11
hxxp://109.201.148.40/bck.php?1473180240000
hxxp://ivids.net/1.js 162.222.194.11
hxxp://a5f50dedef.site.internapcdn.net/page-3.htm?lid=937115
hxxp://109.201.148.40/report1.php?url=/ivids/page-3.htm?lid=937115
hxxp://109.201.148.40/bck.php?1473180241000
hxxp://g1.panthercdn.com/counter/counter.js
hxxp://ivids.net/player1.swf 162.222.194.11
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=116491976&t=pageview&_s=1&dl=http://www.ivids.net/page-3.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=659244252&cid=1782559488.1473180242&tid=UA-74694740-2&_r=1&z=1176070523
hxxp://a5f50dedef.site.internapcdn.net/css1.css
hxxp://a5f50dedef.site.internapcdn.net/img/logo.png
hxxp://a5f50dedef.site.internapcdn.net/img/lbg.png
hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=11F02FAE42BB4FA83FEB842D21424A13&sc_random=0.3472518227683497&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://www.ivids.net/page-3.html?lid=937115&u=http://www.ivids.net/page-3.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 216.59.38.123
hxxp://cs28.wpc.thetacdn.net/5/10/logo.png
hxxp://ivids.net/ova-jw.swf 162.222.194.11
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 3&mediaDesc=Entertainment videos ivids.net - 3&mediaId=2&mediaUrl=hxxp://www.ivids.net/3.html&srcPageUrl=hxxp://www.ivids.net/3.html&contentLength=300
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Bidswitch,thetradedesk,google,eyeview,BidTheatre,ignitionone,dynadmic,mediamath,SundaySky,dataxu,conversant,_dmp_turbine,1,tremornet,appnexus,Videology,beeswax,adapTV,rocketfuel,TubeMogul-GP,centro,audiencescience&uid=575b8f7ad5d64d24a58ac20715400d3b&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://dyhd7e8p4cqed.cloudfront.net/crossdomain.xml
hxxp://dyhd7e8p4cqed.cloudfront.net/static/noad.xml
hxxp://vi.ivids.net/crossdomain.xml 109.201.148.40
hxxp://vi.ivids.net/v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hxxp://www.ivids.net/3.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos ivids.net&LR_FORMAT=application/x-shockwave-flash 109.201.148.40
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.ivids.net/3.html&contentLength=[CONTENT_LENGTH]
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=cc730cd37857478e93f07a08d2307af7&p=SundaySky,ignitionone,centro,Videology,google,TubeMogul-GP,eyeview,dataxu,videoamp,adapTV,mediamath,beeswax,thetradedesk,_dmp_turbine,1,audiencescience,dynadmic,Bidswitch,conversant,rocketfuel,BidTheatre,tremornet&uid=575b8f7ad5d64d24a58ac20715400d3b&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=cc730cd37857478e93f07a08d2307af7&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b
hxxp://www.ivids.net/img/lbg.png 69.88.149.139
hxxp://xlf5t.ads.tremorhub.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 3&mediaDesc=Entertainment videos ivids.net - 3&mediaId=2&mediaUrl=hxxp://www.ivids.net/3.html&srcPageUrl=hxxp://www.ivids.net/3.html&contentLength=300 52.205.82.36
hxxp://www.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t= 54.230.45.95
hxxp://www.ivids.net/page-3.html?lid=937115 69.88.149.139
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://www.google-analytics.com/analytics.js 216.58.209.174
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/crossdomain.xml 52.2.99.223
hxxp://cdn.tremorhub.com/crossdomain.xml 52.85.173.114
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://we1sb-wwcgk.ads.tremorhub.com/crossdomain.xml 52.200.216.188
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=cc730cd37857478e93f07a08d2307af7&p=SundaySky,ignitionone,centro,Videology,google,TubeMogul-GP,eyeview,dataxu,videoamp,adapTV,mediamath,beeswax,thetradedesk,_dmp_turbine,1,audiencescience,dynadmic,Bidswitch,conversant,rocketfuel,BidTheatre,tremornet&uid=575b8f7ad5d64d24a58ac20715400d3b&init=true 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://www.ivids.net/css1.css 69.88.149.139
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=116491976&t=pageview&_s=1&dl=http://www.ivids.net/page-3.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=659244252&cid=1782559488.1473180242&tid=UA-74694740-2&_r=1&z=1176070523 216.58.209.174
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://www.ivids.net/page-3.htm?lid=937115 69.88.149.139
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://cdn.tremorhub.com/static/noad.xml 52.85.173.114
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml 52.205.82.36
hxxp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.ivids.net/3.html&contentLength=[CONTENT_LENGTH] 52.200.216.188
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Bidswitch,thetradedesk,google,eyeview,BidTheatre,ignitionone,dynadmic,mediamath,SundaySky,dataxu,conversant,_dmp_turbine,1,tremornet,appnexus,Videology,beeswax,adapTV,rocketfuel,TubeMogul-GP,centro,audiencescience&uid=575b8f7ad5d64d24a58ac20715400d3b&init=true 52.2.99.223
hxxp://www.bruindorsett.pw/func.js?r=5 54.230.45.95
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://www.ivids.net/img/logo.png 69.88.149.139
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=735763056&t=pageview&_s=1&dl=http://www.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1914398824&cid=167001551.1473180239&tid=UA-74694740-5&_r=1&z=227060018 216.58.209.174
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://www.statcounter.com/counter/counter.js 151.249.90.215
hxxp://l.longtailvideo.com/5/10/logo.png 93.184.221.48
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=cc730cd37857478e93f07a08d2307af7&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223
hxxp://partners.tremorhub.com/syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b 52.2.99.223


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.1782559488.1473180242; _gat=1


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 00:49:54 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Wed, 09 Aug 2017 00:49:54 GMT
Connection: close
Content-Type: application/x-shockwave-flash
CWS..`..x..}.\...x...@).....JCQJ...t.S.:.s..P.M.".."D.=.E."!.G.Q."....
y...~_..|>o.....u?o......."..>...Z}....u......X....^...8\.3..7,V
$.;[Y%%%[email protected]../[email protected]..
...8$.i.p... .Z.X.......<A.C4...s.L...*.B..c.'1...h.C.;.J.....E.d..
...... .........X...%[.x.m2@oK&/../...LtM..P..|.0._..a.c..x17..K.....6
L....z....z...#f. .=..:i...!B.O.s..:..`kmc.-............ xh6).UpWB.6..
..UC.SQ.1^..3.]3x4z.o..>...7F.`s..,.G.K.s.)........ $E..[O..O......
......w.....0.Jw....qCv.........&L..I...0.g...z%...k.s_....B.V....f- .
y>..6.e..v...O..R.4u...J?.q.........o?.........._.8i.........L'._s.
...ug......N..h..[....s/.[X>.G...9....k...O...L;.,X.p......... ....
r&.c..F.>._w.. {.2...b..ri..=.C.N#M..|..(&..8........9..,.S.....KhS
.}.......~..i....W...?....7.S\...eS..*&.S.z.\:....#!cng.}5...I.*I;....
'.M...U..3^s.l....^.7..sp.......Z_..wJ.....O.;0e... ..f\.t..{....5v}..
=..9...1..C..?..4.R.....[G7W..=h|...a..p../s..]......^...K.r..]T.....
....j..V7.r.9l.........,zf..U.c..$b..n.}...^..B=.-.RP....Y.......aB.f.
...9...Vuzz.M\../b............8n...2..^Y..%u..n,...x.....,.;..s.r..]|8
...v......u.m........=.n..9.&{.B......D_JU.7.<.....>gz.<....O
.4..zQhiWf....aOL.-.bE..2yU.S..)g6Z...m...m..s....ly.....Q.us..ci....[
k?M.7p.e.....yG.'.8...R.....m_/z.>p.......=....B..w..zwQ\P..B...Bn.
2..>K..F....>.xLy..`...%..`.._......'5.9..V../z.....E..;....h)..
_..>...........{^.....p&x.Q....;YH..E.6.<m..8n... a...#U~.5S(wr2
V....h..Y^.'^.....y.8:........Q....^[..nK....hq...5..[...i94$.....

<<< skipped >>>

GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 00:49:53 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Wed, 07 Sep 2016 00:49:53 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: is_unique=sc10114910.1473180257.0; is_visitor_unique=1473180257124270528


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:20 GMT
Server: PWS/8.1.38
X-Px: ht h0-s1072.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Tue, 06 Sep 2016 23:24:54 GMT
Age: 19166
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
...........]{s....*....F.,.-..o..M6....$...eQ$%s,.Z..c-}..u7@..<3{u
[email protected]..............]...K.%.<L....f...U...\..i.
<..g.f.%.q........O.J.CH..v.....N.H.M..zQ-J..`.'f.*~0....sj....C...
.....l....di|..4t..H........-...;.P.f^...EM....4..I.=.~....e..e..W>
.]..Wt...v..I..Wym.;...y....'....W._;.}.f..#...'.4Lj.:...bv.....&Z.p.&
.&.5.n#sN....X'[..........5-h.n.x..G.5....h...mp.....5..[..G.}.~....&.
...d.%i..G..4....b..h......<.q..c... J....{bTZ\M.w.r.1.Bf...y.l....
v.gQ...v.e./O.....Fi..H..;.Z.Y.a{Os-.A..c.b.c.{.a.....bln|{..t.....:|.
....~......R.eEV..-:h.xwS...Zf..*cHC,...K....p..4i.9.k>..P6[.Q.....
.$|...._.;...Em..itPa......P..Gj.. .5. G..1m.....Ee...F70..ZUU&.&.?.&
gt;..r.Opc.........MQ<....=9(.v..^.Z<.;C....{....v..v:..N..{8.V;
........a.......v'.......w:...y..... ..^v../.8....W..7...o..IBV..%e...
c.Qt...6M.k.".j.o.E[.;..(#.$...#..T*. .......K/M..S..X.;(`..v.Fx||4...
..............#_.y..]./.y...?.....U...... ..][email protected].?.H.ha8.b.*.
.EE.tx,j.....,.H..;.^...Ps....\.D.A...._..M...`.K...$k....^......j5t..
.......J.G,kt..6:}.I....v%..g.).([......Rlh.F.E..P(...h.U...:.@k>D.
..y.($V.P..B.u[n...[.@u2...;r^.E./..u....-k.......u....K....w...`U....
g^.l....*.1N.....8|.b..R.N.N..yq.s......?..m.m~..^...m.<cT. ....g.c
...E.-.?...O.|O. /Z*l...../46..;......h...8..p....m......&..MD.[.f\...
.'..e..C.*.n..#[email protected].,6<,.:..8,.OA...V.`.Pa
[..~v3.Qn...7W..^@[...../ m.t..%.......r$...>-k...{..U .h.r.._...UN
....3../....O..N.............p....5.<....2GM..C3|.q^w.....,....

<<< skipped >>>

GET /page-3.html?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:17 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
e5c
<img src="hXXp://109.201.148.40/report1.php?url=/ivids/page-3.html?lid=937115" alt="" width="0" height="0">
<script type="text/javascript" src="hXXp://ivids.net/jwplayer1.js"></script>
<script>var thecc ="ok";</script>
<script type="text/javascript" src="hXXp://ivids.net/1.js"></script>
<form action="hXXp://VVV.ivids.net/page-2.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>
<form action="hXXp://VVV.ivids.net/page-3.htm" method="get" name="redirect1"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { document.forms['redirect1'].submit();}</script>
<script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floor(Math.random()*items.length)];
var ffile = "hXXp://thm.vidvib.com/abcd.mp4";
jwplayer('ova-jwplayer-container').setup({
 "flashplayer": "hXXp://ivids.net/player1.swf",
"file": ffile,

<<< skipped >>>

GET /page-3.htm?lid=937115 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
e5d
<img src="hXXp://109.201.148.40/report1.php?url=/ivids/page-3.htm?lid=937115" alt="" width="0" height="0">
<script type="text/javascript" src="hXXp://ivids.net/jwplayer1.js"></script>
<script>var thecc ="ok";</script>
<script type="text/javascript" src="hXXp://ivids.net/1.js"></script>
<form action="hXXp://VVV.ivids.net/page-2.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>
<script type="text/javascript"> if (top.location!= self.location) { var rc = document.referrer.split('/')[2];if (rc == window.location.hostname) { document.write('<div id="ova-jwplayer-container" style="position:absolute; top:0px; left:0px;width:300px;height:250px;"></div>');}}</script>
<script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floor(Math.random()*items.length)];
var ffile = "hXXp://thm.vidvib.com/abcd.mp4";
jwplayer('ova-jwplayer-container').setup({
 "flashplayer": "hXXp://ivid

<<< skipped >>>

GET /css1.css HTTP/1.1

Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473180242.11F02FAE42BB4FA83FEB842D21424A13.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1782559488.1473180242; _gat=1


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:20 GMT
Content-Type: text/css
Content-Length: 1963
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 10 Nov 2014 09:13:53 GMT
ETag: "a1af7-7ab-5077d94d75640"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
A..{..COLOR: #000000; ..TEXT-DECORATION: none;..}..A:link ..{..COLOR: 
#000000;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DE
CORATION: none;..FONT-SIZE: 13px;..}..A:visited ..{..COLOR: #000000;..
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION:
none;..FONT-SIZE: 13px;..}..A:hover ..{..COLOR: #000000;..FONT-FAMILY:
Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-
SIZE: 13px;..}..table ..{..FONT-SIZE: 10px;..FONT-FAMILY: verdana, Ari
al, Helvetica, sans-serif;..}..td {font-family:Verdana;font-size:8.5pt
}...body {..BACKGROUND-COLOR: #ffffff;..margin-left: 10%;..margin-righ
t: 10%; ..border: 0px solid #979696;..}...topmenu {..BACKGROUND-COLOR:
#eeeeee;..border-bottom: 1px solid #B5B5B5;..height: 35px;..}...topme
nufont..{..COLOR: #B5B5B5; ..TEXT-DECORATION: none;..}...topmenufont:l
ink ..{..COLOR: #B5B5B5;..FONT-FAMILY: Verdana, Arial, Helvetica, sans
-serif;..TEXT-DECORATION: none;..FONT-SIZE: 12px;..-webkit-font-smooth
ing: antialiased !important;..text-shadow: 1px 1px 1px rgba(0,0,0,0.00
4);..}...topmenufont:visited ..{..COLOR: #B5B5B5;..FONT-FAMILY: Verdan
a, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-SIZE: 1
2px;..-webkit-font-smoothing: antialiased !important;..text-shadow: 1p
x 1px 1px rgba(0,0,0,0.004);..}...topmenufont:hover ..{..COLOR: #B5B5B
5;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATI
ON: none;..FONT-SIZE: 12px;..-webkit-font-smoothing: antialiased !impo
rtant;..text-shadow: 1px 1px 1px rgba(0,0,0,0.004);..}...logo {..b

<<< skipped >>>

GET /img/lbg.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473180242.11F02FAE42BB4FA83FEB842D21424A13.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1782559488.1473180242; _gat=1


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:20 GMT
Content-Type: image/png
Content-Length: 200
Connection: keep-alive
Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT
ETag: "a1c85-c8-4ebb56fac1880"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
.PNG........IHDR.......L......O......gAMA....7.......tEXtSoftware.Adob
e ImageReadyq.e<...ZIDATx.b.R.b .....tV.....Z&.'B..!.;......qn...h:
[email protected]#......|..-..z...D..g.f.![.....O...........IEND.B`.


GET /count.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.clangburkitt.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:18 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
......<meta http-equiv="refresh" content="300">


GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:17 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1473180257.0; expires=Sun, 05-Sep-2021 16:44:17 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1473180257124270528; expires=Thu, 06-Sep-2018 16:44:17 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
GIF89a...................!.......,...........T..;..


GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=11F02FAE42BB4FA83FEB842D21424A13&sc_random=0.3472518227683497&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.ivids.net/page-3.html?lid=937115&u=http://VVV.ivids.net/page-3.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: is_unique=sc10114910.1473180257.0; is_visitor_unique=1473180257124270528


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:20 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1473180257.0-10675947.1473180260.0; expires=Sun, 05-Sep-2021 16:44:20 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1473180257124270528; expires=Thu, 06-Sep-2018 16:44:20 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
GIF89a...................!.......,...........T..;..


GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 00:49:53 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Wed, 07 Sep 2016 00:49:53 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473180242.11F02FAE42BB4FA83FEB842D21424A13.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1782559488.1473180242; _gat=1


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:20 GMT
Content-Type: image/png
Content-Length: 2536
Connection: keep-alive
Last-Modified: Thu, 10 Jul 2014 23:39:15 GMT
ETag: "a1c81-9e8-4fddf55270ec0"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
.PNG........IHDR.......L.....3.......gAMA....7.......tEXtSoftware.Adob
e ImageReadyq.e<...zIDATx..]]S.W..N.......7.NE.........(...H.8S..V.
....H;j.v..%.3...^.`...3...3....7.6......>..r..n...$....a`M.ys.9.y.
.,..U.[..a.a9M..8M .....4.`..8..4...i...:M2MXd.&J..{..K....=.?........
m.....!sX...M!.5.}...){.....].r..l.U..Vv9.afH.......Wr.i[FEX..v...;...
. Y.=."d.bjy..L,.......Ph..$..I.B...]W...}.3*.B.....-..&....!..gT..{.q
.`...hv.........i..8M ....#~z.|]......}a.......5y..!..&...NzV........&
gt;1....wb..A.E.|g..j....J7m./.w].Df.v.N.FN.}.%...#........g.7...G.wW.
.8"............SGe...x...M..%kV.%.B...7........gz.....K.....d.Da......
../........=).....G?. ..<...Q...k0...v.B.....fn4.:._a...|...J7.g.(:
...&..k.1.i......&.;[email protected]..|[....w-....}.......c5....I=..J.
..j...5...."MV..[..8.Qw....w..........Ec}..~J.9m...A..v.?...m...FvU.;
....~...r...g..x=....... .....>V....9...~.....!.u.J.FZ.iB.L.T..S./L
..*.q1..|..8.2.z1..5{[email protected]|.
o.2.6.B...6..)m.T..Y........).O..........Q.'`.M.*J..p.tGW.....FO.C.=..
....b...*[email protected]*].h..Z.}.~....*G.....n$...D.....Q..4Y..8L..;...K...
Z..H1...ai.t.*yL...`-)2E..ip..C.d.&$*....p..[{.......4Ez..Gf.V..T.D[..
..g....Rm......u(Y.o@HT.*>?;}..D2ks...6>-\.)}Rb..ky......Pc.....
.-.\..?..s......319....^..D.i.C.....s.z.[..\...GJ...'8...Hi.s......-.S
.#...1...)..._S.V.ocE.\..cB.*Y.Z..B..%..r..73.8..p....P.U..\......2.2u
....S.....iQ.............P.y...{ 7i......v.s..N..-....K]\v.%..Vo$.P..&
lt;....}....Wb..9..7.p..$4=N Mj..0..4gj..Hie..5;-......6...8..m.(.

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"


HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 130
Connection: keep-alive
Date: Sun, 24 Jul 2016 04:41:02 GMT
Last-Modified: Thu, 04 Dec 2014 23:41:04 GMT
ETag: "2cf4c5e3d4c1206209355ac1065b0efc"
Accept-Ranges: bytes
Server: AmazonS3
Age: 78843
X-Cache: Hit from cloudfront
Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Uz05uryR34hC-ggWG3NA2zmosS3DJwBp1yS-TjzeM6CdWr8laBoQFA==
<?xml version="1.0" ?>
<cross-domain-policy>
    <!-- Very Liberal -->
    <allow-access-from domain="*" />
</cross-domain-policy>
....



GET /static/noad.xml HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"


HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 73
Connection: keep-alive
Date: Sun, 24 Jul 2016 05:41:23 GMT
Last-Modified: Thu, 04 Dec 2014 23:38:15 GMT
ETag: "074455bdeaf186ffa7b220bc14965cd5"
Accept-Ranges: bytes
Server: AmazonS3
Age: 24712
X-Cache: Hit from cloudfront
Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: sVVjYEcceYkOmuOi_3jDCS2BE0AJ8pa_sDP12355xCQcA-2T9CAdWg==
<VAST version="2.0" t:status="NO_AD" xmlns:t="hXXp://tremorhub.com/ssp"/>


GET /index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 906
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Tue, 06 Sep 2016 16:44:17 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Ve6bY_ReGknHhXCro8OuRV5ECBYHKHegJ-SKMAix-IxvzWv_u0qI4w==
...........UMo.8..... x.....$N..t...&....b..9..Xb*..9..M..KR.r..X.lr..
..7o<..m...x......5.....W..tAFs..M...kF.M.:.|Tm.Q,...P.A.;.g.......
.....okXi0..[{.YfO.....,.....c^KUnH. l...d4..U.j.....[..{.{-..7.ft...\
.4o..]0..9N.a.....Z...@L.\..P......Q...i..?......?..ln.......f..$;.d{;
..J.....e.(.D.5.9%5..F.../..A..M.U..Y1*.......u..?.._].j ^...M......k.
........P.JPC.t./..M.....k....Ith.k...P..Q.....!$\[email protected](b....u..6..W.g
...N%o6(........... }..........s....?..W.Q....m...).D..w6,.'a .,.0.qf.
B...5...*.]..:*.G..............O.....v.*[........l/....VJC.....Q8.Y.!.
U.....JA...Yy.........1.d..h.JLH..`.>.I`Uy..p....M...{T..x..,......
..a..#U....t...Sz..|......Vdz..........n.>......wb.>.LDk.4../...
%.........I..2.o{Y%.I....D*`..`.....l.?I'......u..._.NP}Em..F.....k)..
...H....h.n.kQ. m .."....>I.=<.k.N...Q............)..<.?..4K.
....n...)......./>].[...]|>.t.`D2..c.K?..eH...m.Y.Bi02...t.s....
.N4......v...?..[J0:...

<<< skipped >>>

GET /func.js?r=5 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Fri, 19 Aug 2016 01:35:05 GMT
Vary: Accept-Encoding
Age: 402
X-Cache: Hit from cloudfront
Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6rrRgBKGcPg4Pc5hvabRpWttMPUsV_ft1UAa7qQmVc0RqPujrjimAg==
[email protected]/vJ.8....U U.R.q.z..N.......DU.{....-.G.>l&l
t;3..wVyd.Dk.b.y..d..T.D...."W.<K.n4,X.$........AU5^..{.]_M..:.]...
..Z P9.p9.F?....'...d.|..o..[e...8E...{.4.U.BrB.<......> .X.9...
...P.B...i.J..L....V ..jr*n... ]v..g@.. .M.u.v&]..~..Bz_."..:.]... o..
.T.B...q....pC..B..qM...J.<J.....c]..s>...V:.......[a=..|..x.z..
...=.9%}.t......T........'..t...g.....L.. *.V2..p...rv.....F..x?W..*..
..........3_.q.q....S.~....7_e.G..P..7w..h..R ..$.w....H.41.W.n...D...
.wZ..x.ZG....6..:a.5!....t:O..:.5MvM...([email protected].\.......SuY....:....
.....>...P..{|:.<.<...I...=........}..=...|.8.......{1z...

<<< skipped >>>

GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Tue, 06 Sep 2016 16:44:21 GMT
Etag: "3015243340"
Expires: Tue, 13 Sep 2016 16:44:21 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
.PNG........IHDR...].........9.".....IDATh..Zo..E...e...*!.......RP...
.0H.|).Y...).4C.#H..2....g{.....GO.....A...(.?H....B..wf.....{.......c
v..9sv...3g....A-.).8j......J..*[email protected] u(.....k.Nt.3..yR....~*].
...Y...v..........\.YO....0.....bZ.=...e..ji.g..S..Z.t.9?..N).]`.K !..
...Y..?..<.h.v.<.........%..6.O.......R..g.}.i.?.Vh.....?..[..C{
.h.-%......s.\..:.M.p.K..u.5....c...X.>..........m.........._.%.d9k
L....t..t..N...#...|..VV.2...w.....X.W:^.:.S...n6....E=...$.i......(.j
.}[email protected]./.....U.u.-.U\..../B......;[email protected]....=.'.~Jm0t<c.
]...-....D...~......<...X....&....Ky%..j...[...Nk.6.....7.._.e!h...
........T7(q..q..v.J=c.^..............--.>......=.....n."...("....0
.Z..<... .q!.`.....N...Z....b.....g.,..UjA.j..7{.H...Pa.. /...l(...
S.j.Q0.u`...LcthJ.. .BN..............P....e...BPZ...W.I...........Sc.j
.!..'..d>c.....xV..2.i#.Z...#j >wa.......[.Y.../.6.g.j'.m...y..O
.\..W.....ar.J~..B...0...........~1M....].......;f...>>$...h.{..
....>zpI/...!>........0...f..ez.....b..!.....X....R..H.l|.r9.#'.
...x..1.A.qy.......M......Y&}..I...-} ..X.....(..17(...EJ.l..T..(8;.`.
..8o.{..r@..]..Z.......^n...vy.3S....%^'....)..nDeg..'.1. $....C...x..
t...x.d#.......t...?...N.N.............%`..Kc....#4.x....#.....9.ps.a.
q........G..R..........B... .S.K$......]..2..-..Hn..t'....4UA9P..69Q.'
.......2..d.<b.....{m....).dd...d.(..G.1`*.....<..ql.zs.On......
j..$..Fnf.T.Y........}.z....N.ZS.]........U)..K...xJFf........S....&.b
i..Mv.F..r....Z...`.~_........._ y.......(.b..f..m....R..k......se

<<< skipped >>>

GET /report1.php?url=/ivids/page-3.html?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:47:48 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
....



GET /bck.php?1473180240000 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:47:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
....



GET /report1.php?url=/ivids/page-3.htm?lid=937115 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:47:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
....



GET /bck.php?1473180241000 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:47:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /itd.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Sep 2016 16:44:18 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
  var nameEQ = name + "=";
  var ca = document.cookie.split(';');
  for(var i=0;i < ca.length;i++) {
    var c = ca[i];
    while (c.charAt(0)==' ') c = c.substring(1,c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  }
  return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
//-->
</script>
<meta http-equiv="refresh" content="300">
</html>

<<< skipped >>>

GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 00:49:52 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Wed, 09 Aug 2017 00:49:52 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape('
wearily.exe_460:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp\ExecCmd.dll
"%Program Files%\orignal\uncorroborated.exe"
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp
nsa7.tmp
rogram Files\orignal\uncorroborated.exe"
q uncorroborated.exe" | %SystemRoot%\System32\find /I "uncorroborated.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp
"%Program Files%\athough\wearily.exe"
%Program Files%\athough
wearily.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\athough\wearily.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
hough\wearily.exe"
l\uncorroborated.exe"


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskkill.exe:1744
    taskkill.exe:340
    69582.exe:164
    tasklist.exe:1084
    tasklist.exe:1344
    tasklist.exe:276
    tasklist.exe:1488
    tasklist.exe:832
    tasklist.exe:1540
    tasklist.exe:1852
    tasklist.exe:1692
    tasklist.exe:652
    tasklist.exe:1676
    tasklist.exe:500
    tasklist.exe:1700
    tasklist.exe:240
    tasklist.exe:1880
    tasklist.exe:784
    tasklist.exe:1636
    tasklist.exe:1556
    tasklist.exe:1724
    tasklist.exe:1288
    tasklist.exe:1364
    tasklist.exe:1688
    tasklist.exe:2008
    wearily.exe:460
    %original file name%.exe:312
    20943149.exe:456
    find.exe:576
    find.exe:660
    find.exe:136
    find.exe:832
    find.exe:1984
    find.exe:1612
    find.exe:340
    find.exe:1392
    find.exe:1860
    find.exe:1864
    find.exe:1496
    find.exe:224
    find.exe:480
    find.exe:1700
    find.exe:1620
    find.exe:780
    find.exe:1800
    find.exe:968
    find.exe:424
    find.exe:1680
    find.exe:828
    find.exe:2008
    find.exe:516

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAY9EDUL.xml (933 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4LMNO5.gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (796 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[3].xml (82 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\abcd[1].mp4 (771 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[7].xml (644 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\itd[1].htm (1118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (82 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[8].xml (591 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jwplayer1[1].js (76309 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\css1[1].css (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\page-3[1].htm (3953 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6BKDAN.xml (854 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAH3E7VM.xml (718 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lbg[1].png (200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v[1].xml (654 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAA3GZYL.xml (803 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAIA5GXD.xml (767 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (626 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (597 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (14072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[6].xml (609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[8].xml (679 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (550 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[1].js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (609 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[5].xml (796 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CACP0V2V.xml (804 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wau-widget[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\player1[1].swf (22077 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (580 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (556 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\noad[1].xml (73 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[6].xml (637 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (12941 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8ROLMN.xml (718 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[2].png (723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (758 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[2].js (1353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (700 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[7].xml (640 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[5].xml (758 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAMFURQD.xml (752 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\func[1].js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\analytics[1].js (1557 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\collect[1].gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[8].xml (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-3[1].htm (4309 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA6NW1QR.xml (803 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU3G96R.xml (804 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAWTOXEZ.xml (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAKBSTKH.xml (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[6].xml (711 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[7].xml (599 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYEJNZ0.xml (767 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (503 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (697 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAJMBGIP.xml (752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fla8.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ova-jw[1].swf (29005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACJQGXK.xml (752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[6].xml (567 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CANKAOOZ.xml (752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\count[1].htm (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp\ExecCmd.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\ShellLink.dll (4 bytes)
    %WinDir%\uncorroborated.exe (4952 bytes)
    %Program Files%\orignal\settings.dll (11076 bytes)
    %Program Files%\orignal\uncorroborated.exe (4952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\AccessControl.dll (13 bytes)
    %WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %System%\drivers\etc\hosts (123 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\possessor.lnk (511 bytes)
    %WinDir%\settings.dll (11076 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\69582.exe (1082 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\20943149.exe (3125 bytes)
    %Program Files%\athough\wearily.exe (1036 bytes)
    %Program Files%\orignal\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (5289 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "wearily" = "%Program Files%\athough\wearily.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "linkages" = "%Program Files%\orignal\uncorroborated.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "adjournment" = "%Program Files%\orignal\uncorroborated.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "trappers" = "%Program Files%\orignal\uncorroborated.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "midwestern" = "%Program Files%\orignal\uncorroborated.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "platzer" = "%Program Files%\orignal\uncorroborated.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
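The removal steps above as a script, added here as an example; it is not Lavasoft's tool and is not part of the original report. It checks exactly the persistence points this report lists (the six Run values, the dropped files, the Startup .lnk and the HOSTS file), prints what it finds together with a SHA-256 of each file so the result can be compared against the hashes at the top of the page, and only acts when -Remove is given (so -WhatIf works too). Assumptions: it runs in an elevated Windows PowerShell 4 or later (Get-FileHash), both Program Files roots are checked because a 32-bit NSIS installer lands in Program Files (x86) on a 64-bit host, and the numeric names 69582.exe and 20943149.exe are taken from this run and may differ for other samples. The tasklist.exe and find.exe entries in step 1 are transient helpers the installer spawns to poll for its payload (see the `| %SystemRoot%\System32\find /I "uncorroborated.exe"` string in the wearily.exe dump), so the script targets the four dropped executables instead of chasing them.

```powershell
# Added example (not Lavasoft code): report-only by default, -Remove to act.
# Run elevated. Get-FileHash needs PowerShell 4+.
[CmdletBinding(SupportsShouldProcess=$true)]
param([switch]$Remove)

# Process names taken from this report (numeric names assumed to vary per sample)
$procNames = 'wearily', 'uncorroborated', '69582', '20943149'

$pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$files = @()
foreach ($root in $pfRoots) {
    $files += Join-Path $root 'athough\wearily.exe'
    $files += Join-Path $root 'orignal\uncorroborated.exe'
    $files += Join-Path $root 'orignal\settings.dll'
    $files += Join-Path $root 'orignal\Microsoft.Win32.TaskScheduler.dll'
}
$files += Join-Path $env:windir 'uncorroborated.exe'
$files += Join-Path $env:windir 'settings.dll'
$files += Join-Path $env:windir 'Microsoft.Win32.TaskScheduler.dll'
$files += Join-Path $env:LOCALAPPDATA '69582.exe'
$files += Join-Path $env:LOCALAPPDATA '20943149.exe'
$files += Join-Path ([Environment]::GetFolderPath('Startup')) 'possessor.lnk'

# Run values exactly as listed in step 4
$runValues = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'wearily', 'linkages', 'trappers', 'midwestern'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = 'adjournment', 'platzer'
}
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'

# Step 1: running payloads (installer helpers tasklist/find are not targeted)
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    Write-Output ("PROCESS {0} pid={1} path={2}" -f $p.Name, $p.Id, $p.Path)
    if ($Remove -and $PSCmdlet.ShouldProcess($p.Name, 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# Step 4 first: remove autorun values before files so nothing is relaunched
foreach ($key in $runValues.Keys) {
    foreach ($name in $runValues[$key]) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($item) {
            Write-Output ("RUNKEY {0}\{1} = {2}" -f $key, $name, $item.$name)
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# Steps 2-3: dropped files, hashed so they can be compared with the report
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Output ("FILE {0} sha256={1}" -f $f, $hash)
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

# Step 5: anything beyond comments and the loopback defaults is suspect
$extra = Get-Content -LiteralPath $hostsPath | Where-Object {
    $_ -match '\S' -and $_ -notmatch '^\s*#' -and
    $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
}
if ($extra) {
    Write-Output 'HOSTS non-default entries:'
    $extra | ForEach-Object { Write-Output ("  {0}" -f $_) }
    if ($Remove -and $PSCmdlet.ShouldProcess($hostsPath, 'Restore default content')) {
        Copy-Item -LiteralPath $hostsPath -Destination "$hostsPath.bak" -Force
        Set-Content -LiteralPath $hostsPath -Value '127.0.0.1 localhost' -Encoding Ascii
    }
}
```

Run it once without -Remove and keep the output as the evidence record; then `-Remove -WhatIf` to preview, `-Remove` to act, and reboot (step 7). The original HOSTS file is kept as hosts.bak, and the now-empty athough and orignal directories can be removed by hand once the files are gone.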
