Dropped.Trojan.Generic.17338822_688987076a
Trojan-Dropper.Win32.Dapato.ondy (Kaspersky), Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 688987076a743b6ad9a21cdf72e88aef
SHA1: e4c1347b38cb17dede27f41331bce7ccbb8d6808
SHA256: 09917c51b8d0c4e470251ee3854a66b7f5db84d158ae66f238674d7fa3b87530
SSDeep: 24576:NhcWVVFbCt7QKEh4EUZ6ilgdGWO6ACa4U1T:TtVVFetWO6hwWOC0N
Size: 790531 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
taskkill.exe:1976
taskkill.exe:1252
tasklist.exe:1160
tasklist.exe:884
tasklist.exe:452
tasklist.exe:1928
tasklist.exe:856
tasklist.exe:1424
tasklist.exe:1772
tasklist.exe:1112
tasklist.exe:936
tasklist.exe:1012
tasklist.exe:448
tasklist.exe:1312
tasklist.exe:244
tasklist.exe:1868
tasklist.exe:1880
tasklist.exe:1804
tasklist.exe:1932
tasklist.exe:908
tasklist.exe:500
tasklist.exe:1100
tasklist.exe:1668
tasklist.exe:1740
57630973.exe:224
%original file name%.exe:1756
tonawanda.exe:308
36921.exe:136
find.exe:1160
find.exe:1204
find.exe:276
find.exe:1832
find.exe:1076
find.exe:1112
find.exe:2012
find.exe:1752
find.exe:516
find.exe:568
find.exe:1408
find.exe:1092
find.exe:1932
find.exe:1492
find.exe:240
find.exe:1916
find.exe:936
find.exe:1472
find.exe:648
find.exe:512
find.exe:1368
find.exe:376
The Dropped injects its code into the following process(es):
aegis.exe:1384
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process aegis.exe:1384 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
The Dropped deletes the following file(s):
The process 57630973.exe:224 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\SimpleFC.dll (5289 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\SimpleFC.dll (0 bytes)
The process %original file name%.exe:1756 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%WinDir%\aegis.exe (11888 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\oregano.lnk (471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\57630973.exe (3057 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\verbiage\settings.dll (6 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Program Files%\verbiage\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%WinDir%\settings.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (13 bytes)
%Program Files%\perfect\tonawanda.exe (1040 bytes)
%Program Files%\verbiage\aegis.exe (11888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\36921.exe (1082 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
The process tonawanda.exe:308 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd7.tmp\ExecCmd.dll (4 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (0 bytes)
The process 36921.exe:136 makes changes in the file system.
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
Registry activity
The process taskkill.exe:1976 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F FC 8C AF D7 B1 76 A3 7C FF 1E 56 F4 00 45 D8"
The process taskkill.exe:1252 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB A8 85 BC 4E 3C 6C B8 EC 4C 0F A4 46 18 8E AB"
The process aegis.exe:1384 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161011]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016101020161011\"
"CachePrefix" = ":2016101020161011:"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A E9 1B F2 28 0E 0F 27 B7 C1 8C AA 46 AC D6 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161011]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161011]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161011]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies the IE security-zone settings so that all local web nodes whose names contain no dots and which do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies the IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tasklist.exe:1160 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 BC 04 17 DD 44 56 64 09 23 C3 3A 2D 16 DA DA"
The process tasklist.exe:884 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB D3 14 3C 97 CA CA 7F CD D0 53 10 BB 37 89 56"
The process tasklist.exe:452 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E B6 68 67 1C B9 F4 B3 92 15 C4 BF 46 C6 74 73"
The process tasklist.exe:1928 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 07 7A 31 38 24 55 CC A4 3A FD 5E 1E 64 D8 DE"
The process tasklist.exe:856 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E DD 27 4F 02 58 C1 40 4A 37 7F 3C 72 B5 54 BC"
The process tasklist.exe:1424 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 D2 28 62 8F 76 9D D6 42 38 BB D0 DB C9 39 2A"
The process tasklist.exe:1772 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 75 6E FD 4C 00 46 E6 B0 16 11 8E 10 B8 A7 94"
The process tasklist.exe:1112 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 FE 82 49 E6 41 4F 3B 9F 4F 52 A1 82 60 67 35"
The process tasklist.exe:936 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 F6 52 C8 DB 2D D1 E6 08 96 EE 09 E8 02 A9 9E"
The process tasklist.exe:1012 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 19 C7 B7 4F 76 2E 4F 14 0B C9 0C 75 85 A2 8F"
The process tasklist.exe:448 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 61 3A C3 E9 E8 2B AC 2B 9D 35 FF 1C C3 A8 7B"
The process tasklist.exe:1312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 F2 7B 09 94 D8 4C 24 2F FA DC C4 91 DA 92 2A"
The process tasklist.exe:244 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 93 91 6D AD C4 FA E9 F3 BE C7 C8 FF 98 84 62"
The process tasklist.exe:1868 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 04 1F 34 95 C8 22 2D 32 69 9D BA 5E A4 D2 B6"
The process tasklist.exe:1880 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 12 F7 32 4A 95 A3 67 24 5D E2 03 7E 73 77 18"
The process tasklist.exe:1804 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 74 54 65 3C AD 95 05 54 7D F4 A6 AA 47 39 E7"
The process tasklist.exe:1932 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD BA 35 60 CF 80 A0 66 71 7F 63 84 BA CE 97 7E"
The process tasklist.exe:908 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 66 E3 79 F4 08 63 A8 D8 3B D3 EA FE D0 4E 5B"
The process tasklist.exe:500 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F A3 A6 2F 14 F4 6E 0F 34 50 3B FA A5 1F 9E 36"
The process tasklist.exe:1100 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 0F 7F F9 FC C3 C6 DD DA 05 3A F4 36 E6 75 B0"
The process tasklist.exe:1668 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E CC D6 39 1C 48 6A F0 70 63 AA 75 3F 9F 42 37"
The process tasklist.exe:1740 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 4C CF 0F 30 AC 45 F6 3C F1 58 56 73 D5 9E 99"
The process 57630973.exe:224 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC A3 43 AF CF 0F 5C CC 24 26 26 81 20 F2 E0 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1756 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 22 43 3E C6 86 B1 C4 14 58 AD C0 67 3B 7A 40"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
To run automatically each time Windows boots, the Dropped adds the following links to its file to the system registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"southpaw" = "%Program Files%\verbiage\aegis.exe"
"medal" = "%Program Files%\verbiage\aegis.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hern" = "%Program Files%\verbiage\aegis.exe"
"manzano" = "%Program Files%\verbiage\aegis.exe"
The process tonawanda.exe:308 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 56 11 47 00 0A 12 5B 99 72 A7 C4 87 1E CF 9B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To run automatically each time Windows boots, the Dropped adds the following links to its files to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"swampscott" = "%Program Files%\verbiage\aegis.exe"
"tonawanda" = "%Program Files%\perfect\tonawanda.exe"
The process 36921.exe:136 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 71 10 3F E9 7C 02 96 78 B9 A6 D4 26 2E 35 F1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process find.exe:1160 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 EC 39 30 2A A3 DB A7 9C 0E A2 D2 7C C5 E8 90"
The process find.exe:1204 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 24 68 DF 12 72 BB 0A 4B BF FA DC 0E 21 AC F2"
The process find.exe:276 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 78 44 B2 29 04 9D 52 12 45 B2 E7 99 B3 1A EF"
The process find.exe:1832 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D7 88 28 A3 E6 6D 49 F8 99 76 70 F0 16 63 10"
The process find.exe:1076 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 54 7C BA 86 8E 9F 0B 79 6A 9B 8F 25 B3 65 85"
The process find.exe:1112 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D D0 4F BB 81 18 F8 FD 8D AF E5 E8 E4 77 F8 A7"
The process find.exe:2012 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 0B E3 12 FD E7 59 61 C8 F4 8E 84 07 9C 9C C1"
The process find.exe:1752 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D A8 43 E6 90 59 B3 34 C7 83 C2 68 25 E3 11 F3"
The process find.exe:516 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 7B EC D9 FB 2F B7 45 A7 93 9D 49 D1 6A 27 50"
The process find.exe:568 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA D5 49 19 CC E6 A6 73 6A 47 01 1B F1 04 F2 68"
The process find.exe:1408 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 06 12 A3 41 DE 27 05 6C 0A 92 9D D4 2D 84 19"
The process find.exe:1092 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 1D E4 32 07 DD C7 BD 93 47 19 98 68 DA A0 F2"
The process find.exe:1932 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 B1 D7 CF 66 AA 66 85 0D 8E A3 D1 5A 04 6B 60"
The process find.exe:1492 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 CE 3B E1 E1 CF B3 2C F8 F9 1F 85 36 14 15 94"
The process find.exe:240 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 16 03 51 19 76 8A 32 DB 71 6B 76 6F 32 8E 45"
The process find.exe:1916 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 28 F6 8A 53 40 87 2C 19 6C 44 05 5C 83 1A 08"
The process find.exe:936 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 8B F3 B0 33 40 24 B8 F8 AC 83 70 64 F1 00 5D"
The process find.exe:1472 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 9B A1 CE B9 20 CD 7D 4A 92 04 EE B9 AE C9 2A"
The process find.exe:648 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 1F 5E 18 14 D6 18 2C 93 BF 93 AE 0E B4 CA 4C"
The process find.exe:512 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 80 87 1E 2B 7A 37 F7 A9 3E A2 CA 0A 07 1C 86"
The process find.exe:1368 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 D2 C6 F5 2D 53 40 F2 E3 CB 69 60 01 F7 27 F5"
The process find.exe:376 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 D6 2D B7 19 0F F1 19 40 96 28 9F 07 5E 0D F9"
Dropped PE files
| MD5 | File path |
|---|---|
| 6351426f5922b23dd580621eee7b681c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\36921.exe |
| 772e2894d131e979a2d04b9f0ba15ae1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\57630973.exe |
| b9380b0bea8854fd9f93cc1fda0dfeac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd7.tmp\ExecCmd.dll |
| d8eb8d23ed1598756f81ef45e24e2e73 | c:\Program Files\perfect\tonawanda.exe |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\Program Files\verbiage\Microsoft.Win32.TaskScheduler.dll |
| b54f171c779133f76dbac42b0c681fb2 | c:\Program Files\verbiage\aegis.exe |
| 70b015969ecda6a73f8ca9c9451e1a4f | c:\Program Files\verbiage\settings.dll |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll |
| b54f171c779133f76dbac42b0c681fb2 | c:\WINDOWS\fonds.exe |
| 70b015969ecda6a73f8ca9c9451e1a4f | c:\WINDOWS\settings.dll |
HOSTS file anomalies
The Dropped modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 857 bytes in size. The following entries are added to the hosts file:
| IP | Host name |
|---|---|
| 162.222.194.13 | cocomo.tremorhub.com |
| 162.222.194.13 | www.virustotal.com |
| 162.222.194.13 | virustotal.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 86016 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 278528 | 2536 | 2560 | 3.13622 | b9f20defc9dd650d8dcc7fc5d4708ad4 |
Similar by Lavasoft Polymorphic Checker:
Total found: 116
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Outdated Windows Flash Version IE
Traffic
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 22:18:43 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Mon, 11 Sep 2017 22:18:43 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.898047264.1476108739; _gat=1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 22:18:44 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Mon, 11 Sep 2017 22:18:44 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:13 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=d3ff0cde4a728de158ea17165e832100c1476108733; expires=Tue, 10-Oct-17 14:12:13 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1476108733.0; expires=Sat, 09-Oct-2021 14:12:13 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1476108733343882628; expires=Wed, 10-Oct-2018 14:12:13 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 2efaaa8130934002-SOF
GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=988BBF935A314F24CB8B433DF0A0F47C&sc_random=0.4984301936053392&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.ivids.net/page-4.html?lid=937115&u=http://VVV.ivids.net/page-4.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d3ff0cde4a728de158ea17165e832100c1476108733; is_unique=sc10114910.1476108733.0; is_visitor_unique=1476108733343882628
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:16 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1476108733.0-10675947.1476108736.0; expires=Sat, 09-Oct-2021 14:12:16 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1476108733343882628; expires=Wed, 10-Oct-2018 14:12:16 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 2efaaa9411664002-SOF
GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1476108739.988BBF935A314F24CB8B433DF0A0F47C.1.1.1.1.1.1.1.1.1; _ga=GA1.2.898047264.1476108739; _gat=1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:16 GMT
Content-Type: image/png
Content-Length: 2536
Connection: keep-alive
Last-Modified: Thu, 10 Jul 2014 23:39:15 GMT
ETag: "a1c81-9e8-4fddf55270ec0"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
<<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vi.ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.898047264.1476108739; _gat=1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:16:03 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 11 Nov 2014 03:08:25 GMT
ETag: "a1b01-52-5078c97abfc40"
Accept-Ranges: bytes
Content-Length: 82
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml

<cross-domain-policy>
 <allow-access-from domain="*"/>
</cross-domain-policy>
GET /v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hXXp://VVV.ivids.net/4.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos ivids.net&LR_FORMAT=application/x-shockwave-flash HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vi.ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.898047264.1476108739; _gat=1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:16:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=bfff7d77abbalj4hu7pe2tq825; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Length: 654
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<VAST version="2.0">
<Ad id="1"><Wrapper><AdSystem>1</AdSystem><VASTAdTagURI><![CDATA[hXXp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.ivids.net/4.html&contentLength=[CONTENT_LENGTH]]]></VASTAdTagURI><Impression><![CDATA[hXXp://z.frightenedomniscient.info/chki.php?ww=tremor&aa=hXXp://VVV.ivids.net/4.html&lrp=937115&TIMESTAMP=2700345958]]></Impression><Creatives></Creatives></Wrapper></Ad>
</VAST>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 10 Oct 2016 14:12:19 GMT
ETag: W/"144-1446243360000"
Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive

<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
GET /ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 4&mediaDesc=Entertainment videos ivids.net - 4&mediaId=2&mediaUrl=hXXp://VVV.ivids.net/4.html&srcPageUrl=hXXp://VVV.ivids.net/4.html&contentLength=300 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Date: Mon, 10 Oct 2016 14:12:19 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; Domain=.tremorhub.com; Expires=Tue, 10-Oct-2017 20:00:40 GMT; Path=/
Set-Cookie: tvrg_60409="1,1476108740"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Mon, 10-Oct-2016 14:13:20 GMT; Path=/
Vary: Accept-Encoding
x-tremorvideo-status: NO_AD
Content-Length: 528
Connection: keep-alive
<<< skipped >>>
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.898047264.1476108739; _gat=1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 22:18:43 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Mon, 11 Sep 2017 22:18:43 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /report1.php?url=/ivids/page-4.html?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:15:43 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1476108738000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:15:44 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /report1.php?url=/ivids/page-4.htm?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:15:45 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1476108738000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:15:45 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /count.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.shanaluby.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:14 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<meta http-equiv="refresh" content="300">
GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
HTTP/1.1 303 See Other
Date: Mon, 10 Oct 2016 14:12:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=825&c=000000ffffff&p=
Set-Cookie: uid=CgH9I1f7ob07UHhcUQKPAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/

0
GET /draw/?w=colored&n=825&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: uid=CgH9I1f7ob07UHhcUQKPAg==
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Mon, 10 Oct 2016 14:12:14 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Wed, 09 Nov 2016 14:12:14 GMT
Cache-Control: max-age=2592000
<<< skipped >>>
GET /page-4.html?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:14 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com

e5c
<img src="hXXp://109.201.148.40/report1.php?url=/ivids/page-4.html?lid=937115" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://ivids.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://ivids.net/1.js"></script><form action="hXXp://VVV.ivids.net/page-2.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>
<form action="hXXp://VVV.ivids.net/page-4.htm" method="get" name="redirect1"><input type="hidden" name="lid" value="937115"></form><script type="text/javascript"> if (top.location!= self.location) { document.forms['redirect1'].submit();}</script><script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floor(Math.random()*items.length)];
var ffile = "hXXp://thm.vidvib.com/abcd.mp4";
jwplayer('ova-jwplayer-container').setup({
 "flashplayer": "hXXp://ivids.net/player1.swf",
"file": ffile,<<< skipped >>>
GET /page-4.htm?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:15 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com

e5d
<img src="hXXp://109.201.148.40/report1.php?url=/ivids/page-4.htm?lid=937115" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://ivids.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://ivids.net/1.js"></script><form action="hXXp://VVV.ivids.net/page-2.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>
<script type="text/javascript"> if (top.location!= self.location) { var rc = document.referrer.split('/')[2];if (rc == window.location.hostname) { document.write('<div id="ova-jwplayer-container" style="position:absolute; top:0px; left:0px;width:300px;height:250px;"></div>');}}</script>
<script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floor(Math.random()*items.length)];
var ffile = "hXXp://thm.vidvib.com/abcd.mp4";
jwplayer('ova-jwplayer-container').setup({
 "flashplayer": "hXXp://ivid<<< skipped >>>
GET /css1.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1476108739.988BBF935A314F24CB8B433DF0A0F47C.1.1.1.1.1.1.1.1.1; _ga=GA1.2.898047264.1476108739; _gat=1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:16 GMT
Content-Type: text/css
Content-Length: 1963
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 10 Nov 2014 09:13:53 GMT
ETag: "a1af7-7ab-5077d94d75640"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes

A
{
COLOR: #000000;
TEXT-DECORATION: none;
}
A:link
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
A:visited
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
A:hover
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
table
{
FONT-SIZE: 10px;
FONT-FAMILY: verdana, Arial, Helvetica, sans-serif;
}
td {font-family:Verdana;font-size:8.5pt}
.body {
BACKGROUND-COLOR: #ffffff;
margin-left: 10%;
margin-right: 10%;
border: 0px solid #979696;
}
.topmenu {
BACKGROUND-COLOR: #eeeeee;
border-bottom: 1px solid #B5B5B5;
height: 35px;
}
.topmenufont
{
COLOR: #B5B5B5;
TEXT-DECORATION: none;
}
.topmenufont:link
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.topmenufont:visited
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.topmenufont:hover
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.logo {
b<<< skipped >>>
GET /img/lbg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1476108739.988BBF935A314F24CB8B433DF0A0F47C.1.1.1.1.1.1.1.1.1; _ga=GA1.2.898047264.1476108739; _gat=1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:16 GMT
Content-Type: image/png
Content-Length: 200
Connection: keep-alive
Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT
ETag: "a1c85-c8-4ebb56fac1880"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 13:18:51 GMT
Expires: Mon, 10 Oct 2016 15:18:51 GMT
Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 3202
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /r/collect?v=1&_v=j47&a=502135443&t=pageview&_s=1&dl=http://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=105937041&cid=1804277147.1476108736&tid=UA-74694740-5&_r=1&z=1491126877 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 10 Oct 2016 14:12:14 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GET /r/collect?v=1&_v=j47&a=428035676&t=pageview&_s=1&dl=http://VVV.ivids.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=571548201&cid=898047264.1476108739&tid=UA-74694740-2&_r=1&z=335293882 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Mon, 10 Oct 2016 14:12:16 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GET /itd.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:14 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
 var nameEQ = name + "=";
 var ca = document.cookie.split(';');
 for(var i=0;i < ca.length;i++) {
  var c = ca[i];
  while (c.charAt(0)==' ') c = c.substring(1,c.length);
  if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
 return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
//-->
</script>
<meta http-equiv="refresh" content="300">
</html>
<<< skipped >>>
GET /index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ortaconde.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 902
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Mon, 10 Oct 2016 14:12:13 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 9e2316f9bf6c03b8640526708b3cdb00.cloudfront.net (CloudFront)
X-Amz-Cf-Id: BCFY2rSsAbVXCsj2YQ75krUjqtDoMQKZRcXLQgutTw4oTpSbJeMhlQ==
<<< skipped >>>
GET /func.js?r=5 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ortaconde.pw/index5.php?id=14A1a7RqqX69MveTBK2t&date=2016-08-21&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ortaconde.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Sun, 09 Oct 2016 21:02:22 GMT
Vary: Accept-Encoding
X-Cache: RefreshHit from cloudfront
Via: 1.1 9e2316f9bf6c03b8640526708b3cdb00.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xXLU3WE4cqH0KIFJGJqZDEjsZU7gIAYG66tBRnLHRQKV2xC5Tr9tJQ==
<<< skipped >>>
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 22:18:42 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Mon, 10 Oct 2016 22:18:42 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 130
Connection: keep-alive
Date: Wed, 21 Sep 2016 06:31:31 GMT
Last-Modified: Thu, 04 Dec 2014 23:41:04 GMT
ETag: "2cf4c5e3d4c1206209355ac1065b0efc"
Accept-Ranges: bytes
Server: AmazonS3
Age: 70753
X-Cache: Hit from cloudfront
Via: 1.1 6625a25624e2ac55fd07e02ce5789976.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _-AlpewskLRZ-WBYc1xeoxX-BD9G9sVR5tDYDuH36FMxTqiG5C47sg==

<?xml version="1.0" ?>
<cross-domain-policy>
  <!-- Very Liberal -->
  <allow-access-from domain="*" />
</cross-domain-policy>
GET /static/noad.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 73
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:04:53 GMT
Last-Modified: Thu, 04 Dec 2014 23:38:15 GMT
ETag: "074455bdeaf186ffa7b220bc14965cd5"
Accept-Ranges: bytes
Server: AmazonS3
Age: 70752
X-Cache: Hit from cloudfront
Via: 1.1 6625a25624e2ac55fd07e02ce5789976.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Z-dkb5dlZ9IyX8lJf2Ld39ia9OQhspkJbFC73sNO1Ld9AoqKaykrzg==

<VAST version="2.0" t:status="NO_AD" xmlns:t="hXXp://tremorhub.com/ssp"/>
GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Mon, 10 Oct 2016 14:12:18 GMT
Etag: "3015243340"
Expires: Mon, 17 Oct 2016 14:12:18 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
<<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 10 Oct 2016 14:12:21 GMT
ETag: W/"144-1446243360000"
Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive

<?xml version="1.0" ?>
<cross-domain-policy>
  <!-- Very Liberal -->
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=1,centro,thetradedesk,SundaySky,rocketfuel,beeswax,appnexus,adapTV,dataxu,eyeview,google,ignitionone,BidTheatre,Bidswitch,audiencescience,_dmp_turbine,dynadmic,videoamp,mediamath,conversant,tremornet,TapAd,TubeMogul-GP&uid=e14d064d7c6f4cd5a1b394203ad968a4&init=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:20 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:20 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 521
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:21 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 488
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:22 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 519
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:22 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:23 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 462
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:23 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 481
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:24 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 487
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:24 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:24 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:25 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 429
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:25 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 436
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:26 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 454
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:27 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 429
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:27 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:28 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:29 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 414
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:28 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 422
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:29 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 377
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:30 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 378
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=videoamp,TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:31 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 421
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=TapAd,_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:31 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 422
Connection: keep-alive
GET /syncnoad?rid=bec5ee24ab8b4d6489e10652ba103720&p=_dmp_turbine&uid=e14d064d7c6f4cd5a1b394203ad968a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e14d064d7c6f4cd5a1b394203ad968a4; tvrg_60409="1,1476108740"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Mon, 10 Oct 2016 14:12:32 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d3ff0cde4a728de158ea17165e832100c1476108733; is_unique=sc10114910.1476108733.0; is_visitor_unique=1476108733343882628
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 14:12:16 GMT
Server: PWS/8.1.41.3
X-Px: ht h0-s1117.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Mon, 10 Oct 2016 22:21:16 GMT
Age: 13860
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive...........]{s....*....F.,.-..o..M6....$...eQ$%s,.Z..c-}..u7@..<3{u
<<< skipped >>>
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 22:18:42 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Mon, 10 Oct 2016 22:18:42 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2016 22:18:40 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Mon, 11 Sep 2017 22:18:40 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape(
'
okEy
tonawanda.exe_308:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd7.tmp\ExecCmd.dll
"%Program Files%\verbiage\aegis.exe"
ecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd7.tmp
nsd7.tmp
rogram Files\verbiage\aegis.exe"
q aegis.exe" | %SystemRoot%\System32\find /I "aegis.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd7.tmp
"%Program Files%\perfect\tonawanda.exe"
%Program Files%\perfect
tonawanda.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\perfect\tonawanda.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
fect\tonawanda.exe"
rbiage\aegis.exe"
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"southpaw" = "%Program Files%\verbiage\aegis.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"medal" = "%Program Files%\verbiage\aegis.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hern" = "%Program Files%\verbiage\aegis.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"manzano" = "%Program Files%\verbiage\aegis.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"swampscott" = "%Program Files%\verbiage\aegis.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tonawanda" = "%Program Files%\perfect\tonawanda.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.