Dropped.Trojan.Generic.17338822_b1f3420229
Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b1f342022972160628e55f97bc8be5cc
SHA1: af9e777c9a6c8d6a3605ce8a2d1023e420805526
SHA256: 7cfe9716b1b58fa05f3fc6e7bb6eaa84377da150213816dcc9e09592b238e76d
SSDeep: 24576:N6XaRVIKYib61W0YA0lgdyd9WO6ACa4Xbh:MXaRVIi6M0RvQvWOC3bh
Size: 790492 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
In this run the sample behaves as an NSIS-built dropper: the System.dll, ShellLink.dll, AccessControl.dll, ExecCmd.dll and SimpleFC.dll files written under %Temp%\ns*.tmp are standard NSIS installer plugins, which matches the Trojan.NSIS.* detection name. It drops gaines.exe, nephrology.exe, 82361163.exe and 42887.exe, registers gaines.exe and nephrology.exe under the HKCU and HKLM Run keys, adds a Startup-folder shortcut (ammonite.lnk), writes to %System%\drivers\etc\hosts, and sets the Windows Defender policy value DisableAntiSpyware to 1. The dropped gaines.exe then retrieves web content (JW Player files, ad-sync XML, tracking cookies; see the IE cache entries under File activity). The repeated tasklist.exe / find.exe pairs alongside taskkill.exe are consistent with the common tasklist | find idiom for checking whether a given process is running before killing it.
Payload
No specific payload has been found by the automated analysis; the persistence, hosts-file and Defender-policy changes listed under File activity and Registry activity are the observable effects of this sample.
Process activity
The Dropped creates the following process(es):
taskkill.exe:616
taskkill.exe:1056
%original file name%.exe:1156
tasklist.exe:1788
tasklist.exe:1168
tasklist.exe:1900
tasklist.exe:1816
tasklist.exe:1536
tasklist.exe:1072
tasklist.exe:1500
tasklist.exe:356
tasklist.exe:1468
tasklist.exe:348
tasklist.exe:816
tasklist.exe:408
tasklist.exe:1176
tasklist.exe:1272
tasklist.exe:1860
tasklist.exe:268
tasklist.exe:868
tasklist.exe:1824
tasklist.exe:1240
tasklist.exe:1388
tasklist.exe:1108
82361163.exe:1032
nephrology.exe:776
42887.exe:1108
find.exe:1236
find.exe:1716
find.exe:1964
find.exe:1256
find.exe:1468
find.exe:1376
find.exe:280
find.exe:548
find.exe:1176
find.exe:584
find.exe:580
find.exe:612
find.exe:616
find.exe:1796
find.exe:1936
find.exe:264
find.exe:220
find.exe:1608
find.exe:948
find.exe:1976
find.exe:1472
find.exe:2008
The Dropped injects its code into the following process(es):
gaines.exe:284
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1156 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\AccessControl.dll (13 bytes)
%WinDir%\gaines.exe (4854 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ammonite.lnk (461 bytes)
%Program Files%\limps\nephrology.exe (1044 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\ShellLink.dll (4 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\adela\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\42887.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%WinDir%\settings.dll (11007 bytes)
%Program Files%\adela\gaines.exe (4854 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\82361163.exe (3148 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Program Files%\adela\settings.dll (11007 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\ShellLink.dll (0 bytes)
The process 82361163.exe:1032 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (5289 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
The process nephrology.exe:776 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp7.tmp\ExecCmd.dll (4 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss6.tmp (0 bytes)
The process 42887.exe:1108 makes changes in the file system.
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (0 bytes)
The process gaines.exe:284 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA2701U7.xml (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAUFKHMN.xml (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[6].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[2].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (591 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA1OWAEE.xml (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[8].xml (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CATC2TXR.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CALHTYJP.xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (602 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAYD9KIN.xml (718 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAUJKHI3.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (690 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[5].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[8].xml (591 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[6].xml (711 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bgg[1].png (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAPKNZOK.xml (868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[7].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[6].xml (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jwplayer1[1].js (76369 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-2[1].htm (4947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[6].xml (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\player1[1].swf (15001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (12689 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAA6HVL1.xml (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[2].png (723 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sxx (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[7].xml (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYV8TMV.xml (689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[5].xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (745 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\analytics[1].js (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\page-2[1].htm (4544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[7].xml (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGL2V4X.xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CACHC5U3.xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[7].xml (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAULSXPE.xml (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (567 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAC1M74H.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA4POVBA.xml (797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAKDQ3OH.xml (699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA6HQD0R.xml (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ova-jw[1].swf (37965 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[2].txt (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA9YN3SF.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\count[1].htm (47 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-2[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAC1M74H.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (0 bytes)
Registry activity
Note: the HKLM\SOFTWARE\Microsoft\Cryptography\RNG "Seed" values, the Explorer\MountPoints2 "BaseClass" values and the Explorer\Shell Folders paths listed below are written by Windows itself (CryptoAPI reseeding, and the shell resolving drives and special folders) whenever a process touches those subsystems; they appear under tasklist.exe, find.exe and taskkill.exe as well and are not indicators for this sample. The entries that matter are the Run-key autoruns and the Windows Defender policy value; on the Windows XP SP3 analysis image Defender is not installed by default, so that policy change would only take effect on a host where it is.
The process taskkill.exe:616 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E C5 C6 68 BE 15 DC F2 E4 7B AE 50 0E 5D 73 42"
The process taskkill.exe:1056 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 2A CF A8 E8 F8 38 E4 03 4F 11 1C 6A 03 81 F8"
The process %original file name%.exe:1156 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA CA 6C BD 1C 6E 5F E4 09 32 C6 DA 92 16 0B 96"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Dropped adds the following entries pointing to its dropped file(s) under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"centerline" = "%Program Files%\adela\gaines.exe"
"watercourse" = "%Program Files%\adela\gaines.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"besse" = "%Program Files%\adela\gaines.exe"
"sard" = "%Program Files%\adela\gaines.exe"
The process tasklist.exe:1788 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D7 5D 2A D8 F9 2B 73 32 20 EF AF 3E 05 23 1F"
The process tasklist.exe:1168 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 A5 87 C2 54 E6 9C 85 62 82 E5 C4 93 26 F2 44"
The process tasklist.exe:1900 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 91 69 75 08 59 BC 7B 26 74 D0 5C 24 B7 84 50"
The process tasklist.exe:1816 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 59 91 3F 50 8A 2F 29 3B B1 44 C3 2D AE 15 17"
The process tasklist.exe:1536 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 A4 C1 D5 20 42 C8 77 97 37 50 9F 59 63 25 37"
The process tasklist.exe:1072 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 5D F5 7A CE 84 E9 27 76 D2 3C 9D 8B 19 3F 5B"
The process tasklist.exe:1500 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 5D 0D 3F E9 72 B7 AB 24 98 6D AB C9 89 15 96"
The process tasklist.exe:356 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 E1 4C 93 1D D3 CE D5 4C 8F CE 87 18 7F E6 5B"
The process tasklist.exe:1468 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 04 87 63 D1 21 76 84 0A 06 6D 56 AD 95 39 B4"
The process tasklist.exe:348 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 3F CD 1D 21 4D 38 95 64 83 A8 A1 F1 E4 78 76"
The process tasklist.exe:816 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 08 F1 F7 6A 7C D9 D5 04 0D E0 6C AD 05 AB B3"
The process tasklist.exe:408 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF C2 93 DC 69 E7 B9 4B 10 33 0F 0F 50 B6 12 07"
The process tasklist.exe:1176 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 B5 87 9F E6 34 83 A1 DD 77 31 94 B8 F3 1A 2F"
The process tasklist.exe:1272 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 22 02 0F AC 8F 01 99 DD 42 56 11 31 3F C4 06"
The process tasklist.exe:1860 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 3A 95 39 F3 22 65 3A 84 20 68 65 33 0F 10 7F"
The process tasklist.exe:268 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 4C EA FD 94 88 BB F9 C6 22 4B 49 09 B1 07 52"
The process tasklist.exe:868 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 05 36 DE 48 90 87 02 6A 5E 16 F3 A8 41 B8 AA"
The process tasklist.exe:1824 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 A0 E5 22 47 41 A3 1B 71 43 CC F0 13 61 C5 EE"
The process tasklist.exe:1240 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 41 9A E7 60 EF D1 E6 3B 4C F5 F4 FF D8 26 47"
The process tasklist.exe:1388 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 96 8D 53 7C E7 80 E1 73 7F 30 24 92 55 12 56"
The process tasklist.exe:1108 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 81 94 4B 6A 14 C4 90 4A F1 77 0C 66 A8 09 0D"
The process 82361163.exe:1032 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 37 82 6F 8A 3F CA AA 6E 88 88 74 AD D9 F3 61"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nephrology.exe:776 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E A9 43 25 1B C7 11 8D C8 98 AC 40 74 67 5B 75"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Dropped adds the following entries pointing to its dropped file(s) under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"chevaux" = "%Program Files%\adela\gaines.exe"
"nephrology" = "%Program Files%\limps\nephrology.exe"
The process 42887.exe:1108 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF A7 88 CE 73 ED 11 78 1D 70 99 40 C0 68 B6 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
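The File activity and Registry activity sections above are long and mostly noise. The following is an added example, not part of the Lavasoft report or of the sample, showing how a responder can parse this report format, label each entry (autorun, Startup-folder shortcut, hosts-file write, Defender policy, NSIS plugin temp files, dropped binaries, browser cache) and discard the RNG Seed, MountPoints2 and Shell Folders values that Windows writes on its own. The label names and the SAMPLE_REPORT excerpt are this example's own constructions; the excerpt follows the report's format and is built from entries that appear on this page.

```python
"""Triage helper for Lavasoft-style sandbox reports (added example, not part of
the original report): parse the File activity / Registry activity blocks,
label each record, and drop the registry values Windows writes by itself."""
import re
from collections import namedtuple

# Constructed excerpt in this report's format, built from entries on this page.
SAMPLE_REPORT = r"""File activity
The process %original file name%.exe:1156 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%WinDir%\gaines.exe (4854 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ammonite.lnk (461 bytes)
%System%\drivers\etc\hosts (123 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (0 bytes)
The process gaines.exe:284 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (545 bytes)
Registry activity
The process tasklist.exe:1788 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D7 5D 2A D8 F9 2B 73 32 20 EF AF 3E 05 23 1F"
The process %original file name%.exe:1156 makes changes in the system registry.
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"besse" = "%Program Files%\adela\gaines.exe"
The process 42887.exe:1108 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
"""

PROC_RE = re.compile(r"^The process (.+?) makes changes in the (file system|system registry)\.$")
FILE_RE = re.compile(r"^(.+) \((\d+) bytes\)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)" = "(.*)"$')

# Values Windows writes on its own (CryptoAPI reseeding, shell drive/folder lookups);
# they also appear under tasklist.exe and find.exe in this report.
NOISE_KEYS = ("\\cryptography\\rng\\seed", "\\explorer\\mountpoints2\\", "\\explorer\\shell folders\\")
BROWSER_PATHS = ("\\temporary internet files\\", "\\cookies\\", "\\history.ie5\\", "\\macromedia\\flash player\\")

# process: "gaines.exe:284"; kind: file_write / file_delete / registry;
# target: path or key\value-name; detail: byte count or registry data
Record = namedtuple("Record", "process kind target detail")

def parse_report(text):
    """Walk the report line by line, tracking the current process and block type."""
    records, process, kind, key = [], None, None, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            process, kind, key = m.group(1), None, None
        elif line.startswith("The Dropped creates and/or writes"):
            kind = "file_write"
        elif line.startswith("The Dropped deletes"):
            kind = "file_delete"
        elif line.startswith(("The Dropped creates and/or sets", "To automatically run")):
            kind = "registry"
        elif kind == "registry":
            if (m := KEY_RE.match(line)):
                key = m.group(1)
            elif key and (m := VAL_RE.match(line)):
                records.append(Record(process, kind, key + "\\" + m.group(1), m.group(2)))
        elif kind in ("file_write", "file_delete"):
            if (m := FILE_RE.match(line)):
                records.append(Record(process, kind, m.group(1), m.group(2)))
    return records

def classify(rec):
    """Label one record; the NSIS check runs before the generic .exe/.dll check."""
    t = rec.target.lower()
    if rec.kind == "registry":
        if any(n in t for n in NOISE_KEYS):
            return "sandbox_noise"
        if "\\currentversion\\run\\" in t or "\\currentversion\\runonce\\" in t:
            return "autorun"
        if "\\policies\\microsoft\\windows defender\\" in t:
            return "security_policy"
        return "other"
    if t.endswith("\\drivers\\etc\\hosts"):
        return "hosts_file"
    if "\\start menu\\programs\\startup\\" in t:
        return "startup_folder"
    if re.search(r"\\ns[a-z]\d+\.tmp(\\|$)", t):  # NSIS $PLUGINSDIR under %Temp%
        return "nsis_plugin"
    if any(n in t for n in BROWSER_PATHS):
        return "browser_cache"
    if t.endswith((".exe", ".dll")):
        return "dropped_binary"
    return "other"

def triage(text):
    """Records grouped by label, with Windows' own registry noise removed."""
    grouped = {}
    for rec in parse_report(text):
        label = classify(rec)
        if label != "sandbox_noise":
            grouped.setdefault(label, []).append(rec)
    return grouped
```

Run `triage(open("report.txt").read())` on the full page text to get a dictionary keyed by label; for this sample the autorun, startup_folder, hosts_file and security_policy groups are the entries worth turning into host checks, while nsis_plugin and browser_cache explain the rest of the file activity without being indicators themselves.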
The process find.exe:1236 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 AC B3 5D 58 DD 96 5C 5B 34 91 1E FE E4 68 2B"
The process find.exe:1716 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 12 68 26 18 54 97 8C 00 3B 2C AD FE 86 22 1B"
The process find.exe:1964 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 DA BA 41 B1 DD 19 96 2E E9 7C A7 3E 2C B0 E4"
The process find.exe:1256 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 7F 67 A0 14 2C AF 0C DE E1 EB E6 9F 15 7B 40"
The process find.exe:1468 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 C7 F3 9A FC 8E 08 37 66 02 89 EE CC C1 45 A1"
The process find.exe:1376 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 BC 34 BB C1 4B F9 74 83 33 2B 90 34 23 9F 71"
The process find.exe:280 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 4A 52 EB 0C A0 FF 7E 0D CC 0D F7 46 18 25 B0"
The process find.exe:548 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 40 9D 87 62 10 54 6F B4 D9 E3 59 9A A0 AB 93"
The process find.exe:1176 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 05 BA 85 FE 75 67 91 37 07 EE 1D A0 E5 75 70"
The process find.exe:584 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 19 24 D0 C7 10 3E 71 94 E0 47 48 DC 2B AD DA"
The process find.exe:580 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 D8 15 A4 AF CE 70 5C BA 03 7D 0E 79 64 BD E3"
The process find.exe:612 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 6D D2 89 D9 CE A6 F2 E3 E9 85 2E 14 09 8B 28"
The process find.exe:616 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 D7 B3 0D 6E 59 88 7D 48 B4 8C 49 C2 DC 81 B1"
The process find.exe:1796 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 E7 6E 6A 0D D8 27 99 82 0F D7 F0 15 98 2D 41"
The process find.exe:1936 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 0A 46 72 D4 CE 98 EE D8 93 64 D4 BB BB 6A 5D"
The process find.exe:264 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 55 EA 1A 3D 0D DC 4E 0B B1 EC 4D 75 5A D8 68"
The process find.exe:220 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 61 17 F7 A8 45 14 5B 11 67 30 D1 23 C6 4A 2B"
The process find.exe:1608 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 D4 6B 31 F9 77 BA 61 3E 83 AF E9 F6 ED CB 85"
The process find.exe:948 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 5C 36 AC 93 6B FB 48 7B 6E B0 E6 AF 55 EC AA"
The process find.exe:1976 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 63 12 D2 85 DF 83 07 18 7F FA 28 72 6E B9 39"
The process find.exe:1472 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 6F 17 AE 65 EF A7 D6 8D 3D DD 81 70 92 71 B6"
The process find.exe:2008 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 D7 8A 72 41 42 3A F5 D2 EA CF 7B 79 6C FF 14"
The process gaines.exe:284 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090720160908]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090720160908]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 8A 03 C5 87 AC B4 C9 31 36 7E 89 A3 52 69 12"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090720160908]
"CachePrefix" = ":2016090720160908:"
"CacheOptions" = "11"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016090720160908\"
The Dropped modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 6351426f5922b23dd580621eee7b681c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\42887.exe |
| 508f058119c5957ee21c4651435b371b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\82361163.exe |
| b9380b0bea8854fd9f93cc1fda0dfeac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp7.tmp\ExecCmd.dll |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\Program Files\adela\Microsoft.Win32.TaskScheduler.dll |
| 480e11f1cb20f4f578665d20d2da0309 | c:\Program Files\adela\gaines.exe |
| d5358855bda542b0edbb385e58945cfe | c:\Program Files\adela\settings.dll |
| 5a09dce9da45f5de4e34a5239e4f9cca | c:\Program Files\limps\nephrology.exe |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll |
| 480e11f1cb20f4f578665d20d2da0309 | c:\WINDOWS\residentially.exe |
| d5358855bda542b0edbb385e58945cfe | c:\WINDOWS\settings.dll |
HOSTS file anomalies
The Dropped modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 857 bytes in size. The following entries are added to the hosts file:
| 162.222.194.13 | cocomo.tremorhub.com |
| 162.222.194.13 | www.virustotal.com |
| 162.222.194.13 | virustotal.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 86016 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 278528 | 2536 | 2560 | 3.13622 | b9f20defc9dd650d8dcc7fc5d4708ad4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 81
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Outdated Windows Flash Version IE
Traffic
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.everclips.net/page-2.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.374620636.1473224089; _gat=1
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 13:00:41 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Wed, 09 Aug 2017 13:00:41 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 13:00:41 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Wed, 07 Sep 2016 13:00:41 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /draw/?w=colored&n=1067&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: uid=CgH9HlfPnaeh9XoIHlfqAg==
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Wed, 07 Sep 2016 04:55:04 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Fri, 07 Oct 2016 04:55:04 GMT
Cache-Control: max-age=2592000
<<< skipped >>>
GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.374620636.1473224089; _gat=1
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 13:00:42 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Wed, 09 Aug 2017 13:00:42 GMT
Connection: close
Content-Type: application/x-shockwave-flash
[compressed SWF (CWS) data omitted] <<< skipped >>>
GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.everclips.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473224089.04D6997BDB6C4FA87FC9C9DCBD11994D.1.1.1.1.1.1.1.1.1; _ga=GA1.2.374620636.1473224089; _gat=1
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:06 GMT
Content-Type: image/png
Content-Length: 2813
Connection: keep-alive
Last-Modified: Sat, 01 Nov 2014 03:24:47 GMT
ETag: "a1d83-afd-506c3a7ca5dc0"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes
[binary PNG image data omitted] <<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 07 Sep 2016 04:55:09 GMT
ETag: W/"144-1446501138000"
Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 2&mediaDesc=Entertainment videos at everclips.net - 2&mediaId=2&mediaUrl=hXXp://VVV.everclips.net/2.html&srcPageUrl=hXXp://VVV.everclips.net/2.html&contentLength=300 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Date: Wed, 07 Sep 2016 04:55:09 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; Domain=.tremorhub.com; Expires=Thu, 07-Sep-2017 10:43:30 GMT; Path=/
Set-Cookie: tvrg_60409="1,1473224110"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Wed, 07-Sep-2016 04:56:10 GMT; Path=/
Vary: Accept-Encoding
x-tremorvideo-status: NO_AD
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed response body omitted] <<< skipped >>>
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 13:00:40 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Wed, 07 Sep 2016 13:00:40 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /count.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.clangburkitt.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:04 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<meta http-equiv="refresh" content="300">
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 130
Connection: keep-alive
Date: Thu, 26 May 2016 04:32:57 GMT
Last-Modified: Thu, 04 Dec 2014 23:41:04 GMT
ETag: "2cf4c5e3d4c1206209355ac1065b0efc"
Accept-Ranges: bytes
Server: AmazonS3
Age: 36288
X-Cache: Hit from cloudfront
Via: 1.1 926c5f53581f4e2717deb4e0fac4efc6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: n2njCR2sH7XB0E0VE2_Br1jk_2VYHbbJdaY8E-ykFbEUYC5gult9Rg==
<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" />
</cross-domain-policy>
GET /static/noad.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 73
Connection: keep-alive
Date: Thu, 26 May 2016 04:30:14 GMT
Last-Modified: Thu, 04 Dec 2014 23:38:15 GMT
ETag: "074455bdeaf186ffa7b220bc14965cd5"
Accept-Ranges: bytes
Server: AmazonS3
Age: 68558
X-Cache: Hit from cloudfront
Via: 1.1 926c5f53581f4e2717deb4e0fac4efc6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: z31EySQ0V-3sIGT2XRJTkko4-tVU6UZbUe8t3MMQjP7kIccXJe9Amw==
<VAST version="2.0" t:status="NO_AD" xmlns:t="hXXp://tremorhub.com/ssp"/>
GET /itd.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:04 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
 var nameEQ = name + "=";
 var ca = document.cookie.split(';');
 for(var i=0;i < ca.length;i++) {
 var c = ca[i];
 while (c.charAt(0)==' ') c = c.substring(1,c.length);
 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
 return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
//-->
</script>
<meta http-equiv="refresh" content="300">
</html>
GET /page-2.html?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.everclips.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
e58
<img src="hXXp://109.201.148.40/report1.php?url=/everclips/page-2.html?lid=937115" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://everclips.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://everclips.net/1.js"></script><form action="hXXp://VVV.everclips.net/page-4.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}
</script>
<form action="hXXp://VVV.everclips.net/page-2.htm" method="get" name="redirect1"><input type="hidden" name="lid" value="937115"></form><script type="text/javascript"> if (top.location!= self.location) { document.forms['redirect1'].submit();}</script><script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floor(Math.random()*items.length)];
var ffile = "hXXp://thm.vidvib.com/abcd.mp4";
jwplayer('ova-jwplayer-container').setup({
 "flashplayer": "hXXp://everclips.net/pla<<< skipped >>>
GET /page-2.htm?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.everclips.net/page-2.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.everclips.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:05 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
e59
<img src="hXXp://109.201.148.40/report1.php?url=/everclips/page-2.htm?lid=937115" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://everclips.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://everclips.net/1.js"></script><form action="hXXp://VVV.everclips.net/page-4.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}
</script>
<script type="text/javascript"> if (top.location!= self.location) { var rc = document.referrer.split('/')[2];if (rc == window.location.hostname) {document.write('<div id="ova-jwplayer-container" style="position:absolute; top:0px; left:0px;width:300px;height:250px;"></div>');}}</script>
<script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floor(Math.random()*items.length)];
var ffile = "hXXp://thm.vidvib.com/abcd.mp4";
jwplayer('ova-jwplayer-container').setup({
 "flashpla<<< skipped >>>
GET /style.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.everclips.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473224089.04D6997BDB6C4FA87FC9C9DCBD11994D.1.1.1.1.1.1.1.1.1; _ga=GA1.2.374620636.1473224089; _gat=1
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:06 GMT
Content-Type: text/css
Content-Length: 2406
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Fri, 05 Dec 2014 02:43:45 GMT
ETag: "a23af-966-5096f0ba5fa40"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes
A
{
COLOR: #000000;
TEXT-DECORATION: none;
}
A:link
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
A:visited
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
A:hover
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
table
{
FONT-SIZE: 10px;
FONT-FAMILY: verdana, Arial, Helvetica, sans-serif;
}
td {font-family:Verdana;font-size:8.5pt}
.body {
BACKGROUND-COLOR: #ffffff;
margin-left: 5%;
margin-right: 5%;
border: 0px solid #979696;
}
.topmenu {
BACKGROUND-COLOR: #eeeeee;
border-bottom: 1px solid #B5B5B5;
height: 35px;
}
.topmenufont
{
COLOR: #B5B5B5;
TEXT-DECORATION: none;
}
.topmenufont:link
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.topmenufont:visited
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.topmenufont:hover
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.logo {
bac<<< skipped >>>
GET /img/bgg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.everclips.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473224089.04D6997BDB6C4FA87FC9C9DCBD11994D.1.1.1.1.1.1.1.1.1; _ga=GA1.2.374620636.1473224089; _gat=1
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:06 GMT
Content-Type: image/png
Content-Length: 198
Connection: keep-alive
Last-Modified: Fri, 31 Oct 2014 16:20:09 GMT
ETag: "a1d82-c6-506ba5ee06040"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes
[binary PNG image data omitted]
GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=04D6997BDB6C4FA87FC9C9DCBD11994D&sc_random=0.25085182936845757&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.everclips.net/page-2.html?lid=937115&u=http://VVV.everclips.net/page-2.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: is_unique=sc10114910.1473224104.0; is_visitor_unique=1473224104640332604
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:06 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1473224104.0-10675947.1473224106.0; expires=Mon, 06-Sep-2021 04:55:06 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1473224104640332604; expires=Fri, 07-Sep-2018 04:55:06 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
[binary GIF image data omitted]
GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:55:04 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1473224104.0; expires=Mon, 06-Sep-2021 04:55:04 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1473224104640332604; expires=Fri, 07-Sep-2018 04:55:04 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
[binary GIF image data omitted]
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vi.everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.374620636.1473224089; _gat=1
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:58:53 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 11 Nov 2014 03:08:25 GMT
ETag: "a1b01-52-5078c97abfc40"
Accept-Ranges: bytes
Content-Length: 82
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<cross-domain-policy>
 <allow-access-from domain="*"/>
</cross-domain-policy>
GET /v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hXXp://VVV.everclips.net/2.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos at everclips.net - 2&LR_FORMAT=application/x-shockwave-flash HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vi.everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.374620636.1473224089; _gat=1
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 04:58:53 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=1qo7u8gaqvo2d7r8l87oorvo80; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Length: 684
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<VAST version="2.0">
<Ad id="1"><Wrapper><AdSystem>1</AdSystem><VASTAdTagURI><![CDATA[hXXp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 2&mediaDesc=Watch Entertainment videos at everclips.net - 2&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.everclips.net/2.html&contentLength=[CONTENT_LENGTH]]]></VASTAdTagURI><Impression><![CDATA[hXXp://z.frightenedomniscient.info/chki.php?ww=tremor&aa=hXXp://www.everclips.net/2.html&lrp=937115&TIMESTAMP=5169358157]]></Impression><Creatives></Creatives></Wrapper></Ad>
</VAST>
GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Wed, 07 Sep 2016 04:55:08 GMT
Etag: "3015243340"
Expires: Wed, 14 Sep 2016 04:55:08 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
[binary PNG image data omitted] <<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: we1sb-wwcgk.ads.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 07 Sep 2016 04:55:22 GMT
ETag: W/"144-1446501138000"
Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 02:59:22 GMT
Expires: Wed, 07 Sep 2016 04:59:22 GMT
Last-Modified: Mon, 15 Aug 2016 04:25:11 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 6941
Cache-Control: public, max-age=7200
[gzip-compressed response body omitted] <<< skipped >>>
GET /r/collect?v=1&_v=j46&a=444929402&t=pageview&_s=1&dl=http://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1882943855&cid=901027798.1473224086&tid=UA-74694740-5&_r=1&z=825984649 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 07 Sep 2016 04:55:03 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35

[35-byte GIF89a tracking pixel]
GET /r/collect?v=1&_v=j46&a=1099431110&t=pageview&_s=1&dl=http://VVV.everclips.net/page-2.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1080934410&cid=374620636.1473224089&tid=UA-74694740-2&_r=1&z=484259805 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 07 Sep 2016 04:55:06 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35

[35-byte GIF89a tracking pixel]
GET /index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 905
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Wed, 07 Sep 2016 04:55:03 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 f507e21f7d1fb46eecab2dff9302173f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ZqvE1gYlZAZTD9UUaua1ScmYDDrivgD7jTNd33-VM0Vnnl1IDlS6_g==

[binary gzip HTML body (Content-Length 905), not decodable from the capture; truncated by the analysis system]
GET /func.js?r=5 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=04A0BsRX1Y0iE3IHQSHH&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Fri, 19 Aug 2016 01:35:05 GMT
Vary: Accept-Encoding
X-Cache: RefreshHit from cloudfront
Via: 1.1 f507e21f7d1fb46eecab2dff9302173f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KREgDb_AvGIJcddgm9aag-BLk7nyClI59giIzuPbJFW66qlo6ngcHA==

[binary gzip JavaScript body (Content-Length 597), not decodable from the capture; truncated by the analysis system]
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 07 Sep 2016 04:55:10 GMT
ETag: W/"144-1446501138000"
Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive

<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
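Both crossdomain.xml responses above, from we1sb-wwcgk.ads.tremorhub.com and from partners.tremorhub.com, serve the same policy: `allow-access-from domain="*" secure="false"`. That is the most permissive Flash cross-domain policy possible: any site that can load a SWF may read responses from that host with the victim's cookies attached (here the `tvid` identifier), and `secure="false"` extends the grant to plain-HTTP origins even when the policy is fetched over HTTPS. The checker below is an added example, not code from the report or from Tremor: it parses the captured policy, embedded as `CAPTURED_POLICY`, and flags these rules; `STRICT_POLICY` is a constructed counter-example of what a locked-down file looks like.

```python
"""Audit a Flash/Silverlight crossdomain.xml for over-permissive access rules.

CAPTURED_POLICY is the body served by partners.tremorhub.com in the traffic
log above; STRICT_POLICY is a constructed restrictive example (an assumption,
not something seen in the capture). The audit helper is added example code.
"""
import xml.etree.ElementTree as ET

CAPTURED_POLICY = """<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""

STRICT_POLICY = """<?xml version="1.0" ?>
<cross-domain-policy>
 <site-control permitted-cross-domain-policies="master-only" />
 <allow-access-from domain="cdn.example.com" secure="true" />
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of (severity, message) findings for one policy document."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        # Flash treats a missing 'secure' attribute as true when the policy
        # itself was fetched over HTTPS, so only an explicit "false" is a finding.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append(("high",
                             'allow-access-from domain="*": any origin may read '
                             "responses from this host with the user's cookies"))
        elif domain.startswith("*."):
            findings.append(("medium", f"wildcard subdomain rule: {domain}"))
        if secure == "false":
            findings.append(("medium",
                             f'secure="false" on domain {domain!r}: access is also '
                             "granted to plain-HTTP origins"))

    for hdr in root.iter("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append(("medium",
                             "any origin may send arbitrary request headers"))
    return findings


if __name__ == "__main__":
    for name, policy in (("captured", CAPTURED_POLICY), ("strict", STRICT_POLICY)):
        print(name)
        for severity, message in audit_crossdomain(policy):
            print(f"  [{severity}] {message}")
```

For the captured policy the audit reports the wildcard domain as high and the `secure="false"` attribute as medium; the strict policy produces no findings. When reviewing a capture like this one, the policy matters less for the ad network itself than for the fact that a SWF on any page, including the dropped pages the sample opens, can pull data from that host in the context of the user's `tvid` cookie.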
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=dataxu,beeswax,videoamp,tremornet,SundaySky,Videology,mediamath,Bidswitch,dynadmic,centro,BidTheatre,conversant,thetradedesk,1,TubeMogul-GP,appnexus,ignitionone,google,_dmp_turbine,adapTV,eyeview,rocketfuel&uid=fbd8f5fa3dca48478d863069416c5077&init=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:10 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 496
Connection: keep-alive

[binary gzip XML body (Content-Length 496), not decodable from the capture]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:10 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive

[binary gzip XML body, chunked transfer (first chunk 0x1f5 = 501 bytes), not decodable from the capture; truncated by the analysis system]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:11 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive

[binary gzip XML body, chunked transfer (first chunk 0x1d5 = 469 bytes), not decodable from the capture; truncated by the analysis system]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:11 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 514
Connection: keep-alive

[binary gzip XML body (Content-Length 514), not decodable from the capture; truncated by the analysis system]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:11 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive

[binary gzip XML body, chunked transfer (first chunk 0x1c1 = 449 bytes), not decodable from the capture; truncated by the analysis system]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:12 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 456
Connection: keep-alive

[binary gzip XML body (Content-Length 456), not decodable from the capture]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:13 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 475
Connection: keep-alive

[binary gzip XML body (Content-Length 475), not decodable from the capture; truncated by the analysis system]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:13 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 480
Connection: keep-alive

[binary gzip XML body (Content-Length 480), not decodable from the capture; truncated by the analysis system]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:14 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 490
Connection: keep-alive

[binary gzip XML body (Content-Length 490), not decodable from the capture; truncated by the analysis system]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:14 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 449
Connection: keep-alive

[binary gzip XML body (Content-Length 449), not decodable from the capture]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:15 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 447
Connection: keep-alive

[binary gzip XML body (Content-Length 447), not decodable from the capture]
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:15 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:16 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 421
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:16 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:17 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:17 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:18 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:18 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 417
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=BidTheatre,beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:19 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 371
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=beeswax,videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:20 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 374
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=videoamp,_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:20 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 413
Connection: keep-alive
GET /syncnoad?rid=33b84f6f6940414aabd6aa680ccb3841&p=_dmp_turbine&uid=fbd8f5fa3dca48478d863069416c5077 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=fbd8f5fa3dca48478d863069416c5077; tvrg_60409="1,1473224110"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Wed, 07 Sep 2016 04:55:21 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-2.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 07 Sep 2016 13:00:39 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Wed, 09 Aug 2017 13:00:39 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape('
.text
.rdata
.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp\ExecCmd.dll
"%Program Files%\adela\gaines.exe"
xecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp
nsp7.tmp
rogram Files\adela\gaines.exe"
q gaines.exe" | %SystemRoot%\System32\find /I "gaines.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp
"%Program Files%\limps\nephrology.exe"
%Program Files%\limps
nephrology.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\limps\nephrology.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
ps\nephrology.exe"
dela\gaines.exe"
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:616
taskkill.exe:1056
%original file name%.exe:1156
tasklist.exe:1788
tasklist.exe:1168
tasklist.exe:1900
tasklist.exe:1816
tasklist.exe:1536
tasklist.exe:1072
tasklist.exe:1500
tasklist.exe:356
tasklist.exe:1468
tasklist.exe:348
tasklist.exe:816
tasklist.exe:408
tasklist.exe:1176
tasklist.exe:1272
tasklist.exe:1860
tasklist.exe:268
tasklist.exe:868
tasklist.exe:1824
tasklist.exe:1240
tasklist.exe:1388
tasklist.exe:1108
82361163.exe:1032
nephrology.exe:776
42887.exe:1108
find.exe:1236
find.exe:1716
find.exe:1964
find.exe:1256
find.exe:1468
find.exe:1376
find.exe:280
find.exe:548
find.exe:1176
find.exe:584
find.exe:580
find.exe:612
find.exe:616
find.exe:1796
find.exe:1936
find.exe:264
find.exe:220
find.exe:1608
find.exe:948
find.exe:1976
find.exe:1472
find.exe:2008
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\AccessControl.dll (13 bytes)
%WinDir%\gaines.exe (4854 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ammonite.lnk (461 bytes)
%Program Files%\limps\nephrology.exe (1044 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\ShellLink.dll (4 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\adela\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\42887.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%WinDir%\settings.dll (11007 bytes)
%Program Files%\adela\gaines.exe (4854 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\82361163.exe (3148 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Program Files%\adela\settings.dll (11007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (5289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp7.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA2701U7.xml (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAUFKHMN.xml (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[6].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[2].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (591 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA1OWAEE.xml (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[8].xml (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CATC2TXR.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CALHTYJP.xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (602 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAYD9KIN.xml (718 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAUJKHI3.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (690 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[5].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[8].xml (591 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[6].xml (711 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bgg[1].png (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAPKNZOK.xml (868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[7].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[6].xml (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jwplayer1[1].js (76369 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-2[1].htm (4947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[6].xml (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\player1[1].swf (15001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (12689 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAA6HVL1.xml (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[2].png (723 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sxx (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[7].xml (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYV8TMV.xml (689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[5].xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (745 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\analytics[1].js (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\page-2[1].htm (4544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[7].xml (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGL2V4X.xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CACHC5U3.xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[7].xml (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAULSXPE.xml (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (567 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAC1M74H.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA4POVBA.xml (797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAKDQ3OH.xml (699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA6HQD0R.xml (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ova-jw[1].swf (37965 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[2].txt (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA9YN3SF.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\count[1].htm (47 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"centerline" = "%Program Files%\adela\gaines.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"watercourse" = "%Program Files%\adela\gaines.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"besse" = "%Program Files%\adela\gaines.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sard" = "%Program Files%\adela\gaines.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"chevaux" = "%Program Files%\adela\gaines.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"nephrology" = "%Program Files%\limps\nephrology.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
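The removal steps above can be carried out as one script. The following PowerShell is an added example, not part of the Lavasoft report and not code from the sample's analysis: it removes only the six Run values the report attributes to this sample (and only when their data still points at the dropped gaines.exe or nephrology.exe, so an unrelated value that happens to share a name is reported rather than deleted), backs up the HOSTS file before resetting it to the single default entry given above, clears the Temporary Internet Files cache, and then checks whether the two dropped executables are still on disk. It assumes it is run from an elevated prompt after the processes listed earlier in the report have been terminated; the Wow6432Node key is an assumption for 64-bit hosts (the report was produced on 32-bit XP, where that view does not exist), and the "still present" check is a verification aid, not a step from the report.

```powershell
# Added example: cleanup and verification derived from the report's own IOCs.
# Not part of the Lavasoft report. Run as Administrator after the sample's
# processes (gaines.exe, nephrology.exe, 82361163.exe, 42887.exe) are stopped.
$ErrorActionPreference = 'Stop'

# Run value names from the report, mapped to the tail of the image path they carry.
$runValues = @{
    'centerline'  = 'adela\gaines.exe'
    'watercourse' = 'adela\gaines.exe'
    'besse'       = 'adela\gaines.exe'
    'sard'        = 'adela\gaines.exe'
    'chevaux'     = 'adela\gaines.exe'
    'nephrology'  = 'limps\nephrology.exe'
}

# HKCU and HKLM Run keys as listed in the report; Wow6432Node is an assumption
# for 64-bit systems and is simply skipped where it does not exist.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Remove-ReportedAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $runValues.Keys) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }
            # Delete only when the data really points at the dropped file.
            if ($prop.Value -like "*\$($runValues[$name])*") {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "removed $key\$name -> $($prop.Value)"
            } else {
                Write-Warning "$key\$name exists but points elsewhere: $($prop.Value)"
            }
        }
    }
}

function Restore-HostsFile {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Test-Path $hosts)) { Write-Warning "hosts file missing: $hosts"; return }
    # Keep a timestamped copy: any entries the sample added show what it redirected.
    $backup = "$hosts.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $hosts -Destination $backup
    $extra = Get-Content $hosts | Where-Object {
        $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$'
    }
    if ($extra) {
        Write-Warning "non-default hosts entries (saved in $backup):`n$($extra -join "`n")"
    }
    # Clear read-only/hidden attributes some droppers set, then write the default entry.
    (Get-Item $hosts -Force).Attributes = 'Normal'
    Set-Content -Path $hosts -Value '127.0.0.1 localhost' -Encoding Ascii
}

function Clear-TemporaryInternetFiles {
    # Resolves to 'Local Settings\Temporary Internet Files' on XP, INetCache later.
    $cache = [Environment]::GetFolderPath('InternetCache')
    Get-ChildItem -Path $cache -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -notin @('desktop.ini', 'index.dat') } |
        Remove-Item -Force -ErrorAction SilentlyContinue
}

function Test-DroppedFiles {
    # Paths taken from the Run value data in the report.
    $paths = @(
        (Join-Path $env:ProgramFiles 'adela\gaines.exe'),
        (Join-Path $env:ProgramFiles 'limps\nephrology.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path $p) { Write-Warning "still present, delete before reboot: $p" }
    }
}

Remove-ReportedAutoruns
Restore-HostsFile
Clear-TemporaryInternetFiles
Test-DroppedFiles
Write-Output 'Reboot the computer to complete removal.'
```

The `-notin` operator requires PowerShell 3.0 or later; on an XP host with PowerShell 2.0 replace that test with `@('desktop.ini', 'index.dat') -notcontains $_.Name`. Check the warnings the script prints before rebooting: a Run value that points somewhere other than the dropped files, or a hosts entry beyond the default, is evidence the machine has more on it than this report describes.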