Dropped.Trojan.Generic.17338822_ca004345bd
Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: ca004345bdd1cb292744ed711de04d19
SHA1: e5f496443437ab4b5925522828ae35d41666c64e
SHA256: 2fe27213ce3ec941933dc2d22215134f2cf9a3715069a8158c6456ff56c377e2
SSDeep: 12288:N4Scb8PTwNxf5M5X7e0fNTupzl5IXvvj dABad1BDWlg9OS1MWQDqmcAc2nuaWHY:NhSV6UA65l5w J14lgd1MWO6ACa4oB5
Size: 790465 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
taskkill.exe:216
taskkill.exe:1956
retorts.exe:248
50159.exe:664
%original file name%.exe:188
tasklist.exe:568
tasklist.exe:216
tasklist.exe:1268
tasklist.exe:916
tasklist.exe:1316
tasklist.exe:1168
tasklist.exe:452
tasklist.exe:664
tasklist.exe:616
tasklist.exe:576
tasklist.exe:1276
tasklist.exe:1288
tasklist.exe:1372
tasklist.exe:740
tasklist.exe:1480
tasklist.exe:1748
tasklist.exe:1952
tasklist.exe:1928
tasklist.exe:1884
tasklist.exe:348
49599767.exe:1656
find.exe:216
find.exe:1164
find.exe:880
find.exe:1300
find.exe:628
find.exe:608
find.exe:1088
find.exe:1268
find.exe:1160
find.exe:1424
find.exe:1772
find.exe:508
find.exe:1656
find.exe:936
find.exe:1312
find.exe:1132
find.exe:228
find.exe:1804
find.exe:1480
find.exe:1388
find.exe:648
find.exe:1740
find.exe:516
The Dropped injects its code into the following process(es):
shareware.exe:316
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process retorts.exe:248 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7.tmp\ExecCmd.dll (4 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7.tmp (0 bytes)
The process 50159.exe:664 makes changes in the file system.
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp (0 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\miracle\retorts.exe (1046 bytes)
%Program Files%\weeded\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\weeded\shareware.exe (4977 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\50159.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\49599767.exe (3075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (4 bytes)
%WinDir%\settings.dll (10947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\unavoidably.lnk (481 bytes)
%Program Files%\weeded\settings.dll (10947 bytes)
%WinDir%\shareware.exe (4977 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
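Two things in the file activity above deserve a note. First, the DLLs written into the ns*.tmp directories (System.dll, ShellLink.dll, AccessControl.dll, ExecCmd.dll and, later, SimpleFC.dll) are standard NSIS installer plug-ins, which fits the Trojan.NSIS.StartPage detection name: the sample is an NSIS installer script driving those plug-ins. Second, the report records that %original file name%.exe wrote 123 bytes to %System%\drivers\etc\hosts but not what it wrote, so the next step on an affected host is to audit the hosts file against its stock content. The following Python audit is an added example, not part of the report or of Lavasoft's tooling; the hosts content it parses is constructed for illustration and the .test hostnames are placeholders, not domains the sample is known to touch.

```python
"""Audit a Windows hosts file for non-stock mappings (added example)."""
import ipaddress

# Constructed sample: the report only records that 123 bytes were written to
# %System%\drivers\etc\hosts, not the content. The .test names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   update.example-av.test   # blackholed: resolves to loopback
0.0.0.0     downloads.example-av.test
10.0.0.5    www.bank.test  login.bank.test
not-an-ip   garbage
"""

# The only mapping a stock Windows XP hosts file carries.
STOCK = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Yield (line number, address, hostname) for every mapping; comments and
    blank lines are skipped, unparseable addresses are reported as None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            addr = None
        for host in fields[1:]:
            yield lineno, addr, host.lower()


def audit_hosts(text, watch_suffixes=()):
    """Return every non-stock mapping, classified as 'blackholed' (loopback or
    unspecified address), 'redirected' (any other address) or 'malformed',
    and mark those whose hostname falls under a watched suffix (typically the
    domains of the installed AV product or of the OS update service)."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if (addr, host) in STOCK:
            continue
        if addr is None:
            kind = "malformed"
        else:
            ip = ipaddress.ip_address(addr)
            kind = "blackholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        watched = any(host == s or host.endswith("." + s) for s in watch_suffixes)
        findings.append({"line": lineno, "host": host, "addr": addr,
                         "kind": kind, "watched": watched})
    return findings
```

Run it against the file read from %SystemRoot%\system32\drivers\etc\hosts and pass the suffixes of the security products and update services in use as watch_suffixes; any "blackholed" entry under a watched suffix is the classic update-blocking pattern, and a "redirected" entry for a non-loopback address is the pharming pattern.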
The process shareware.exe:316 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\jwplayer1[1].js (78027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[2].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CA4CVTLF.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\page-3[1].htm (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CA8HMZIV.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAQNCT2V.xml (815 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\player1[1].swf (21185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CAI6AP9Z.xml (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CAODUVG5.xml (772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CA4OGI7B.xml (809 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CA2MROHD.xml (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[1].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CAC3QTAZ.xml (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[1].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\css1[1].css (659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[2].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\crossdomain[2].xml (130 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CAX3AIBE.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\analytics[1].js (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\player1[1].swf (21333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CAF8TFMS.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[1].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\page-3[2].htm (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[4].xml (716 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[5].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@myelomaplanted[1].txt (188 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAXMZRPT.xml (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\page-3[1].html (710 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAF6O328.xml (815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CA27U7A5.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\page-3[1].htm (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAIVEPM9.xml (737 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CAA26RCK.xml (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[6].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[5].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[2].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[6].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\ova-jw[1].swf (36169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@myelomaplanted[2].txt (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\css1[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[5].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CA06VY6F.xml (757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\v[1].xml (653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[5].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[1].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[6].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CAE7496F.xml (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CAW52BS1.xml (777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CAVJAO89.xml (777 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\page-3[1].html (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@myelomaplanted[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\collect[1].gif (0 bytes)
The process 49599767.exe:1656 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp\SimpleFC.dll (5289 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp\SimpleFC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw4.tmp (0 bytes)
Registry activity
The process taskkill.exe:216 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 C1 43 09 A6 A0 45 B7 4A 9F 03 50 5E 2F 6C E0"
The process taskkill.exe:1956 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 99 22 8B 39 99 51 BB 8F 05 B0 2B 50 2E A4 63"
The process retorts.exe:248 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 F9 A1 C4 9E 42 D3 5D 9A E0 CE B0 AC 06 33 34"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To run automatically each time Windows boots, the Dropped adds the following autorun entries, each pointing at one of its dropped executables:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"westinghouse" = "%Program Files%\weeded\shareware.exe"
"retorts" = "%Program Files%\miracle\retorts.exe"
The process 50159.exe:664 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 4B E2 BB 28 20 00 BC 54 F7 20 F3 92 CD 92 D6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:188 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 85 AC 90 F1 3A 46 C4 ED 07 14 49 8F 3E 7C 24"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
To run automatically each time Windows boots, the Dropped adds the following autorun entries, four value names split between HKLM and HKCU that all point at its dropped shareware.exe:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yar" = "%Program Files%\weeded\shareware.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"joysticks" = "%Program Files%\weeded\shareware.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"purest" = "%Program Files%\weeded\shareware.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"spates" = "%Program Files%\weeded\shareware.exe"
The process shareware.exe:316 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091720160918]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091720160918]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091720160918]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 4B AD 5F AF 43 B4 A6 0B 2D D7 F3 6D 03 2A 75"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091720160918]
"CachePrefix" = ":2016091720160918:"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016091720160918\"
The Dropped modifies the IE security-zone map so that all network paths (UNCs) are included in the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
and so that all sites that bypass the proxy server are included in the Local Intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
and so that all local (intranet) sites not listed in other zones are included in the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that these three ZoneMap values are the Windows XP defaults for the Local Intranet zone and are written when a process first drives the IE engine under a user profile, so on their own they are consistent with shareware.exe's browsing activity (the Temporary Internet Files and cookies listed above) rather than a deliberate zone downgrade; compare them against a clean profile before treating them as an indicator.
The Dropped deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
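Most of the registry lines in this report are side effects of ordinary Win32 use rather than actions of the sample: HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is rewritten by the cryptographic service provider whenever a process calls CryptGenRandom (which is why every tasklist.exe and find.exe instance "sets" it), MountPoints2\...\BaseClass is written when the shell enumerates drives, Shell Folders is refreshed by SHGetFolderPath, and the Internet Settings cache keys are WinINet bookkeeping. The entries to act on are the Run values under HKLM and HKCU, the Windows Defender DisableAntiSpyware policy written by 50159.exe, the hosts file write, the Startup folder shortcut, the code injection into shareware.exe, and the repeated tasklist/find pairs, which are consistent with a process-existence check loop although the report records no command lines. The following Python script is an added example, not part of the report or of Lavasoft's tooling: it parses a constructed excerpt in the report's own format (the values are copied from the sections above) and separates the two classes. The classification patterns are my own assumptions about what is noise and what is signal, not Lavasoft's rules, and should be extended for the products and paths in your own environment.

```python
"""Triage a Lavasoft-style sandbox report (added example, not Lavasoft code)."""
import re
from collections import Counter

# Constructed excerpt in the report's own format; values copied from above.
REPORT = r"""Process activity
The Dropped creates the following process(es):
taskkill.exe:216
%original file name%.exe:188
tasklist.exe:568
tasklist.exe:216
find.exe:216
find.exe:1164
The Dropped injects its code into the following process(es):
shareware.exe:316
File activity
The Dropped creates and/or writes to the following file(s):
%Program Files%\weeded\shareware.exe (4977 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\unavoidably.lnk (481 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
Registry activity
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 C1 43 09 A6 A0 45 B7 4A 9F 03 50 5E 2F 6C E0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yar" = "%Program Files%\weeded\shareware.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"joysticks" = "%Program Files%\weeded\shareware.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"IntranetName" = "1"
"""

PROC_RE = re.compile(r"^(.+\.exe):(\d+)$", re.I)
FILE_RE = re.compile(r"^(.+?) \((\d+) bytes\)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)" = "(.*)"$')

# Noise: keys any process rewrites as a side effect of ordinary Win32 use
# (the CSP reseeds RNG\Seed, the shell writes MountPoints2 and Shell Folders,
# WinINet maintains its cache keys). Assumed classification, not Lavasoft's.
NOISE_KEYS = [re.compile(p, re.I) for p in (
    r"\\Cryptography\\RNG$", r"\\Explorer\\MountPoints2\\",
    r"\\Explorer\\Shell Folders$", r"\\Internet Settings\\(5\.0\\)?Cache")]
# Signal: keys that change what runs at boot, what is protected, what IE trusts.
SIGNAL_KEYS = [(re.compile(p, re.I), label) for p, label in (
    (r"\\CurrentVersion\\Run$", "persistence: Run key"),
    (r"\\Policies\\Microsoft\\Windows Defender$", "defense evasion: Defender policy"),
    (r"\\Internet Settings\\ZoneMap$", "IE zone map (compare with defaults)"))]
SIGNAL_FILES = [(re.compile(p, re.I), label) for p, label in (
    (r"\\drivers\\etc\\hosts$", "hosts file tampering"),
    (r"\\Startup\\[^\\]+\.lnk$", "persistence: Startup shortcut"),
    (r"^%Program Files%\\.+\.exe$", "dropped executable"))]
RECON_UTILS = {"tasklist.exe", "taskkill.exe", "find.exe"}


def triage(report):
    """Count spawned images, list injection targets and flagged files, and
    split registry writes into labelled signal and a bare noise count."""
    procs, injected, files, reg_signal = Counter(), [], [], []
    reg_noise, in_inject, in_delete, key = 0, False, False, None
    for raw in report.splitlines():
        line = raw.strip()
        if "injects its code into" in line:
            in_inject = True
        elif "creates the following process" in line:
            in_inject = False
        elif "deletes the following file" in line:
            in_delete = True          # deleted entries are listed as (0 bytes)
        elif "creates and/or writes" in line:
            in_delete = False
        elif (m := PROC_RE.match(line)):
            if in_inject:
                injected.append(m.group(1).lower())
            else:
                procs[m.group(1).lower()] += 1
        elif (m := KEY_RE.match(line)):
            key = m.group(1)          # values that follow belong to this key
        elif (m := VAL_RE.match(line)) and key:
            if any(p.search(key) for p in NOISE_KEYS):
                reg_noise += 1
            else:
                label = next((l for p, l in SIGNAL_KEYS if p.search(key)), "unclassified")
                reg_signal.append((key, m.group(1), m.group(2), label))
        elif (m := FILE_RE.match(line)) and not in_delete:
            label = next((l for p, l in SIGNAL_FILES if p.search(m.group(1))), None)
            if label:
                files.append((m.group(1), int(m.group(2)), label))
    return {"processes": procs, "injected": injected, "flagged_files": files,
            "recon_utilities": {i: n for i, n in procs.items() if i in RECON_UTILS},
            "registry_signal": reg_signal, "registry_noise_count": reg_noise}
```

Calling triage(REPORT) on the excerpt yields one noise count for the RNG and MountPoints2 writes and five labelled signal entries (the Defender policy, the two Run values and the two ZoneMap values), plus the three flagged files and the tasklist/taskkill/find counts. Anything that lands in "unclassified" is the list to read by hand, which is the point: the filter removes what you already know is harmless and leaves the rest visible.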
The process tasklist.exe:568 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 9D 9A BE DD 48 E8 C4 3D D9 E6 14 1E A8 51 EB"
The process tasklist.exe:216 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 82 39 87 15 74 7F CE 8D F3 E2 C5 9A F4 07 54"
The process tasklist.exe:1268 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 26 E4 F3 81 E2 42 C2 BA CA 3C 43 CF 6D E9 8E"
The process tasklist.exe:916 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 D8 11 68 77 37 71 27 69 C4 D2 E8 97 A4 0E A8"
The process tasklist.exe:1316 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 6F A7 DD A9 3B 8E B7 91 E7 79 87 F3 58 C0 0A"
The process tasklist.exe:1168 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 FF AB 8F F7 77 E8 57 4C 2F F9 E3 BF D4 26 B9"
The process tasklist.exe:452 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 0D 7C 33 69 F2 6B BC 07 36 B2 5F B8 6F 87 59"
The process tasklist.exe:664 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 1F C4 13 E3 AE 64 12 13 70 33 D3 1B AB 57 63"
The process tasklist.exe:616 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 E5 B3 4B A2 A8 5E 35 78 B6 3B 90 7A A4 E6 AB"
The process tasklist.exe:576 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 3B DC E3 25 A7 18 B2 76 96 03 A1 29 DC 89 2F"
The process tasklist.exe:1276 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 CD 84 6E 14 FC 9B 3F DD 4F 99 51 F3 96 BC 8A"
The process tasklist.exe:1288 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F6 8A A1 74 C4 FA 53 2C E1 BF FC ED 79 5D F0"
The process tasklist.exe:1372 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB BF E5 59 A5 98 F1 62 7E 19 99 12 BF 65 E7 5F"
The process tasklist.exe:740 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 AF D6 8B C7 07 63 44 4F B5 2A 79 83 46 49 7A"
The process tasklist.exe:1480 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 0C 77 F8 97 56 C5 C1 54 BF B1 4B 44 3A 13 BE"
The process tasklist.exe:1748 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 EE 51 CE 33 C4 29 F3 3A A9 52 18 69 48 E8 91"
The process tasklist.exe:1952 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 7D 01 6A 2C AD 9A E4 20 8F B4 EF E4 E8 C6 A7"
The process tasklist.exe:1928 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 97 83 22 83 A6 4F 09 7A 9F 50 6D B8 1D 5F 1B"
The process tasklist.exe:1884 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 00 1F 15 06 65 21 D0 28 7F 5D DF 07 AA F6 47"
The process tasklist.exe:348 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 7F 01 9F 12 D7 85 82 C3 77 0C 1D 0F 24 03 36"
The process 49599767.exe:1656 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 63 83 CB 43 32 6B 38 DC 7C 22 B7 9E B7 94 43"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process find.exe:216 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 0B A3 42 04 D3 E9 A2 DE C8 49 B6 EB 80 1C 37"
The process find.exe:1164 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD D0 51 21 92 5F 91 37 37 22 A0 FC 13 2E 39 E2"
The process find.exe:880 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 57 C1 70 32 BF BA 17 5E 01 47 8F 65 EE A3 2F"
The process find.exe:1300 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 F2 53 79 E0 40 8F 74 C3 EB 6B 27 96 36 5C 3D"
The process find.exe:628 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 8C B2 03 64 E1 40 B7 BB 15 F8 31 88 85 BC 32"
The process find.exe:608 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 84 BA 2D 92 94 50 0F 3D 6E C5 F2 DE 72 8C 08"
The process find.exe:1088 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 E5 08 BF AD 35 23 62 09 FD 7A AC 50 19 6A 82"
The process find.exe:1268 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 F3 A8 A1 8C C1 5A 57 1F 7C 3E 22 0B A6 E8 90"
The process find.exe:1160 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 25 75 8D C1 F3 F0 21 D5 58 73 31 7C 52 F3 A4"
The process find.exe:1424 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 43 93 5C 4D DE F4 73 59 9A C9 4A BF E6 10 9D"
The process find.exe:1772 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 68 4E 16 9A 51 C0 08 14 01 A4 02 83 FC 8D 2F"
The process find.exe:508 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 1F 40 0E A1 BE 23 9E 39 D1 12 56 09 F5 A2 0D"
The process find.exe:1656 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A D7 89 20 06 B0 25 98 2D AF 0D 57 0A 99 E6 D3"
The process find.exe:936 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 04 B4 6D 29 4E 9E 94 87 81 E7 34 8C 77 72 43"
The process find.exe:1312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 18 48 DD 36 BB 02 C7 5F 10 A2 57 44 3F B9 66"
The process find.exe:1132 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B B7 8C 3B 47 51 E9 2B 58 32 AA 4A FE 44 7A 9D"
The process find.exe:228 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 03 32 79 5E 0D 5D 2B E2 49 1A 41 BE 85 9D EC"
The process find.exe:1804 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 49 FF 89 6D 69 34 E8 6E 89 BB AC BD E7 7F 99"
The process find.exe:1480 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 97 16 F5 DC 3D A2 D0 49 8F 6D 00 F9 2D 83 21"
The process find.exe:1388 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 68 12 0C 14 18 E2 4C 49 92 CD B5 7F 59 0A 89"
The process find.exe:648 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 09 61 BE 8A E1 A7 92 54 56 8A 40 E3 14 35 38"
The process find.exe:1740 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 3D A7 25 A9 76 D0 E5 8F 2F 7C AF A5 28 F5 A8"
The process find.exe:516 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 83 77 36 2A C4 E5 E5 59 39 0E 3A 71 A1 13 22"
Dropped PE files
| MD5 | File path |
|---|---|
| 80731e61f478098e124b84302a993dc3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\49599767.exe |
| 6351426f5922b23dd580621eee7b681c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\50159.exe |
| b9380b0bea8854fd9f93cc1fda0dfeac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj7.tmp\ExecCmd.dll |
| 0c7f08de6a4c4b39d3ea29956479f17d | c:\Program Files\miracle\retorts.exe |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\Program Files\weeded\Microsoft.Win32.TaskScheduler.dll |
| 9776a38b1638b98be816314438802928 | c:\Program Files\weeded\settings.dll |
| 77e2ca5cbde991aa8d5fdc5dd00c99a9 | c:\Program Files\weeded\shareware.exe |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll |
| 9776a38b1638b98be816314438802928 | c:\WINDOWS\settings.dll |
| 77e2ca5cbde991aa8d5fdc5dd00c99a9 | c:\WINDOWS\tamura.exe |
HOSTS file anomalies
The Dropped modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before DNS is consulted.
The modified file is 857 bytes in size. The following entries are added to the hosts file:
| IP | Host name |
|---|---|
| 162.222.194.13 | cocomo.tremorhub.com |
| 162.222.194.13 | www.virustotal.com |
| 162.222.194.13 | virustotal.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 86016 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 278528 | 2536 | 2560 | 3.13622 | b9f20defc9dd650d8dcc7fc5d4708ad4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 109
URLs
| URL | IP |
|---|---|
| hxxp://d3cpqb3ouewn5u.cloudfront.net/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t= | |
| hxxp://d3cpqb3ouewn5u.cloudfront.net/func.js?r=5 | |
| hxxp://www-google-analytics.l.google.com/analytics.js | |
| hxxp://cocomo.tremorhub.com/itd.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&rand= | |
| hxxp://www.clangburkitt.info/count.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&rand= | |
| hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png | |
| hxxp://c.statcounter.com/10114910/0/757d7213/1/ | |
| hxxp://widgets.amung.us/draw/?w=colored&n=1920&c=000000ffffff&p= | |
| hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=300043112&t=pageview&_s=1&dl=http://www.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=499170364&cid=826493472.1474069324&tid=UA-74694740-5&_r=1&z=1393523018 | |
| hxxp://a5f50dedef.site.internapcdn.net/page-3.html?lid=937115 | |
| hxxp://109.201.148.40/report1.php?url=/ivids/page-3.html?lid=937115 | |
| hxxp://ivids.net/jwplayer1.js | |
| hxxp://109.201.148.40/bck.php?1474069325000 | |
| hxxp://ivids.net/1.js | |
| hxxp://a5f50dedef.site.internapcdn.net/page-3.htm?lid=937115 | |
| hxxp://109.201.148.40/report1.php?url=/ivids/page-3.htm?lid=937115 | |
| hxxp://109.201.148.40/bck.php?1474069326000 | |
| hxxp://g1.panthercdn.com/counter/counter.js | |
| hxxp://ivids.net/player1.swf | |
| hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=108633066&t=pageview&_s=1&dl=http://www.ivids.net/page-3.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1798314341&cid=2082597319.1474069327&tid=UA-74694740-2&_r=1&z=508289087 | |
| hxxp://a5f50dedef.site.internapcdn.net/css1.css | |
| hxxp://a5f50dedef.site.internapcdn.net/img/logo.png | |
| hxxp://a5f50dedef.site.internapcdn.net/img/lbg.png | |
| hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=760C804036AC4FCC46A9CE955F5ADF3B&sc_random=0.5965103835010492&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://www.ivids.net/page-3.html?lid=937115&u=http://www.ivids.net/page-3.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 | |
| hxxp://cs28.wpc.thetacdn.net/5/10/logo.png | |
| hxxp://ivids.net/ova-jw.swf | |
| hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/crossdomain.xml | |
| hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 3&mediaDesc=Entertainment videos ivids.net - 3&mediaId=2&mediaUrl=hxxp://www.ivids.net/3.html&srcPageUrl=hxxp://www.ivids.net/3.html&contentLength=300 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/crossdomain.xml | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=eyeview,beeswax,thetradedesk,1,conversant,Bidswitch,appnexus,SundaySky,TubeMogul-GP,mediamath,Videology,BidTheatre,_dmp_turbine,rocketfuel,dataxu,centro,google,audiencescience,dynadmic,tremornet,adapTV,videoamp,TapAd&uid=c6d9dfb0c24041459ea4ba35dabe1183&init=true | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=google,conversant,TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=conversant,TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://dyhd7e8p4cqed.cloudfront.net/crossdomain.xml | |
| hxxp://dyhd7e8p4cqed.cloudfront.net/static/noad.xml | |
| hxxp://www.ivids.net/img/lbg.png | |
| hxxp://cdn.tremorhub.com/static/noad.xml | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://www.google-analytics.com/analytics.js | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/crossdomain.xml | |
| hxxp://www.ivids.net/page-3.htm?lid=937115 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=300043112&t=pageview&_s=1&dl=http://www.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=499170364&cid=826493472.1474069324&tid=UA-74694740-5&_r=1&z=1393523018 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=conversant,TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://cdn.tremorhub.com/crossdomain.xml | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://xlf5t.ads.tremorhub.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 3&mediaDesc=Entertainment videos ivids.net - 3&mediaId=2&mediaUrl=hxxp://www.ivids.net/3.html&srcPageUrl=hxxp://www.ivids.net/3.html&contentLength=300 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://www.ivids.net/css1.css | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=108633066&t=pageview&_s=1&dl=http://www.ivids.net/page-3.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1798314341&cid=2082597319.1474069327&tid=UA-74694740-2&_r=1&z=508289087 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml | |
| hxxp://www.myelomaplanted.pw/func.js?r=5 | |
| hxxp://www.ivids.net/img/logo.png | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://www.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t= | |
| hxxp://www.statcounter.com/counter/counter.js | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://l.longtailvideo.com/5/10/logo.png | |
| hxxp://www.ivids.net/page-3.html?lid=937115 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=eyeview,beeswax,thetradedesk,1,conversant,Bidswitch,appnexus,SundaySky,TubeMogul-GP,mediamath,Videology,BidTheatre,_dmp_turbine,rocketfuel,dataxu,centro,google,audiencescience,dynadmic,tremornet,adapTV,videoamp,TapAd&uid=c6d9dfb0c24041459ea4ba35dabe1183&init=true | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=google,conversant,TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Outdated Windows Flash Version IE
Traffic
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2016 07:47:47 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Sat, 19 Aug 2017 07:47:47 GMT
Connection: close
Content-Type: application/x-shockwave-flash
GET /index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.myelomaplanted.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 906
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Fri, 16 Sep 2016 23:41:53 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 b3893b6a7f87165f118a84f1c20b39d0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: g4_N2TQ8YsVEHsrVpbMUyxGGN8Grk_gCNd8apSad7mAhR8XixySqhg==
GET /func.js?r=5 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.myelomaplanted.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Fri, 12 Aug 2016 14:24:56 GMT
Vary: Accept-Encoding
X-Cache: RefreshHit from cloudfront
Via: 1.1 b3893b6a7f87165f118a84f1c20b39d0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: G9i8Ce1AWsteKX0ZKzdbC9B8nw_t65i_9pZIH3h2dNb2dAzLOHlzvA==
t;3..wVyd.Dk.b.y..d..T.D...."W.<K.n4,X.$........AU5^..{.]_M..:.]...
..Z P9.p9.F?....'...d.|..o..[e...8E...{.4.U.BrB.<......> .X.9...
...P.B...i.J..L....V ..jr*n... ]v..g@.. .M.u.v&]..~..Bz_."..:.]... o..
.T.B...q....pC..B..qM...J.<J.....c]..s>...V:.......[a=..|..x.z..
...=.9%}.t......T........'..t...g.....L.. *.V2..p...rv.....F..x?W..*..
..........3_.q.q....S.~....7_e.G..P..7w..h..R ..$.w....H.41.W.n...D...
.wZ..x.ZG....6..:a.5!....t:O..:.5MvM...([email protected].\.......SuY....:....
.....>...P..{|:.<.<...I...=........}..=...|.8.......{1z...HTT
P/1.1 200 OK..Content-Type: application/javascript..Content-Length: 59
7..Connection: keep-alive..Server: Apache/2.2.22 (Win64) PHP/5.3.13..L
ast-Modified: Mon, 18 Jul 2016 15:25:49 GMT..ETag: "90000001e1520-f7a-
537ea953f7333"..Accept-Ranges: bytes..Content-Encoding: gzip..Date: Fr
i, 12 Aug 2016 14:24:56 GMT..Vary: Accept-Encoding..X-Cache: RefreshHi
t from cloudfront..Via: 1.1 b3893b6a7f87165f118a84f1c20b39d0.cloudfron
t.net (CloudFront)..X-Amz-Cf-Id: G9i8Ce1AWsteKX0ZKzdbC9B8nw_t65i_9pZIH
[email protected]/vJ.8....U U.R.q.z..N.....
..DU.{....-.G.>l<3..wVyd.Dk.b.y..d..T.D...."W.<K.n4,X.$......
..AU5^..{.]_M..:.].....Z P9.p9.F?....'...d.|..o..[e...8E...{.4.U.BrB.&
lt;......> .X.9......P.B...i.J..L....V ..jr*n... ]v..g@.. .M.u.v&].
.~..Bz_."..:.]... o...T.B...q....pC..B..qM...J.<J.....c]..s>...V
:.......[a=..|..x.z.....=.9%}.t......T........'..t...g.....L.. *.V<<< skipped >>>
GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 22:07:39 GMT
Expires: Sat, 17 Sep 2016 00:07:39 GMT
Last-Modified: Mon, 15 Aug 2016 04:25:11 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 5654
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /r/collect?v=1&_v=j46&a=300043112&t=pageview&_s=1&dl=http://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=499170364&cid=826493472.1474069324&tid=UA-74694740-5&_r=1&z=1393523018 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Fri, 16 Sep 2016 23:41:54 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GIF89a.............,...........D..;
GET /r/collect?v=1&_v=j46&a=108633066&t=pageview&_s=1&dl=http://VVV.ivids.net/page-3.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1798314341&cid=2082597319.1474069327&tid=UA-74694740-2&_r=1&z=508289087 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Fri, 16 Sep 2016 23:41:57 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GIF89a.............,...........D..;
GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
HTTP/1.1 303 See Other
Date: Fri, 16 Sep 2016 23:41:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1920&c=000000ffffff&p=
Set-Cookie: uid=CgH9JVfcg0JoYWb/hybFAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.2082597319.1474069327; _gat=1
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2016 07:47:48 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Sat, 19 Aug 2017 07:47:48 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Fri, 16 Sep 2016 23:41:58 GMT
Etag: "3015243340"
Expires: Fri, 23 Sep 2016 23:41:58 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
<<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Fri, 16 Sep 2016 23:42:00 GMT
ETag: W/"144-1446501138000"
Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 3&mediaDesc=Entertainment videos ivids.net - 3&mediaId=2&mediaUrl=hXXp://VVV.ivids.net/3.html&srcPageUrl=hXXp://VVV.ivids.net/3.html&contentLength=300 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Date: Fri, 16 Sep 2016 23:42:00 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; Domain=.tremorhub.com; Expires=Sun, 17-Sep-2017 05:30:21 GMT; Path=/
Set-Cookie: tvrg_60409="1,1474069321"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Fri, 16-Sep-2016 23:43:01 GMT; Path=/
Vary: Accept-Encoding
x-tremorvideo-status: NO_AD
Content-Length: 516
Connection: keep-alive
<<< skipped >>>
GET /draw/?w=colored&n=1920&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: uid=CgH9JVfcg0JoYWb/hybFAg==
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Fri, 16 Sep 2016 23:41:54 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Sun, 16 Oct 2016 23:41:54 GMT
Cache-Control: max-age=2592000
<<< skipped >>>
GET /report1.php?url=/ivids/page-3.html?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:45:25 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1474069325000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:45:26 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /report1.php?url=/ivids/page-3.htm?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:45:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1474069326000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:45:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /page-3.html?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
<<< skipped >>>
GET /page-3.htm?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:56 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
<<< skipped >>>
GET /css1.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1474069327.760C804036AC4FCC46A9CE955F5ADF3B.1.1.1.1.1.1.1.1.1; _ga=GA1.2.2082597319.1474069327; _gat=1
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:57 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 10 Nov 2014 09:13:53 GMT
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
<<< binary body omitted >>>
GET /img/lbg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1474069327.760C804036AC4FCC46A9CE955F5ADF3B.1.1.1.1.1.1.1.1.1; _ga=GA1.2.2082597319.1474069327; _gat=1
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:57 GMT
Content-Type: image/png
Content-Length: 200
Connection: keep-alive
Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT
ETag: "a1c85-c8-4ebb56fac1880"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
<<< binary body omitted >>>
GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.2082597319.1474069327; _gat=1
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2016 07:47:49 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Sat, 19 Aug 2017 07:47:49 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Fri, 16 Sep 2016 23:42:00 GMT
ETag: W/"144-1446501138000"
Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=eyeview,beeswax,thetradedesk,1,conversant,Bidswitch,appnexus,SundaySky,TubeMogul-GP,mediamath,Videology,BidTheatre,_dmp_turbine,rocketfuel,dataxu,centro,google,audiencescience,dynadmic,tremornet,adapTV,videoamp,TapAd&uid=c6d9dfb0c24041459ea4ba35dabe1183&init=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:01 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 500
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=google,conversant,TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:01 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=conversant,TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:01 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 486
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=TubeMogul-GP,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:02 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 517
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:02 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 469
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:03 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:04 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 493
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:04 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:04 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 461
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:05 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 460
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:06 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:06 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 435
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:06 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:08 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 428
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:08 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 410
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:09 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 398
Connection: keep-alive
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:09 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 413
Connection: keep-alive
[gzip-compressed text/xml body (413 bytes) omitted]
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:10 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed, chunked text/xml body omitted]
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:10 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed, chunked text/xml body omitted]
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:11 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 377
Connection: keep-alive
[gzip-compressed text/xml body (377 bytes) omitted]
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=videoamp,TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:11 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed, chunked text/xml body omitted]
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=TapAd,_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:12 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 421
Connection: keep-alive
[gzip-compressed text/xml body (421 bytes) omitted]
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=_dmp_turbine&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 23:42:12 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed, chunked text/xml body omitted]
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 130
Connection: keep-alive
Date: Wed, 01 Jun 2016 04:24:27 GMT
Last-Modified: Thu, 04 Dec 2014 23:41:04 GMT
ETag: "2cf4c5e3d4c1206209355ac1065b0efc"
Accept-Ranges: bytes
Server: AmazonS3
Age: 76057
X-Cache: Hit from cloudfront
Via: 1.1 98156a801d83959662001f06a375d7c7.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0ecpjJJKFzzP64GZxM8HOMq3OpmNkCPTYxY100KkK_iI3JHH8pPPIg==
<?xml version="1.0" ?>
<cross-domain-policy>
  <!-- Very Liberal -->
  <allow-access-from domain="*" />
</cross-domain-policy>
GET /static/noad.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 7
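The /syncnoad requests above are one cookie-sync pass: the `p=` list loses its head on every round trip while `rid`, `uid` and the `tvid` cookie stay fixed, and each request carries `x-flash-version` with a Referer of `hXXp://ivids.net/ova-jw.swf`, so they are issued by the Flash player loading that OVA ad-plugin SWF rather than by a page script. The wildcard `allow-access-from domain="*"` in cdn.tremorhub.com's crossdomain.xml is what lets a SWF served from ivids.net read those responses cross-origin. The Python below is an added triage script, not part of the Lavasoft report: it parses a dump in this sandbox format, lists hosts and paths for blocklisting, reconstructs the partner chain and picks out the Flash-issued requests. The sample capture inside it is constructed from lines of this report with the binary bodies and most headers dropped; the defanged `hXXp`/`VVV` forms are kept as the report writes them.

```python
import re
from collections import OrderedDict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: request/response lines copied from the capture above
# (same hosts, paths, cookie and query values), most headers dropped and the
# binary bodies left out. The sandbox writes requests back to back with no
# blank line, so the parser keys on the request line and the status line.
SAMPLE_CAPTURE = """\
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=SundaySky,dynadmic,mediamath,BidTheatre&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Host: partners.tremorhub.com
Cookie: tvid=c6d9dfb0c24041459ea4ba35dabe1183; tvrg_60409="1,1474069321"
HTTP/1.1 200 OK
Content-Type: text/xml
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=dynadmic,mediamath,BidTheatre&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Host: partners.tremorhub.com
HTTP/1.1 200 OK
Content-Type: text/xml
GET /syncnoad?rid=94a8b1159be0473384d71ee4a59e513e&p=mediamath,BidTheatre&uid=c6d9dfb0c24041459ea4ba35dabe1183 HTTP/1.1
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Host: partners.tremorhub.com
HTTP/1.1 200 OK
Content-Type: text/xml
GET /crossdomain.xml HTTP/1.1
x-flash-version: 11,6,602,168
Host: cdn.tremorhub.com
HTTP/1.1 200 OK
Content-Type: text/xml
GET /itd.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&rand= HTTP/1.1
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Host: cocomo.tremorhub.com
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Content-Type: text/html
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")


def parse_capture(text):
    """Split a sandbox HTTP dump into request records.

    Each record has method, path, query (first value per key, blanks kept),
    headers (names lower-cased), status and resp_headers. Bodies are not
    parsed: the sandbox fuses them onto the last header line, and the ones
    here are gzip or image data anyway.
    """
    records, current, in_response = [], None, False
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            method, target = m.groups()
            parts = urlsplit(target)
            query = parse_qs(parts.query, keep_blank_values=True)
            current = {"method": method, "path": parts.path,
                       "query": {k: v[0] for k, v in query.items()},
                       "headers": {}, "status": None, "resp_headers": {}}
            records.append(current)
            in_response = False
        elif current is None:
            continue
        elif line.startswith("HTTP/1."):
            current["status"] = int(line.split()[1])
            in_response = True
        elif ":" in line:
            name, _, value = line.partition(":")
            dest = current["resp_headers"] if in_response else current["headers"]
            dest[name.strip().lower()] = value.strip()
    return records


def hosts_and_paths(records):
    """Host -> sorted paths, in first-seen order: raw material for a blocklist."""
    out = OrderedDict()
    for r in records:
        out.setdefault(r["headers"].get("host", "?"), set()).add(r["path"])
    return OrderedDict((h, sorted(p)) for h, p in out.items())


def sync_partner_chain(records):
    """Reconstruct the cookie-sync chain from the /syncnoad requests.

    Every request carries p=<partner,...>; each successive request repeats the
    previous list minus its head, so one partner is consumed per round trip.
    Returns the full partner order and whether the chain is unbroken (a gap
    means a request was missed or the dump is out of order).
    """
    lists = [r["query"]["p"].split(",") for r in records
             if r["path"] == "/syncnoad" and "p" in r["query"]]
    unbroken = all(lists[i][1:] == lists[i + 1] for i in range(len(lists) - 1))
    return (lists[0] if lists else []), unbroken


def flash_driven_requests(records):
    """(host, path, referer) for requests the Flash plugin issued, keyed on the
    x-flash-version header; the Referer names the .swf that made them."""
    return [(r["headers"].get("host"), r["path"], r["headers"].get("referer", ""))
            for r in records if "x-flash-version" in r["headers"]]
```

Run it over the full report text rather than the embedded sample to get the complete host list; the parser ignores the fused binary bodies because they never start with a request or status line.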
GET /itd.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:55 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
  var nameEQ = name + "=";
  var ca = document.cookie.split(';');
  for(var i=0;i < ca.length;i++) {
    var c = ca[i];
    while (c.charAt(0)==' ') c = c.substring(1,c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  }
  return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
//-->
</script>
<meta http-equiv="refresh" content="300">
</html>
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2016 07:47:47 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Sat, 17 Sep 2016 07:47:47 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=760C804036AC4FCC46A9CE955F5ADF3B&sc_random=0.5965103835010492&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.ivids.net/page-3.html?lid=937115&u=http://VVV.ivids.net/page-3.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: is_unique=sc10114910.1474069314.0; is_visitor_unique=1474069314367565314
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:57 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1474069314.0-10675947.1474069317.0; expires=Wed, 15-Sep-2021 23:41:57 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1474069314367565314; expires=Sun, 16-Sep-2018 23:41:57 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
[49-byte GIF body omitted]
GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:54 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1474069314.0; expires=Wed, 15-Sep-2021 23:41:54 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1474069314367565314; expires=Sun, 16-Sep-2018 23:41:54 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
[49-byte GIF body omitted]
GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: is_unique=sc10114910.1474069314.0; is_visitor_unique=1474069314367565314
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:57 GMT
Server: PWS/8.1.41.3
X-Px: ht h0-s1174.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Sat, 17 Sep 2016 01:33:03 GMT
Age: 36534
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
[gzip-compressed counter.js body (9529 bytes) omitted]
GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1474069327.760C804036AC4FCC46A9CE955F5ADF3B.1.1.1.1.1.1.1.1.1; _ga=GA1.2.2082597319.1474069327; _gat=1
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:57 GMT
Content-Type: image/png
Content-Length: 2536
Connection: keep-alive
Last-Modified: Thu, 10 Jul 2014 23:39:15 GMT
ETag: "a1c81-9e8-4fddf55270ec0"
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
[PNG body (2536 bytes) omitted]
GET /count.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.myelomaplanted.pw/index5.php?id=22A0nISAWSLmWqkNYgwr&date=2016-08-25&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.clangburkitt.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 23:41:55 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<meta http-equiv="refresh" content="300">
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2016 07:47:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Sat, 17 Sep 2016 07:47:46 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 17 Sep 2016 07:47:45 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Sat, 19 Aug 2017 07:47:45 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape('
[remainder of jwplayer1.js (154935 bytes) truncated in the capture]
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj7.tmp\ExecCmd.dll
"%Program Files%\weeded\shareware.exe"
xecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj7.tmp
nsj7.tmp
rogram Files\weeded\shareware.exe"
q shareware.exe" | %SystemRoot%\System32\find /I "shareware.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj7.tmp
"%Program Files%\miracle\retorts.exe"
%Program Files%\miracle
retorts.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\miracle\retorts.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
racle\retorts.exe"
ded\shareware.exe"
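The strings above show an NSIS 2.46 installer that unpacks the ExecCmd.dll plugin to `%Temp%\nsj7.tmp` and runs a command ending in `| %SystemRoot%\System32\find /I "shareware.exe"`, which matches the process list at the top of the report: around twenty `tasklist.exe` and `find.exe` instances and two `taskkill.exe`, i.e. a polling loop that checks by name whether the payload is running. On a host with process-creation auditing (Sysmon Event ID 1 or Security 4688) that loop stands out: one parent spawning `tasklist` immediately followed by `find /I "<name>"` many times a minute is rare for legitimate software. The Python below is an added detection example, not part of the report: it pairs each `tasklist` launch with the `find` that follows it under the same parent and flags parents that repeat the pair. The events are constructed; the tasklist and find PIDs are taken from the report's process list, but the parent PID 248 (retorts.exe), the timestamps and the full command lines are assumptions, since the report shows only the `find /I "shareware.exe"` fragment, and in a real Sysmon feed the direct parent would be the cmd.exe that ExecCmd runs rather than the dropper itself.

```python
import re
from collections import defaultdict
from datetime import datetime

SYS32 = r"C:\WINDOWS\system32"


def _ev(time, pid, ppid, image, cmd):
    return {"time": time, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed sample in the shape of Sysmon Event ID 1 fields. The tasklist
# and find PIDs come from the report's process list; parent PID 248
# (retorts.exe), the timestamps and the command lines are assumptions.
SAMPLE_EVENTS = []
for n, (tl_pid, find_pid) in enumerate(zip([568, 216, 1268, 916, 1316, 1168],
                                           [1164, 880, 1300, 628, 608, 1088])):
    stamp = "2016-09-16 23:41:%02d" % (30 + n)
    SAMPLE_EVENTS.append(_ev(stamp + ".100", tl_pid, 248, SYS32 + r"\tasklist.exe", "tasklist"))
    SAMPLE_EVENTS.append(_ev(stamp + ".150", find_pid, 248, SYS32 + r"\find.exe",
                             'find /I "shareware.exe"'))
# One interactive tasklist run from an unrelated parent (constructed): no pair, no loop.
SAMPLE_EVENTS.append(_ev("2016-09-16 23:41:40.000", 1500, 1000, SYS32 + r"\tasklist.exe", "tasklist /v"))

FIND_TARGET = re.compile(r'find(?:\.exe)?\s+/i\s+"([^"]+)"', re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def watchdog_loops(events, pair_gap=2.0, window=60.0, min_pairs=5):
    """Parents that ran tasklist followed by find within pair_gap seconds at
    least min_pairs times inside any window of `window` seconds.

    Returns {ppid: {"pairs_in_window": n, "targets": [names find matched on]}}.
    """
    by_parent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_parent[e["ppid"]].append(e)
    findings = {}
    for ppid, evs in by_parent.items():
        pairs = []  # (time of the tasklist launch, name the following find looked for)
        for i, e in enumerate(evs):
            if _basename(e["image"]) != "tasklist.exe":
                continue
            t0 = _ts(e["time"])
            for f in evs[i + 1:]:
                if (_ts(f["time"]) - t0).total_seconds() > pair_gap:
                    break
                if _basename(f["image"]) == "find.exe":
                    m = FIND_TARGET.search(f["cmd"])
                    pairs.append((t0, m.group(1).lower() if m else None))
                    break
        best = 0
        for j in range(len(pairs)):  # densest window of pairs; n is small, so O(n^2) is fine
            k = j
            while k < len(pairs) and (pairs[k][0] - pairs[j][0]).total_seconds() <= window:
                k += 1
            best = max(best, k - j)
        if best >= min_pairs:
            findings[ppid] = {"pairs_in_window": best,
                              "targets": sorted({t for _, t in pairs if t})}
    return findings
```

The `targets` list is the useful output: it names the binary the loop guards, which here points straight at `%Program Files%\weeded\shareware.exe` and its copy in `%WinDir%`, and it is what to kill before deleting the files, otherwise the loop restarts the payload between the two steps.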
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:216
taskkill.exe:1956
retorts.exe:248
50159.exe:664
%original file name%.exe:188
tasklist.exe:568
tasklist.exe:216
tasklist.exe:1268
tasklist.exe:916
tasklist.exe:1316
tasklist.exe:1168
tasklist.exe:452
tasklist.exe:664
tasklist.exe:616
tasklist.exe:576
tasklist.exe:1276
tasklist.exe:1288
tasklist.exe:1372
tasklist.exe:740
tasklist.exe:1480
tasklist.exe:1748
tasklist.exe:1952
tasklist.exe:1928
tasklist.exe:1884
tasklist.exe:348
49599767.exe:1656
find.exe:216
find.exe:1164
find.exe:880
find.exe:1300
find.exe:628
find.exe:608
find.exe:1088
find.exe:1268
find.exe:1160
find.exe:1424
find.exe:1772
find.exe:508
find.exe:1656
find.exe:936
find.exe:1312
find.exe:1132
find.exe:228
find.exe:1804
find.exe:1480
find.exe:1388
find.exe:648
find.exe:1740
find.exe:516
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7.tmp\ExecCmd.dll (4 bytes)
%Program Files%\miracle\retorts.exe (1046 bytes)
%Program Files%\weeded\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\weeded\shareware.exe (4977 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\50159.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\49599767.exe (3075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ShellLink.dll (4 bytes)
%WinDir%\settings.dll (10947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\unavoidably.lnk (481 bytes)
%Program Files%\weeded\settings.dll (10947 bytes)
%WinDir%\shareware.exe (4977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\jwplayer1[1].js (78027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[2].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CA4CVTLF.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\page-3[1].htm (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CA8HMZIV.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAQNCT2V.xml (815 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\player1[1].swf (21185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CAI6AP9Z.xml (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CAODUVG5.xml (772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CA4OGI7B.xml (809 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CA2MROHD.xml (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[1].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\CAC3QTAZ.xml (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[1].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\css1[1].css (659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[2].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\crossdomain[2].xml (130 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CAX3AIBE.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\analytics[1].js (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\player1[1].swf (21333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CAF8TFMS.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[1].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\page-3[2].htm (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[4].xml (716 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[5].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@myelomaplanted[1].txt (188 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAXMZRPT.xml (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\page-3[1].html (710 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAF6O328.xml (815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CA27U7A5.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\page-3[1].htm (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\CAIVEPM9.xml (737 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CAA26RCK.xml (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[6].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\syncnoad[5].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[2].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\syncnoad[6].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\ova-jw[1].swf (36169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@myelomaplanted[2].txt (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CD6BGDEJ\css1[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[5].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CA06VY6F.xml (757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\v[1].xml (653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[5].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41670D63\syncnoad[1].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\syncnoad[6].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OLERKPMN\CAE7496F.xml (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CAW52BS1.xml (777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXQZ01U3\CAVJAO89.xml (777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp\SimpleFC.dll (5289 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"westinghouse" = "%Program Files%\weeded\shareware.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"retorts" = "%Program Files%\miracle\retorts.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yar" = "%Program Files%\weeded\shareware.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"joysticks" = "%Program Files%\weeded\shareware.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"purest" = "%Program Files%\weeded\shareware.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"spates" = "%Program Files%\weeded\shareware.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.