Dropped.Trojan.Generic.17338822_e4e8ea4218

by malwarelabrobot on September 17th, 2016 in Malware Descriptions.

Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: e4e8ea421895b321bea9afa16d8a6fb5
SHA1: 83c2092ffae694d6eda5adfd80dcf9c0dd22fe20
SHA256: 3bf6db23d59e296be3606e0e222a055a47b59c4cbb679f66c8c8495950b8f9d1
SSDeep: 12288:NAScylwlxf1Mjjr8fNTue391fDO4iTG6Wlg9OSQAaWQDqmcAc2nuaWHvw3:N8Vmjjro6eNhOdolgdQLWO6ACa443
Size: 790483 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

taskkill.exe:1148
taskkill.exe:1556
%original file name%.exe:772
67511525.exe:892
tasklist.exe:216
tasklist.exe:312
tasklist.exe:1088
tasklist.exe:1924
tasklist.exe:172
tasklist.exe:1712
tasklist.exe:1636
tasklist.exe:1852
tasklist.exe:652
tasklist.exe:324
tasklist.exe:1564
tasklist.exe:1752
tasklist.exe:308
tasklist.exe:204
tasklist.exe:636
tasklist.exe:900
tasklist.exe:1868
tasklist.exe:2044
tasklist.exe:1624
tasklist.exe:1976
tasklist.exe:1476
tasklist.exe:1760
tasklist.exe:1764
jam.exe:140
58636.exe:1736
find.exe:216
find.exe:1144
find.exe:196
find.exe:332
find.exe:272
find.exe:1904
find.exe:1488
find.exe:1632
find.exe:1324
find.exe:876
find.exe:656
find.exe:1692
find.exe:188
find.exe:1796
find.exe:900
find.exe:1800
find.exe:908
find.exe:1556
find.exe:1648
find.exe:1748
find.exe:412
find.exe:296
find.exe:432

The Dropped injects its code into the following process(es):

depreciation.exe:1380

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process depreciation.exe:1380 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CAF3ZE6G.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA0HM1LQ.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CAPM7SNO.xml (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\crossdomain[2].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CANP6LWN.xml (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[8].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fla8.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[7].xml (599 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAQN89YZ.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[8].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[1].xml (694 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\page-3[1].htm (4544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[5].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\style[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CANX7CVF.xml (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\ova-jw[1].swf (37117 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\abcd[1].mp4 (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CAQEW68J.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[2].xml (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[5].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[1].xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\player1[2].swf (17609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CACTAH43.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CA0EDOPZ.xml (765 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[2].xml (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAC9WPCV.xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[6].xml (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CA8XY34L.xml (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\crossdomain[3].xml (144 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wistfulkhakis[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\page-3[1].htm (4283 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (608 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAZMJO7D.xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\player1[1].swf (19685 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sxx (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[7].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[7].xml (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CAPBP6K4.xml (810 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAMOM7SH.xml (810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\crossdomain[2].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[1].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[6].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[6].xml (719 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wistfulkhakis[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA4XABOP.xml (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[4].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\bgg[1].png (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA6LH4NT.xml (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[7].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[2].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\analytics[1].js (3803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CA7P4RT2.xml (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[1].xml (692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[6].xml (607 bytes)
%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[5].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[5].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA0VGDUT.xml (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CA0D19AN.xml (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\jwplayer1[1].js (76701 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[2].txt (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAP3LRI1.xml (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CA9OKZ91.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (297 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wistfulkhakis[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CA9OKZ91.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\page-3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (0 bytes)

The process %original file name%.exe:772 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Program Files%\fledged\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\fledged\settings.dll (10068 bytes)
%Program Files%\uncelebrated\jam.exe (1024 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\58636.exe (1082 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\brewers.lnk (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\AccessControl.dll (13 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\System.dll (11 bytes)
%WinDir%\settings.dll (10068 bytes)
%Program Files%\fledged\depreciation.exe (4884 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\ShellLink.dll (4 bytes)
%WinDir%\depreciation.exe (4884 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\67511525.exe (3099 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\AccessControl.dll (0 bytes)

The process 67511525.exe:892 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp\SimpleFC.dll (5289 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp\SimpleFC.dll (0 bytes)

The process jam.exe:140 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg7.tmp\ExecCmd.dll (4 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp (0 bytes)

The process 58636.exe:1736 makes changes in the file system.
The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)

Registry activity

The process taskkill.exe:1148 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 34 86 E8 87 6B 29 60 FA 4E B1 44 4E DD 48 38"

The process taskkill.exe:1556 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 C7 55 D3 0B 65 6B B0 BD 4E FD 88 32 6E 58 9A"

The process depreciation.exe:1380 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091620160917]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "depreciation.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091620160917]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091620160917]
"CachePrefix" = ":2016091620160917:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Control\VIDEO\{93BE68F4-CC3D-47B9-A3E0-1521247A9D19}\0000]
"Attach.ToDesktop" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091620160917]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016091620160917\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 76 82 FB 2E B6 09 77 0D 6A A4 9E 69 5D 99 E3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091620160917]
"CacheOptions" = "11"

The Dropped modifies IE security zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:772 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A DC 1B 80 89 A2 46 3C B5 05 FD 93 2F 1A 15 CA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To run itself automatically each time Windows boots, the Dropped adds the following references to its file under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"madre" = "%Program Files%\fledged\depreciation.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"taneja" = "%Program Files%\fledged\depreciation.exe"
"dresden" = "%Program Files%\fledged\depreciation.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"social" = "%Program Files%\fledged\depreciation.exe"

The process 67511525.exe:892 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 F2 C4 43 DA A6 00 FF 8F AC E3 5D 3D 16 9E D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process tasklist.exe:216 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 2F 83 D4 10 04 52 23 B7 8F BB 0D C3 4E 0D E6"

The process tasklist.exe:312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 BF 51 3B 3B FF 6D F4 94 68 DD 64 FF 26 C4 7A"

The process tasklist.exe:1088 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 4F D4 05 1C A8 5E 1B F8 6D 11 AE 9E 2B D7 46"

The process tasklist.exe:1924 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 8C E7 02 3F 05 84 35 6F F7 9B 4E 1F 1F 88 22"

The process tasklist.exe:172 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 82 C7 A2 60 F4 56 66 54 69 FA 04 B7 39 DA 0D"

The process tasklist.exe:1712 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 46 21 46 6A B7 E3 BE 03 F8 67 65 1D D1 95 3E"

The process tasklist.exe:1636 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 7B 7D 76 DB 5E E4 73 E8 F3 8D 04 3A EB 39 BF"

The process tasklist.exe:1852 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 9E 1A 0D 2F 55 17 63 97 63 59 B7 3F 06 99 4F"

The process tasklist.exe:652 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 A6 EA 1B 02 DC C5 05 97 C0 C4 ED 59 65 54 28"

The process tasklist.exe:324 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 90 0D C0 73 05 A0 AE C0 16 FA 97 EA 2A 2D BC"

The process tasklist.exe:1564 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC C7 67 C6 D2 29 39 A7 BC 9B 98 C2 66 0D 88 BA"

The process tasklist.exe:1752 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 E8 EB D6 B9 6E 2C AB B3 2A F8 BE 03 55 3A BC"

The process tasklist.exe:308 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 21 50 76 FA E1 B8 14 6B 7B 83 EA 48 40 0D B8"

The process tasklist.exe:204 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 C8 17 E5 04 44 A5 1F 71 F9 1A D7 C6 65 DF 96"

The process tasklist.exe:636 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 80 BB 94 6B 90 44 C8 4B 40 1E A2 75 BF 2F CA"

The process tasklist.exe:900 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 1D 4E 43 33 AD E6 8E C2 DC 8B 70 D7 EE 03 70"

The process tasklist.exe:1868 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 84 94 FF A5 44 29 F3 04 12 3B 08 EC 60 4E 51"

The process tasklist.exe:2044 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 7A 84 EA F3 73 F5 53 A2 83 DF 59 CF D1 73 A1"

The process tasklist.exe:1624 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 11 C7 7E 3B 9B 48 47 C2 2A 74 C9 E5 45 0D 46"

The process tasklist.exe:1976 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 A8 37 FF 0D C8 9D 68 A6 E5 6E BD E5 4D 01 3A"

The process tasklist.exe:1476 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 E4 0C F4 27 45 7C 85 22 41 D2 75 BA A9 A9 30"

The process tasklist.exe:1760 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 F7 BA 65 7E 73 E3 1B 1E 01 56 7C AF A1 72 90"

The process tasklist.exe:1764 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 98 58 92 13 F1 16 5F 4F 75 63 34 59 69 A5 D9"

The process jam.exe:140 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 AB 89 96 C1 77 FF 9E 7D 56 CA 75 07 06 DF CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Jam" = "%Program Files%\uncelebrated\jam.exe"

"upshot" = "%Program Files%\fledged\depreciation.exe"

The process 58636.exe:1736 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 9D 39 B5 42 F6 6E 1A E7 8D 46 78 15 8C C3 D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process find.exe:216 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 24 9C B7 99 0E A1 50 92 61 10 10 32 0C CA FD"

The process find.exe:1144 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 24 4A 78 01 50 83 73 18 66 70 F7 8A 51 6E 5D"

The process find.exe:196 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 FF 4B 47 96 39 0C 4E 00 15 45 DE 52 19 1A 63"

The process find.exe:332 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 4C FB 48 5A 84 3F 35 5B 46 F2 E8 58 1F 87 32"

The process find.exe:272 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 F9 FF D4 0C 29 6E D4 45 18 84 EF EC 4B 8B DF"

The process find.exe:1904 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C F0 FC ED 7B BD F7 48 E5 03 BC 95 FB 5E C0 35"

The process find.exe:1488 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 E3 18 14 55 59 30 20 19 93 0F 56 1A 88 40 AD"

The process find.exe:1632 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 BA B3 4D B8 54 AA A8 FA FB 81 71 00 29 01 2E"

The process find.exe:1324 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 3E F2 50 7F 08 AC EA 1A 04 07 21 98 4B B6 D7"

The process find.exe:876 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 35 2D F1 3E 0F C6 DF 3E C2 AE 7C DA A7 A7 29"

The process find.exe:656 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 DD CD 27 DC 25 A3 39 62 83 C8 68 03 1E 14 DD"

The process find.exe:1692 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 0A 61 44 F3 C8 AA 67 E2 09 8B 39 DD E9 68 95"

The process find.exe:188 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 E8 DB DB 54 A0 C5 CC F0 B8 70 75 3C 82 01 0C"

The process find.exe:1796 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB A5 0F EE 23 C0 38 37 81 2E 62 EE C5 4A 06 04"

The process find.exe:900 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB EB C0 6C 96 79 B5 5F 10 83 FD DF AA 51 DA 4A"

The process find.exe:1800 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 80 BC 59 3A 85 EA 27 34 5E 5C B9 F4 2C FC EC"

The process find.exe:908 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 71 8B 9A 9F 78 57 F7 F5 58 88 47 64 DB 86 E9"

The process find.exe:1556 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 D8 45 F5 39 5D 2C 8F 90 CD 23 1B 34 D9 0F 3E"

The process find.exe:1648 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 FF 96 2A 15 1A D2 06 98 B4 0B F9 BC 3E 3F 60"

The process find.exe:1748 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 83 76 18 F2 F1 2F C1 6C 39 5D 71 CA 17 4F 9F"

The process find.exe:412 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 60 96 9A 6A 4D C7 0B D5 0D 89 48 A0 C7 03 98"

The process find.exe:296 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 56 84 C1 AD 79 AD C7 E6 6D 34 A6 FE E3 21 08"

The process find.exe:432 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 7B 44 DB DC 5F E4 71 ED E9 E9 D5 B0 B0 CB BE"

Dropped PE files

MD5 File path
6351426f5922b23dd580621eee7b681c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\58636.exe
335357c58ba22626290008b14abc3b0d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\67511525.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg7.tmp\ExecCmd.dll
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\fledged\Microsoft.Win32.TaskScheduler.dll
cfb292ab3d192979ed05f6dfbe664e94 c:\Program Files\fledged\depreciation.exe
25140a1f3a1d87d4fb0e7143ab7b8ffa c:\Program Files\fledged\settings.dll
aebc39519c07002d7b74cedc146eea1a c:\Program Files\uncelebrated\jam.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll
25140a1f3a1d87d4fb0e7143ab7b8ffa c:\WINDOWS\settings.dll
cfb292ab3d192979ed05f6dfbe664e94 c:\WINDOWS\zorro.exe

HOSTS file anomalies

The Dropped modifies the "%System%\drivers\etc\hosts" file, which Windows consults before DNS to map host names to IP addresses; redirecting virustotal.com here prevents the user from reaching the scanning service.
The modified file is 857 bytes in size. The following entries are added to the hosts file:

162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 86016 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 278528 2536 2560 3.13622 b9f20defc9dd650d8dcc7fc5d4708ad4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 108

URLs


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.2055819871.1474009140; _gat=1


HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 15:04:42 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Fri, 18 Aug 2017 15:04:42 GMT
Connection: close
Content-Type: application/x-shockwave-flash

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Fri, 16 Sep 2016 06:58:55 GMT
ETag: W/"144-1446501138000"
Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
    <!-- Very Liberal -->
    <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
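The policy above grants every origin (`domain="*"`) credentialed cross-origin reads through Flash Player, and `secure="false"` additionally lets a SWF loaded over plain HTTP read the host's HTTPS responses (the attribute only has effect when the policy file itself is served over HTTPS; in this capture it was fetched over HTTP). The checker below is an added example and not code from the Lavasoft report or from the analysed sample: `POLICY_CAPTURED` is the document returned by partners.tremorhub.com above, `POLICY_STRICT` is a constructed, tightened version for comparison, and the severity labels and the hostname `player.example.net` are the author's assumptions. Flash Player has been end-of-life since the end of 2020, but the same review is still useful for legacy hosts that keep serving these files.

```python
"""Audit a Flash crossdomain.xml for over-broad grants.

Added example, not part of the Lavasoft report. POLICY_CAPTURED is the policy
seen in the capture; POLICY_STRICT is a constructed tightened version.
Severity labels are the author's judgement (an assumption), not from the report.
"""
import xml.etree.ElementTree as ET

POLICY_CAPTURED = """<?xml version="1.0" ?>
<cross-domain-policy>
    <!-- Very Liberal -->
    <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
"""

# Constructed comparison policy: one named origin, HTTPS-only, master file only.
POLICY_STRICT = """<?xml version="1.0" ?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only" />
    <allow-access-from domain="player.example.net" secure="true" />
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of (severity, message) findings for one policy document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is %r, not cross-domain-policy" % root.tag)]

    findings = []
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium",
                         "site-control allows policy files anywhere on the host"))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # Adobe's default for the secure attribute is true.
        secure = el.get("secure", "true").strip().lower()
        if domain == "*":
            findings.append(("high",
                             'allow-access-from domain="*": any SWF on any origin '
                             "may read responses with the user's cookies"))
        elif domain.startswith("*."):
            findings.append(("medium",
                             "wildcard subdomain %s: every host under that zone "
                             "is trusted" % domain))
        if secure == "false":
            findings.append(("high",
                             'secure="false" on %s: SWFs loaded over plain HTTP may '
                             "read this host's HTTPS responses" % (domain or "<none>")))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "").strip() == "*":
            findings.append(("high",
                             "any origin may send arbitrary request headers"))
    return findings


def is_liberal(xml_text):
    """True when the policy has at least one high-severity grant."""
    return any(sev == "high" for sev, _ in audit_crossdomain(xml_text))


if __name__ == "__main__":
    for name, policy in (("captured", POLICY_CAPTURED), ("strict", POLICY_STRICT)):
        print(name, "-> liberal" if is_liberal(policy) else "-> acceptable")
        for sev, msg in audit_crossdomain(policy):
            print("  [%s] %s" % (sev, msg))
```

Run it against any `/crossdomain.xml` you fetch during an assessment; two high findings for the captured file, none for the strict one.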



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=appnexus,audiencescience,dataxu,BidTheatre,TubeMogul-GP,thetradedesk,eyeview,SundaySky,google,Videology,mediamath,rocketfuel,dynadmic,beeswax,ignitionone,centro,_dmp_turbine,1,TapAd,tremornet,videoamp,conversant,adapTV&uid=e7fa5255a41d4a029987dec34cd0a6e0&init=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:55 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 504
Connection: keep-alive
[gzip-compressed body (504 bytes): unprintable, not shown]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:55 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 522
Connection: keep-alive
[gzip-compressed body (522 bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:56 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1dd bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:57 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1fc bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:57 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 470
Connection: keep-alive
[gzip-compressed body (470 bytes): unprintable, not shown]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:58 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1c2 bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:58 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 482
Connection: keep-alive
[gzip-compressed body (482 bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:59 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 489
Connection: keep-alive
[gzip-compressed body (489 bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:59 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1e5 bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:58:59 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1bc bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:00 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1ba bytes): unprintable, not shown]

<<< skipped >>>

GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:00 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x199 bytes): unprintable, not shown]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:01 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1a0 bytes): unprintable, not shown]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:02 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[gzip-compressed chunked body (one chunk of 0x1b3 bytes): unprintable, not shown]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:02 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 422
Connection: keep-alive
[gzip-compressed body (422 bytes): unprintable, not shown]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:03 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 400
Connection: keep-alive
[binary gzip-compressed response body (400 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:03 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 414
Connection: keep-alive
[binary gzip-compressed response body (414 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:04 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 423
Connection: keep-alive
[binary gzip-compressed response body (423 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:04 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 376
Connection: keep-alive
[binary gzip-compressed response body (376 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:05 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 378
Connection: keep-alive
[binary gzip-compressed response body (378 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=videoamp,TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:06 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 421
Connection: keep-alive
[binary gzip-compressed response body (421 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=TapAd,_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:06 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 424
Connection: keep-alive
[binary gzip-compressed response body (424 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]



GET /syncnoad?rid=4116f9daa8b6426abc038925c9fd4976&p=_dmp_turbine&uid=e7fa5255a41d4a029987dec34cd0a6e0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=e7fa5255a41d4a029987dec34cd0a6e0; tvrg_60409="1,1474009135"


HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Fri, 16 Sep 2016 06:59:07 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
[chunked, gzip-compressed response body (first chunk size 0x153) omitted; the sandbox dump repeats the response headers and body verbatim at this point]


GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.everclips.net/page-3.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.2055819871.1474009140; _gat=1


HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 15:04:40 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Fri, 18 Aug 2017 15:04:40 GMT
Connection: close
Content-Type: application/x-shockwave-flash
[binary CWS (compressed SWF) response body (113505 bytes) omitted]

<<< skipped >>>

GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 15:04:39 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Fri, 16 Sep 2016 15:04:39 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /index5.php?id=11A1nhzcRmLWFvGfsGsY&date=2016-09-06&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.wistfulkhakis.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 905
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Fri, 16 Sep 2016 06:58:47 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 55ee6ea70e0823309f10db2e4b8f119f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: m_2W6MEKb323jsxAikvrd6EYR32wcchoUWcZbbh2mAEHkHdOpCXiKg==
[binary gzip-compressed response body (905 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]

<<< skipped >>>

GET /func.js?r=5 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.wistfulkhakis.pw/index5.php?id=11A1nhzcRmLWFvGfsGsY&date=2016-09-06&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.wistfulkhakis.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Fri, 19 Aug 2016 01:35:05 GMT
Vary: Accept-Encoding
Age: 437
X-Cache: Hit from cloudfront
Via: 1.1 55ee6ea70e0823309f10db2e4b8f119f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: v3BwXKrkamVqoLYAAoTxFXBsj_bpk5gQ3hGzupP1ziW6ylJpf195zw==
[binary gzip-compressed response body (597 bytes) omitted; the sandbox dump repeats the response headers and body verbatim at this point]

<<< skipped >>>

GET /itd.php?id=11A1nhzcRmLWFvGfsGsY&date=2016-09-06&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.wistfulkhakis.pw/index5.php?id=11A1nhzcRmLWFvGfsGsY&date=2016-09-06&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 06:58:49 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
// reads the named cookie from document.cookie (defined but unused: the call below is commented out)
function reeadCookie(name) {
 var nameEQ = name + "=";
 var ca = document.cookie.split(';');
 for(var i=0;i < ca.length;i++) {
 var c = ca[i];
 while (c.charAt(0)==' ') c = c.substring(1,c.length);
 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
 return null;
}
// expires (deletes) the tvrg_60409 cookie for .tremorhub.com; the original cookie-rewrite logic is commented out
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
// four identical timers call uapcc() every 90 ms
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
//-->
</script>
<meta http-equiv="refresh" content="300">
</html>
[the sandbox dump repeats the response headers and the start of the body verbatim at this point]

<<< skipped >>>

GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-3.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 15:04:38 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Fri, 18 Aug 2017 15:04:38 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
jam.exe_140:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg7.tmp\ExecCmd.dll
"%Program Files%\fledged\depreciation.exe"
md.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg7.tmp
nsg7.tmp
rogram Files\fledged\depreciation.exe"
q depreciation.exe" | %SystemRoot%\System32\find /I "depreciation.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg7.tmp
"%Program Files%\uncelebrated\jam.exe"
%Program Files%\uncelebrated
jam.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\uncelebrated\jam.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
elebrated\jam.exe"
ed\depreciation.exe"


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskkill.exe:1148
    taskkill.exe:1556
    %original file name%.exe:772
    67511525.exe:892
    tasklist.exe:216
    tasklist.exe:312
    tasklist.exe:1088
    tasklist.exe:1924
    tasklist.exe:172
    tasklist.exe:1712
    tasklist.exe:1636
    tasklist.exe:1852
    tasklist.exe:652
    tasklist.exe:324
    tasklist.exe:1564
    tasklist.exe:1752
    tasklist.exe:308
    tasklist.exe:204
    tasklist.exe:636
    tasklist.exe:900
    tasklist.exe:1868
    tasklist.exe:2044
    tasklist.exe:1624
    tasklist.exe:1976
    tasklist.exe:1476
    tasklist.exe:1760
    tasklist.exe:1764
    jam.exe:140
    58636.exe:1736
    find.exe:216
    find.exe:1144
    find.exe:196
    find.exe:332
    find.exe:272
    find.exe:1904
    find.exe:1488
    find.exe:1632
    find.exe:1324
    find.exe:876
    find.exe:656
    find.exe:1692
    find.exe:188
    find.exe:1796
    find.exe:900
    find.exe:1800
    find.exe:908
    find.exe:1556
    find.exe:1648
    find.exe:1748
    find.exe:412
    find.exe:296
    find.exe:432

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CAF3ZE6G.xml (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\func[1].js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[3].xml (599 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA0HM1LQ.gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CAPM7SNO.xml (765 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[4].xml (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\crossdomain[2].xml (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[3].xml (648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CANP6LWN.xml (912 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\crossdomain[1].xml (82 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[8].xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\counter[2].js (1353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fla8.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[7].xml (599 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1082 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAQN89YZ.xml (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[8].xml (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[1].xml (694 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\page-3[1].htm (4544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[5].xml (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\style[1].css (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CANX7CVF.xml (811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\1[1].gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\ova-jw[1].swf (37117 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\abcd[1].mp4 (771 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CAQEW68J.xml (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[4].xml (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[3].xml (652 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (181 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\logo[1].png (723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[2].xml (633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[5].xml (704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[1].xml (803 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\player1[2].swf (17609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CACTAH43.xml (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\CA0EDOPZ.xml (765 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[2].xml (707 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAC9WPCV.xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[6].xml (575 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CA8XY34L.xml (713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\crossdomain[3].xml (144 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@wistfulkhakis[1].txt (183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\page-3[1].htm (4283 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (608 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[3].xml (575 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAZMJO7D.xml (800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\player1[1].swf (19685 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sxx (202 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[7].xml (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[7].xml (652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CAPBP6K4.xml (810 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAMOM7SH.xml (810 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\wau-widget[1].png (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\crossdomain[2].xml (82 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[1].xml (616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[6].xml (645 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[6].xml (719 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@wistfulkhakis[2].txt (320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA4XABOP.xml (774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[4].xml (628 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[2].xml (607 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\itd[1].htm (1118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[4].xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\bgg[1].png (198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA6LH4NT.xml (811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\syncnoad[7].xml (648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[2].xml (704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\count[1].htm (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\analytics[1].js (3803 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CA7P4RT2.xml (774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\syncnoad[1].xml (692 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[6].xml (607 bytes)
    %System%\d3d9caps.tmp (1324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\counter[1].js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\syncnoad[5].xml (616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\syncnoad[5].xml (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\CA0VGDUT.xml (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\index5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\69KDOBKD\CA0D19AN.xml (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLOB2701\jwplayer1[1].js (76701 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@everclips[2].txt (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CAP3LRI1.xml (713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\CA9OKZ91.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\29YX4RUL\logo[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U7IRMNEL\noad[1].xml (73 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (297 bytes)
    %Program Files%\fledged\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %Program Files%\fledged\settings.dll (10068 bytes)
    %Program Files%\uncelebrated\jam.exe (1024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\58636.exe (1082 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\brewers.lnk (501 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\AccessControl.dll (13 bytes)
    %WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %System%\drivers\etc\hosts (123 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\System.dll (11 bytes)
    %WinDir%\settings.dll (10068 bytes)
    %Program Files%\fledged\depreciation.exe (4884 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\ShellLink.dll (4 bytes)
    %WinDir%\depreciation.exe (4884 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\67511525.exe (3099 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp\SimpleFC.dll (5289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg7.tmp\ExecCmd.dll (4 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "madre" = "%Program Files%\fledged\depreciation.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "taneja" = "%Program Files%\fledged\depreciation.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dresden" = "%Program Files%\fledged\depreciation.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "social" = "%Program Files%\fledged\depreciation.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Jam" = "%Program Files%\uncelebrated\jam.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "upshot" = "%Program Files%\fledged\depreciation.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
