Dropped.Trojan.Generic.17338822_4dcee49e18

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

taskkill.exe:1744
taskkill.exe:340
69582.exe:164
tasklist.exe:1084
tasklist.exe:1344
tasklist.exe:276
tasklist.exe:1488
tasklist.exe:832
tasklist.exe:1540
tasklist.exe:1852
tasklist.exe:1692
tasklist.exe:652
tasklist.exe:1676
tasklist.exe:500
tasklist.exe:1700
tasklist.exe:240
tasklist.exe:1880
tasklist.exe:784
tasklist.exe:1636
tasklist.exe:1556
tasklist.exe:1724
tasklist.exe:1288
tasklist.exe:1364
tasklist.exe:1688
tasklist.exe:2008
wearily.exe:460
%original file name%.exe:312
20943149.exe:456
find.exe:576
find.exe:660
find.exe:136
find.exe:832
find.exe:1984
find.exe:1612
find.exe:340
find.exe:1392
find.exe:1860
find.exe:1864
find.exe:1496
find.exe:224
find.exe:480
find.exe:1700
find.exe:1620
find.exe:780
find.exe:1800
find.exe:968
find.exe:424
find.exe:1680
find.exe:828
find.exe:2008
find.exe:516

The Dropped injects its code into the following process(es):

uncorroborated.exe:1064

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process uncorroborated.exe:1064 makes changes in the file system.

The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAY9EDUL.xml (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4LMNO5.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[3].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\abcd[1].mp4 (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[7].xml (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[8].xml (591 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jwplayer1[1].js (76309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\css1[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\page-3[1].htm (3953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6BKDAN.xml (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAH3E7VM.xml (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v[1].xml (654 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAA3GZYL.xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAIA5GXD.xml (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (626 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (597 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[6].xml (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[8].xml (679 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (609 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[5].xml (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CACP0V2V.xml (804 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\player1[1].swf (22077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (556 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.ivids[1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[6].xml (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (12941 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8ROLMN.xml (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[2].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[7].xml (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[5].xml (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAMFURQD.xml (752 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\analytics[1].js (1557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[8].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-3[1].htm (4309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA6NW1QR.xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU3G96R.xml (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAWTOXEZ.xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAKBSTKH.xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[6].xml (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[7].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYEJNZ0.xml (767 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAJMBGIP.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fla8.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ova-jw[1].swf (29005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACJQGXK.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[6].xml (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CANKAOOZ.xml (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\count[1].htm (47 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\collect[1].gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (0 bytes)

The process 69582.exe:164 makes changes in the file system.

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)

The process wearily.exe:460 makes changes in the file system.

The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp\ExecCmd.dll (4 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp (0 bytes)

The process %original file name%.exe:312 makes changes in the file system.

The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\ShellLink.dll (4 bytes)
%WinDir%\uncorroborated.exe (4952 bytes)
%Program Files%\orignal\settings.dll (11076 bytes)
%Program Files%\orignal\uncorroborated.exe (4952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\AccessControl.dll (13 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\possessor.lnk (511 bytes)
%WinDir%\settings.dll (11076 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\69582.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\20943149.exe (3125 bytes)
%Program Files%\athough\wearily.exe (1036 bytes)
%Program Files%\orignal\Microsoft.Win32.TaskScheduler.dll (8850 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\System.dll (0 bytes)

The process 20943149.exe:456 makes changes in the file system.

The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (5289 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)

Registry activity

The process taskkill.exe:1744 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 53 6A 34 84 38 49 4A 4F 96 F0 C4 85 F1 DA 49"

The process taskkill.exe:340 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 12 EE E9 E7 96 0D 20 30 E4 2E A4 CC 60 9D 9B"

The process uncorroborated.exe:1064 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CachePrefix" = ":2016090620160907:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C FF 5A 85 E1 01 09 E5 45 20 80 19 31 F0 33 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016090620160907]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016090620160907\"

The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 69582.exe:164 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 D2 77 D4 45 B9 71 93 98 80 4A A3 D6 B1 FA E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process tasklist.exe:1084 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 32 EA D4 53 5B 08 9C D3 01 5F FC 34 03 8F 68"

The process tasklist.exe:1344 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD FD 8E 12 8B EC 78 7B B7 DB 7D 6B 5D 13 51 F0"

The process tasklist.exe:276 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 5B DC 7E 4E 82 86 91 9F D7 8C 97 03 E0 A5 E8"

The process tasklist.exe:1488 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 93 27 5D 6D CC C8 A2 7C C3 77 1A FD DE 83 97"

The process tasklist.exe:832 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 A2 81 62 C9 44 4C 5E C6 0B CA 9A 8B 84 78 25"

The process tasklist.exe:1540 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 CE DB 09 65 6E 77 72 73 F7 6A 76 43 A0 39 B3"

The process tasklist.exe:1852 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 D6 23 04 E2 55 CD E9 36 05 C4 61 ED 37 8D FE"

The process tasklist.exe:1692 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 6B 64 83 EE 1A FF A8 0A 02 2E FB 7C C6 5C 69"

The process tasklist.exe:652 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8E CE C7 75 57 1D E4 02 A3 23 82 37 AB 14 35"

The process tasklist.exe:1676 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 70 97 55 21 A3 BE 07 0C A0 BC C7 42 BA 23 33"

The process tasklist.exe:500 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 37 53 85 4A 1B 57 45 13 EE A9 D9 33 06 A4 56"

The process tasklist.exe:1700 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C A7 7E AA 2B 23 B1 01 D3 A0 1C 5D 7F E6 57 AC"

The process tasklist.exe:240 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 E1 B0 8F ED 8E 00 1E 85 EB F4 BD AB 14 A3 D5"

The process tasklist.exe:1880 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 DA E2 F7 60 E2 90 0E DC 8E AA E4 F6 07 92 71"

The process tasklist.exe:784 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 42 09 B3 69 7D 10 27 6E 3F 37 99 68 81 50 44"

The process tasklist.exe:1636 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 57 3C AB E2 47 6A A9 A7 26 36 95 58 60 C4 5F"

The process tasklist.exe:1556 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 34 D0 AD 4A 68 DE A9 72 A2 0D 76 5D AA 89 9D"

The process tasklist.exe:1724 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 B5 19 BD 73 8F E7 80 E7 CD FE 17 9B D5 81 1A"

The process tasklist.exe:1288 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB AF BB 1F 36 D5 5E 34 9E 7E 98 ED B4 FD 48 AD"

The process tasklist.exe:1364 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 FC 2C 60 98 22 C9 88 AD BB A9 F5 FB 4C 89 56"

The process tasklist.exe:1688 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 FE 71 7B 82 3E 5C FA 08 4D 75 8A 06 CE EB 17"

The process tasklist.exe:2008 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA D4 3A 54 B7 DB 07 40 3C 0A 38 6C 5E CD C9 D7"

The process wearily.exe:460 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 02 0A 86 78 41 6B 8E B0 33 F7 EF 92 54 FF 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wearily" = "%Program Files%\athough\wearily.exe"

"linkages" = "%Program Files%\orignal\uncorroborated.exe"

The process %original file name%.exe:312 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 04 B3 24 5B 20 7A 70 CF FD 33 79 9F 63 EA 4A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adjournment" = "%Program Files%\orignal\uncorroborated.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"trappers" = "%Program Files%\orignal\uncorroborated.exe"

"midwestern" = "%Program Files%\orignal\uncorroborated.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"platzer" = "%Program Files%\orignal\uncorroborated.exe"

The process 20943149.exe:456 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 5B EE 05 23 6A A1 B4 0B BC 5A DD 98 09 7C 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process find.exe:576 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E A9 EE 0F 30 1E A5 93 D2 6F E1 85 BA EE 61 A3"

The process find.exe:660 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE C1 DE 1D FF F8 E9 83 43 63 9C 57 A7 4B 7A A2"

The process find.exe:136 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 23 40 A6 1F 46 28 D4 9C 26 4A B7 19 DE A9 EF"

The process find.exe:832 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 5C 7E 71 A8 6E 9D 98 E5 87 F9 BF 13 D6 62 6C"

The process find.exe:1984 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 CB 97 85 BC 59 EB 2A 87 56 40 D1 72 B8 D0 14"

The process find.exe:1612 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 0E E9 D1 DB 7E C5 A6 2C AF E7 A0 47 12 2C 73"

The process find.exe:340 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 EE 3C FC EB 9C 8C CE C7 9E D3 E5 C6 DC C6 D2"

The process find.exe:1392 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 81 A2 FF 70 35 48 FA F2 84 A2 5C 5C 06 C6 9C"

The process find.exe:1860 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 E8 83 01 39 3E 16 B3 BB 96 DC 08 36 30 9A FD"

The process find.exe:1864 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 49 15 AE 16 87 FE 76 93 A5 3F 8F CD DF 26 3C"

The process find.exe:1496 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 E9 F1 E8 0F 3C 8C 3C D0 59 8A FA EF 6F 55 04"

The process find.exe:224 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 5D 2D 07 80 16 65 62 50 ED D1 D8 6B D2 A2 83"

The process find.exe:480 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E CB 62 DB 4B F7 12 B4 EF 08 73 20 7D 7F 65 D2"

The process find.exe:1700 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 3C DF 11 C1 27 27 A1 90 CF 71 6A F3 0F 78 9A"

The process find.exe:1620 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 80 D6 AC 03 EB B8 78 EF 07 71 6C 71 B3 6B 12"

The process find.exe:780 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 7F 7B C0 D3 DC 98 0D 82 C3 94 DC 69 BA 87 32"

The process find.exe:1800 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 C1 A6 AA 3A A5 B9 AA CA 10 4E AC 6D 66 8A 79"

The process find.exe:968 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 69 94 50 41 C2 67 3A 8D A8 48 E2 6A 50 93 54"

The process find.exe:424 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC F9 A5 02 38 2F 7F 79 AB 2C B3 06 73 D4 64 E8"

The process find.exe:1680 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 47 DE 98 E8 00 D7 A1 A1 E8 FB 33 5C 6C D9 5C"

The process find.exe:828 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 65 4A B2 8A 34 CE BD 02 1D B6 A2 7B 29 36 75"

The process find.exe:2008 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 72 10 89 E7 7B 73 71 11 01 30 9E B3 30 1C 68"

The process find.exe:516 makes changes in the system registry.

The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE B0 93 3A CA E6 AF BF 7F 69 9D 34 BF AF E5 F7"

Dropped PE files

HOSTS file anomalies

The Dropped modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 857 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   taskkill.exe:1744
   taskkill.exe:340
   69582.exe:164
   tasklist.exe:1084
   tasklist.exe:1344
   tasklist.exe:276
   tasklist.exe:1488
   tasklist.exe:832
   tasklist.exe:1540
   tasklist.exe:1852
   tasklist.exe:1692
   tasklist.exe:652
   tasklist.exe:1676
   tasklist.exe:500
   tasklist.exe:1700
   tasklist.exe:240
   tasklist.exe:1880
   tasklist.exe:784
   tasklist.exe:1636
   tasklist.exe:1556
   tasklist.exe:1724
   tasklist.exe:1288
   tasklist.exe:1364
   tasklist.exe:1688
   tasklist.exe:2008
   wearily.exe:460
   %original file name%.exe:312
   20943149.exe:456
   find.exe:576
   find.exe:660
   find.exe:136
   find.exe:832
   find.exe:1984
   find.exe:1612
   find.exe:340
   find.exe:1392
   find.exe:1860
   find.exe:1864
   find.exe:1496
   find.exe:224
   find.exe:480
   find.exe:1700
   find.exe:1620
   find.exe:780
   find.exe:1800
   find.exe:968
   find.exe:424
   find.exe:1680
   find.exe:828
   find.exe:2008
   find.exe:516

2. Delete the original Dropped file.
   
3. Delete or disinfect the following files created/modified by the Dropped:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (633 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAY9EDUL.xml (933 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA4LMNO5.gif (49 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (796 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[3].xml (82 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\abcd[1].mp4 (771 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[7].xml (644 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\itd[1].htm (1118 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (82 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (685 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[8].xml (591 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jwplayer1[1].js (76309 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\css1[1].css (25 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\page-3[1].htm (3953 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6BKDAN.xml (854 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAH3E7VM.xml (718 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lbg[1].png (200 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v[1].xml (654 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@ivids[1].txt (173 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAA3GZYL.xml (803 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAIA5GXD.xml (767 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (626 bytes)
   %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1074 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (597 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (14072 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[6].xml (609 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (629 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\ivids.net\com.jeroenwijering.sxx (80 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[8].xml (679 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (550 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[1].js (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (609 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (144 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[5].xml (796 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CACP0V2V.xml (804 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (720 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wau-widget[1].png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\player1[1].swf (22077 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (580 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (556 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@ivids[2].txt (295 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\noad[1].xml (73 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@www.ivids[1].txt (288 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (608 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[6].xml (637 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (12941 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (144 bytes)
   %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ivids.net\settings.sxx (190 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA8ROLMN.xml (718 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[2].png (723 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (758 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\counter[2].js (1353 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (700 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index5[1].htm (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[7].xml (640 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[5].xml (758 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (687 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAMFURQD.xml (752 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (687 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\func[1].js (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\analytics[1].js (1557 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\collect[1].gif (35 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[8].xml (503 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-3[1].htm (4309 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA6NW1QR.xml (803 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU3G96R.xml (804 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAWTOXEZ.xml (706 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAKBSTKH.xml (706 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[6].xml (711 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[7].xml (599 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (144 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAYEJNZ0.xml (767 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (320 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (685 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (503 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (130 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (697 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAJMBGIP.xml (752 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\fla8.tmp (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ova-jw[1].swf (29005 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (588 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CACJQGXK.xml (752 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[6].xml (567 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CANKAOOZ.xml (752 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\count[1].htm (47 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp\ExecCmd.dll (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\ShellLink.dll (4 bytes)
   %WinDir%\uncorroborated.exe (4952 bytes)
   %Program Files%\orignal\settings.dll (11076 bytes)
   %Program Files%\orignal\uncorroborated.exe (4952 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\AccessControl.dll (13 bytes)
   %WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
   %System%\drivers\etc\hosts (123 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Startup\possessor.lnk (511 bytes)
   %WinDir%\settings.dll (11076 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\System.dll (11 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\69582.exe (1082 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\20943149.exe (3125 bytes)
   %Program Files%\athough\wearily.exe (1036 bytes)
   %Program Files%\orignal\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SimpleFC.dll (5289 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "wearily" = "%Program Files%\athough\wearily.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "linkages" = "%Program Files%\orignal\uncorroborated.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "adjournment" = "%Program Files%\orignal\uncorroborated.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "trappers" = "%Program Files%\orignal\uncorroborated.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "midwestern" = "%Program Files%\orignal\uncorroborated.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "platzer" = "%Program Files%\orignal\uncorroborated.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 69
7bcde813c50a0b0e20e5f9f233bc3040
3bb658d8842811f2bb1727abfc9e8886
6fbb8fb46337e3f62482246f42d9b043
54f561eda86f1e84fc86247e6f2c8430
49839380f2b5206da8310e3e7a06a5ae
b341a56684c065e107316fd0df7f6581
c09676623f77c5767f18b933aaba2b62
acaa641b943db17b0caaf35156d8830d
bbfa9010ebef7ef8e0573cefda04c850
728ff14118449483f419515f9c0986a8
5ec17924d5a5120ceda2664f1b218ecb
4ad0fc6d5ebd598a467812b0f9740221
8ff5ebdddc64d38db37572540e7a1d7a
6cd19462f1f0d052f2737cc36afbcdf3
a14d0db7bb09e828c386a7ec35354e20
b1f342022972160628e55f97bc8be5cc
c3043b5ee111da57d2d1ca9bba8aef9a
838f1004aec0bf9f8092cb2bf33ace3b
d2ee31e9f93c861fb0f46832cf9cacca
4451756512961de3738d9540bafa34b3
7ad91245eac497f0b7bf8e9d2a01925d
3685385d957d8b037aed66637286a898
3e6648981ae491c49a84171eb2f8ffea
723ff258db1000397db7689ef61e55e3
050ec6260d617046e92eb82a47e46a76

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /player1.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ivids.net

Connection: Keep-Alive

Cookie: _ga=GA1.2.1782559488.1473180242; _gat=1

HTTP/1.1 200 OK

Date: Wed, 07 Sep 2016 00:49:54 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT

ETag: "4403c4-1bb61-4fbe0230ad080"

Accept-Ranges: bytes

Content-Length: 113505

Cache-Control: max-age=2592000, public

Expires: Wed, 09 Aug 2017 00:49:54 GMT

Connection: close

Content-Type: application/x-shockwave-flash

CWS..`..x..}.\...x...@).....JCQJ...t.S.:.s..P.M.".."D.=.E."!.G.Q."....y...~_..|>o.....u?o......."..>...Z}....u......X....^...8\.3..7,V$.;[Y%%%Y&.Y..1V6NNNV..V...h..a.W.H.........@.L../b...@...........bJ.....8$.i.p... .Z.X.......<A.C4...s.L...*.B..c.'1...h.C.;.J.....E.d........ .........X...%[.x.m2@oK&/../...LtM..P..|.0._..a.c..x17..K.....6L....z....z...#f. .=..:i...!B.O.s..:..`kmc.-............ xh6).UpWB.6....UC.SQ.1^..3.]3x4z.o..>...7F.`s..,.G.K.s.)........ $E..[O..O............w.....0.Jw....qCv.........&L..I...0.g...z%...k.s_....B.V....f- .y>..6.e..v...O..R.4u...J?.q.........o?.........._.8i.........L'._s....ug......N..h..[....s/.[X>.G...9....k...O...L;.,X.p......... ....r&.c..F.>._w.. {.2...b..ri..=.C.N#M..|..(&..8........9..,.S.....KhS.}.......~..i....W...?....7.S\...eS..*&.S.z.\:....#!cng.}5...I.*I;....'.M...U..3^s.l....^.7..sp.......Z_..wJ.....O.;0e... ..f\.t..{....5v}..=..9...1..C..?..4.R.....[G7W..=h|...a..p../s..]......^...K.r..]T..... ....j..V7.r.9l.........,zf..U.c..$b..n.}...^..B=.-.RP....Y.......aB.f....9...Vuzz.M\../b............8n...2..^Y..%u..n,...x.....,.;..s.r..]|8...v......u.m........=.n..9.&{.B......D_JU.7.<.....>gz.<....O.4..zQhiWf....aOL.-.bE..2yU.S..)g6Z...m...m..s....ly.....Q.us..ci....[k?M.7p.e.....yG.'.8...R.....m_/z.>p.......=....B..w..zwQ\P..B...Bn.2..>K..F....>.xLy..`...%..`.._......'5.9..V../z.....E..;....h).._..>...........{^.....p&x.Q....;YH..E.6.<m..8n... a...#U~.5S(wr2V....h..Y^.'^.....y.8:........Q....^[..nK....hq...5..[...i94$.....

<<< skipped >>>

GET /1.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ivids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Sep 2016 00:49:53 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.5.30

Cache-Control: max-age=0

Expires: Wed, 07 Sep 2016 00:49:53 GMT

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

GET /counter/counter.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.statcounter.com

Connection: Keep-Alive

Cookie: is_unique=sc10114910.1473180257.0; is_visitor_unique=1473180257124270528

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:20 GMT

Server: PWS/8.1.38

X-Px: ht h0-s1072.p11-fra.cdngp.net

ETag: W/"576924c5-654e"

Cache-Control: max-age=43200

Expires: Tue, 06 Sep 2016 23:24:54 GMT

Age: 19166

Content-Length: 9529

Content-Type: application/x-javascript

Content-Encoding: gzip

Vary: Accept-Encoding

Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT

Connection: keep-alive

...........]{s....*....F.,.-..o..M6....$...eQ$%s,.Z..c-}..u7@..<3{u..?....@.h4..B.y..Z...Q..9..............]...K.%.<L....f...U...\..i.<..g.f.%.q........O.J.CH..v.....N.H.M..zQ-J..`.'f.*~0....sj....C........l....di|..4t..H........-...;.P.f^...EM....4..I.=.~....e..e..W>.]..Wt...v..I..Wym.;...y....'....W._;.}.f..#...'.4Lj.:...bv.....&Z.p.&.&.5.n#sN....X'[..........5-h.n.x..G.5....h...mp.....5..[..G.}.~....&....d.%i..G..4....b..h......<.q..c... J....{bTZ\M.w.r.1.Bf...y.l....v.gQ...v.e./O.....Fi..H..;.Z.Y.a{Os-.A..c.b.c.{.a.....bln|{..t.....:|.....~......R.eEV..-:h.xwS...Zf..*cHC,...K....p..4i.9.k>..P6[.Q......$|...._.;...Em..itPa......P..Gj.. .5. G..1m.....Ee...F70..ZUU&.&.?.>..r.Opc.........MQ<....=9(.v..^.Z<.;C....{....v..v:..N..{8.V;........a.......v'.......w:...y..... ..^v../.8....W..7...o..IBV..%e...c.Qt...6M.k.".j.o.E[.;..(#.$...#..T*. .......K/M..S..X.;(`..v.Fx||4.................#_.y..]./.y...?.....U...... ..].@...JX....v.?.H.ha8.b.*..EE.tx,j.....,.H..;.^...Ps....\.D.A...._..M...`.K...$k....^......j5t.........J.G,kt..6:}.I....v%..g.).([......Rlh.F.E..P(...h.U...:.@k>D...y.($V.P..B.u[n...[.@u2...;r^.E./..u....-k.......u....K....w...`U....g^.l....*.1N.....8|.b..R.N.N..yq.s......?..m.m~..^...m.<cT. ....g.c...E.-.?...O.|O. /Z*l...../46..;......h...8..p....m......&..MD.[.f\....'..e..C.*.n..#.....-...h.M..Lj$.....@O....h.,6<,.:..8,.OA...V.`.Pa[..~v3.Qn...7W..^@[...../ m.t..%.......r$...>-k...{..U .h.r.._...UN....3../....O..N.............p....5.<....2GM..C3|.q^w.....,....

<<< skipped >>>

GET /page-3.html?lid=937115 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.ivids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:17 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.3

Server: CDCE

X-INAP-Cache-Status: EXPIRED

X-INAP-Server: cdce-ams002-001.ams002.internap.com

e5c..<img src="hXXp://109.201.148.40/report1.php?url=/ivids/page-3.html?lid=937115" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://ivids.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://ivids.net/1.js"></script><form action="http://VVV.ivids.net/page-2.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>..<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>..<form action="hXXp://VVV.ivids.net/page-3.htm" method="get" name="redirect1"><input type="hidden" name="lid" value="937115"></form><script type="text/javascript"> if (top.location!= self.location) { document.forms['redirect1'].submit();}</script><script type='text/javascript'>..var cb = Math.round(new Date().getTime() / 1000);..var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');..var item = items[Math.floor(Math.random()*items.length)];..var ffile = "http://thm.vidvib.com/abcd.mp4";..jwplayer('ova-jwplayer-container').setup({.. "flashplayer": "hXXp://ivids.net/player1.swf",.."file": ffile,

<<< skipped >>>

GET /page-3.htm?lid=937115 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.ivids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:19 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.3

Server: CDCE

X-INAP-Cache-Status: EXPIRED

X-INAP-Server: cdce-ams002-001.ams002.internap.com

e5d..<img src="hXXp://109.201.148.40/report1.php?url=/ivids/page-3.htm?lid=937115" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://ivids.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://ivids.net/1.js"></script><form action="http://VVV.ivids.net/page-2.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>..<script type="text/javascript"> if (top.location!= self.location) { document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>..<script type="text/javascript"> if (top.location!= self.location) { var rc = document.referrer.split('/')[2];if (rc == window.location.hostname) {document.write('<div id="ova-jwplayer-container" style="position:absolute; top:0px; left:0px;width:300px;height:250px;"></div>');}}</script>..<script type='text/javascript'>..var cb = Math.round(new Date().getTime() / 1000);..var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');..var item = items[Math.floor(Math.random()*items.length)];..var ffile = "hXXp://thm.vidvib.com/abcd.mp4";..jwplayer('ova-jwplayer-container').setup({.. "flashplayer": "hXXp://ivid

<<< skipped >>>

GET /css1.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.ivids.net

Connection: Keep-Alive

Cookie: sc_is_visitor_unique=rx10675947.1473180242.11F02FAE42BB4FA83FEB842D21424A13.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1782559488.1473180242; _gat=1

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:20 GMT

Content-Type: text/css

Content-Length: 1963

Connection: keep-alive

Vary: Accept-Encoding

Last-Modified: Mon, 10 Nov 2014 09:13:53 GMT

ETag: "a1af7-7ab-5077d94d75640"

Server: CDCE

X-INAP-Cache-Status: EXPIRED

X-INAP-Server: cdce-ams002-001.ams002.internap.com

Accept-Ranges: bytes

A..{..COLOR: #000000; ..TEXT-DECORATION: none;..}..A:link ..{..COLOR: #000000;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-SIZE: 13px;..}..A:visited ..{..COLOR: #000000;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-SIZE: 13px;..}..A:hover ..{..COLOR: #000000;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-SIZE: 13px;..}..table ..{..FONT-SIZE: 10px;..FONT-FAMILY: verdana, Arial, Helvetica, sans-serif;..}..td {font-family:Verdana;font-size:8.5pt}...body {..BACKGROUND-COLOR: #ffffff;..margin-left: 10%;..margin-right: 10%; ..border: 0px solid #979696;..}...topmenu {..BACKGROUND-COLOR: #eeeeee;..border-bottom: 1px solid #B5B5B5;..height: 35px;..}...topmenufont..{..COLOR: #B5B5B5; ..TEXT-DECORATION: none;..}...topmenufont:link ..{..COLOR: #B5B5B5;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-SIZE: 12px;..-webkit-font-smoothing: antialiased !important;..text-shadow: 1px 1px 1px rgba(0,0,0,0.004);..}...topmenufont:visited ..{..COLOR: #B5B5B5;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-SIZE: 12px;..-webkit-font-smoothing: antialiased !important;..text-shadow: 1px 1px 1px rgba(0,0,0,0.004);..}...topmenufont:hover ..{..COLOR: #B5B5B5;..FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;..TEXT-DECORATION: none;..FONT-SIZE: 12px;..-webkit-font-smoothing: antialiased !important;..text-shadow: 1px 1px 1px rgba(0,0,0,0.004);..}...logo {..b

<<< skipped >>>

GET /img/lbg.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.ivids.net

Connection: Keep-Alive

Cookie: sc_is_visitor_unique=rx10675947.1473180242.11F02FAE42BB4FA83FEB842D21424A13.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1782559488.1473180242; _gat=1

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:20 GMT

Content-Type: image/png

Content-Length: 200

Connection: keep-alive

Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT

ETag: "a1c85-c8-4ebb56fac1880"

Server: CDCE

X-INAP-Cache-Status: EXPIRED

X-INAP-Server: cdce-ams002-001.ams002.internap.com

Accept-Ranges: bytes

.PNG........IHDR.......L......O......gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...ZIDATx.b.R.b .....tV.....Z&.'B..!.;......qn...h:.z!N.T@.l..4#......|..-..z...D..g.f.![.....O...........IEND.B`.HTTP/1.1 200 OK..Date: Tue, 06 Sep 2016 16:44:20 GMT..Content-Type: image/png..Content-Length: 200..Connection: keep-alive..Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT..ETag: "a1c85-c8-4ebb56fac1880"..Server: CDCE..X-INAP-Cache-Status: EXPIRED..X-INAP-Server: cdce-ams002-001.ams002.internap.com..Accept-Ranges: bytes...PNG........IHDR.......L......O......gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...ZIDATx.b.R.b .....tV.....Z&.'B..!.;......qn...h:.z!N.T@.l..4#......|..-..z...D..g.f.![.....O...........IEND.B`...

GET /count.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&rand= HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.clangburkitt.info

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:18 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 47

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

......<meta http-equiv="refresh" content="300">HTTP/1.1 200 OK..Date: Tue, 06 Sep 2016 16:44:18 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..X-Powered-By: PHP/5.3.13..Content-Length: 47..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html........<meta http-equiv="refresh" content="300">..

GET /10114910/0/757d7213/1/ HTTP/1.1

Accept: */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.statcounter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:17 GMT

Server: Apache/2.2.3 (CentOS)

P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Set-Cookie: is_unique=sc10114910.1473180257.0; expires=Sun, 05-Sep-2021 16:44:17 GMT; path=/; domain=.statcounter.com

Set-Cookie: is_visitor_unique=1473180257124270528; expires=Thu, 06-Sep-2018 16:44:17 GMT; path=/; domain=.statcounter.com

Content-Length: 49

Connection: close

Content-Type: image/gif

GIF89a...................!.......,...........T..;..

GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=11F02FAE42BB4FA83FEB842D21424A13&sc_random=0.3472518227683497&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.ivids.net/page-3.html?lid=937115&u=http://VVV.ivids.net/page-3.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.statcounter.com

Connection: Keep-Alive

Cookie: is_unique=sc10114910.1473180257.0; is_visitor_unique=1473180257124270528

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:20 GMT

Server: Apache/2.2.3 (CentOS)

P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Set-Cookie: is_unique=sc10114910.1473180257.0-10675947.1473180260.0; expires=Sun, 05-Sep-2021 16:44:20 GMT; path=/; domain=.statcounter.com

Set-Cookie: is_visitor_unique=1473180257124270528; expires=Thu, 06-Sep-2018 16:44:20 GMT; path=/; domain=.statcounter.com

Content-Length: 49

Connection: close

Content-Type: image/gif

GIF89a...................!.......,...........T..;..

GET /1.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ivids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Sep 2016 00:49:53 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.5.30

Cache-Control: max-age=0

Expires: Wed, 07 Sep 2016 00:49:53 GMT

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

GET /img/logo.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.ivids.net

Connection: Keep-Alive

Cookie: sc_is_visitor_unique=rx10675947.1473180242.11F02FAE42BB4FA83FEB842D21424A13.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1782559488.1473180242; _gat=1

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:20 GMT

Content-Type: image/png

Content-Length: 2536

Connection: keep-alive

Last-Modified: Thu, 10 Jul 2014 23:39:15 GMT

ETag: "a1c81-9e8-4fddf55270ec0"

Server: CDCE

X-INAP-Cache-Status: EXPIRED

X-INAP-Server: cdce-ams002-001.ams002.internap.com

Accept-Ranges: bytes

.PNG........IHDR.......L.....3.......gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...zIDATx..]]S.W..N.......7.NE.........(...H.8S..V.....H;j.v..%.3...^.`...3...3....7.6......>..r..n...$....a`M.ys.9.y..,..U.[..a.a9M..8M .....4.`..8..4...i...:M2MXd.&J..{..K....=.?........m.....!sX...M!.5.}...){.....].r..l.U..Vv9.afH.......Wr.i[FEX..v...;.... Y.=."d.bjy..L,.......Ph..$..I.B...]W...}.3*.B.....-..&....!..gT..{.q.`...hv.........i..8M ....#~z.|]......}a.......5y..!..&...NzV........>1....wb..A.E.|g..j....J7m./.w].Df.v.N.FN.}.%...#........g.7...G.wW..8"............SGe...x...M..%kV.%.B...7........gz.....K.....d.Da......../........=).....G?. ..<...Q...k0...v.B.....fn4.:._a...|...J7.g.(:...&..k.1.i......&.;........@....y.z..|[....w-....}.......c5....I=..J...j...5...."MV..[..8.Qw....w..........Ec}..~J.9m...A..v.?...m...FvU.; ....~...r...g..x=....... .....>V....9...~.....!.u.J.FZ.iB.L.T..S./L..*.q1..|..8.2.z1..5{....kdg....h.S..k...8.K.v.....Y..-.o.E@S..F.oo|. o.2.6.B...6..)m.T..Y........).O..........Q.'`.M.*J..p.tGW.....FO.C.=......b...*O..@....p*].h..Z.}.~....*G.....n$...D.....Q..4Y..8L..;...K...Z..H1...ai.t.*yL...`-)2E..ip..C.d.&$*....p..[{.......4Ez..Gf.V..T.D[....g....Rm......u(Y.o@HT.*>?;}..D2ks...6>-\.)}Rb..ky......Pc......-.\..?..s......319....^..D.i.C.....s.z.[..\...GJ...'8...Hi.s......-.S.#...1...)..._S.V.ocE.\..cB.*Y.Z..B..%..r..73.8..p....P.U..\......2.2u....S.....iQ.............P.y...{ 7i......v.s..N..-....K]\v.%..Vo$.P..<....}....Wb..9..7.p..$4=N Mj..0..4gj..Hie..5;-......6...8..m.(.

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Type: text/xml

Content-Length: 130

Connection: keep-alive

Date: Sun, 24 Jul 2016 04:41:02 GMT

Last-Modified: Thu, 04 Dec 2014 23:41:04 GMT

ETag: "2cf4c5e3d4c1206209355ac1065b0efc"

Accept-Ranges: bytes

Server: AmazonS3

Age: 78843

X-Cache: Hit from cloudfront

Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Uz05uryR34hC-ggWG3NA2zmosS3DJwBp1yS-TjzeM6CdWr8laBoQFA==

<?xml version="1.0" ?>.<cross-domain-policy>. <!-- Very Liberal -->. <allow-access-from domain="*" />.</cross-domain-policy>....

GET /static/noad.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Type: text/xml

Content-Length: 73

Connection: keep-alive

Date: Sun, 24 Jul 2016 05:41:23 GMT

Last-Modified: Thu, 04 Dec 2014 23:38:15 GMT

ETag: "074455bdeaf186ffa7b220bc14965cd5"

Accept-Ranges: bytes

Server: AmazonS3

Age: 24712

X-Cache: Hit from cloudfront

Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: sVVjYEcceYkOmuOi_3jDCS2BE0AJ8pa_sDP12355xCQcA-2T9CAdWg==

<VAST version="2.0" t:status="NO_AD" xmlns:t="hXXp://tremorhub.com/ssp"/>HTTP/1.1 200 OK..Content-Type: text/xml..Content-Length: 73..Connection: keep-alive..Date: Sun, 24 Jul 2016 05:41:23 GMT..Last-Modified: Thu, 04 Dec 2014 23:38:15 GMT..ETag: "074455bdeaf186ffa7b220bc14965cd5"..Accept-Ranges: bytes..Server: AmazonS3..Age: 24712..X-Cache: Hit from cloudfront..Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)..X-Amz-Cf-Id: sVVjYEcceYkOmuOi_3jDCS2BE0AJ8pa_sDP12355xCQcA-2T9CAdWg==..<VAST version="2.0" t:status="NO_AD" xmlns:t="hXXp://tremorhub.com/ssp"/>..

GET /index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t= HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.bruindorsett.pw

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 906

Connection: keep-alive

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Encoding: gzip

Date: Tue, 06 Sep 2016 16:44:17 GMT

Vary: Accept-Encoding

X-Cache: Miss from cloudfront

Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Ve6bY_ReGknHhXCro8OuRV5ECBYHKHegJ-SKMAix-IxvzWv_u0qI4w==

...........UMo.8..... x.....$N..t...&....b..9..Xb*..9..M..KR.r..X.lr....7o<..m...x......5.....W..tAFs..M...kF.M.:.|Tm.Q,...P.A.;.g............okXi0..[{.YfO.....,.....c^KUnH. l...d4..U.j.....[..{.{-..7.ft...\.4o..]0..9N.a.....Z...@L.\..P......Q...i..?......?..ln.......f..$;.d{;..J.....e.(.D.5.9%5..F.../..A..M.U..Y1*.......u..?.._].j ^...M......k.........P.JPC.t./..M.....k....Ith.k...P..Q.....!$\..@.d(b....u..6..W.g...N%o6(........... }..........s....?..W.Q....m...).D..w6,.'a .,.0.qf.B...5...*.]..:*.G..............O.....v.*[........l/....VJC.....Q8.Y.!.U.....JA...Yy.........1.d..h.JLH..`.>.I`Uy..p....M...{T..x..,........a..#U....t...Sz..|......Vdz..........n.>......wb.>.LDk.4../...%.........I..2.o{Y%.I....D*`..`.....l.?I'......u..._.NP}Em..F.....k).....H....h.n.kQ. m .."....>I.=<.k.N...Q............)..<.?..4K.....n...)......./>].[...]|>.t.`D2..c.K?..eH...m.Y.Bi02...t.s.....N4......v...?..[J0:...HTTP/1.1 200 OK..Content-Type: text/html..Content-Length: 906..Connection: keep-alive..Server: Apache/2.2.22 (Win64) PHP/5.3.13..X-Powered-By: PHP/5.3.13..Content-Encoding: gzip..Date: Tue, 06 Sep 2016 16:44:17 GMT..Vary: Accept-Encoding..X-Cache: Miss from cloudfront..Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)..X-Amz-Cf-Id: Ve6bY_ReGknHhXCro8OuRV5ECBYHKHegJ-SKMAix-IxvzWv_u0qI4w==.............UMo.8..... x.....$N..t...&....b..9..Xb*..9..M..KR.r..X.lr....7o<..m...x......5.....W..tAFs..M...kF.M.:.|Tm.Q,...P.A.;.g............okXi0..[{.YfO.....,.....c^KUnH. l...d4..U.j...

<<< skipped >>>

GET /func.js?r=5 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.bruindorsett.pw

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Content-Length: 597

Connection: keep-alive

Server: Apache/2.2.22 (Win64) PHP/5.3.13

Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT

ETag: "90000001e1520-f7a-537ea953f7333"

Accept-Ranges: bytes

Content-Encoding: gzip

Date: Fri, 19 Aug 2016 01:35:05 GMT

Vary: Accept-Encoding

Age: 402

X-Cache: Hit from cloudfront

Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6rrRgBKGcPg4Pc5hvabRpWttMPUsV_ft1UAa7qQmVc0RqPujrjimAg==

............MO.@...H..k/vJ.8....U U.R.q.z..N.......DU.{....-.G.>l<3..wVyd.Dk.b.y..d..T.D...."W.<K.n4,X.$........AU5^..{.]_M..:.].....Z P9.p9.F?....'...d.|..o..[e...8E...{.4.U.BrB.<......> .X.9......P.B...i.J..L....V ..jr*n... ]v..g@.. .M.u.v&]..~..Bz_."..:.]... o...T.B...q....pC..B..qM...J.<J.....c]..s>...V:.......[a=..|..x.z.....=.9%}.t......T........'..t...g.....L.. *.V2..p...rv.....F..x?W..*............3_.q.q....S.~....7_e.G..P..7w..h..R ..$.w....H.41.W.n...D....wZ..x.ZG....6..:a.5!....t:O..:.5MvM...(...f.@..S.\.......SuY....:.........>...P..{|:.<.<...I...=........}..=...|.8.......{1z...HTTP/1.1 200 OK..Content-Type: application/javascript..Content-Length: 597..Connection: keep-alive..Server: Apache/2.2.22 (Win64) PHP/5.3.13..Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT..ETag: "90000001e1520-f7a-537ea953f7333"..Accept-Ranges: bytes..Content-Encoding: gzip..Date: Fri, 19 Aug 2016 01:35:05 GMT..Vary: Accept-Encoding..Age: 402..X-Cache: Hit from cloudfront..Via: 1.1 e7b9cdca203ddf236ea718720742caf2.cloudfront.net (CloudFront)..X-Amz-Cf-Id: 6rrRgBKGcPg4Pc5hvabRpWttMPUsV_ft1UAa7qQmVc0RqPujrjimAg==..............MO.@...H..k/vJ.8....U U.R.q.z..N.......DU.{....-.G.>l<3..wVyd.Dk.b.y..d..T.D...."W.<K.n4,X.$........AU5^..{.]_M..:.].....Z P9.p9.F?....'...d.|..o..[e...8E...{.4.U.BrB.<......> .X.9......P.B...i.J..L....V ..jr*n... ]v..g@.. .M.u.v&]..~..Bz_."..:.]... o...T.B...q....pC..B..qM...J.<J.....c]..s>...V:.......[a=..|..x.z.....=.9%}.t......T........'..t...g.....L..

<<< skipped >>>

GET /5/10/logo.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/player1.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: l.longtailvideo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=604800

Content-Type: image/png

Date: Tue, 06 Sep 2016 16:44:21 GMT

Etag: "3015243340"

Expires: Tue, 13 Sep 2016 16:44:21 GMT

Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT

Server: ECAcc (arn/46B0)

X-Cache: HIT

Content-Length: 1845

.PNG........IHDR...].........9.".....IDATh..Zo..E...e...*!.......RP....0H.|).Y...).4C.#H..2....g{.....GO.....A...(.?H....B..wf.....{.......cv..9sv...3g....A-.).8j......J..*.Ge9.@....Y u(.....k.Nt.3..yR....~*]. ...Y...v..........\.YO....0.....bZ.=...e..ji.g..S..Z.t.9?..N).]`.K !.....Y..?..<.h.v.<.........%..6.O.......R..g.}.i.?.Vh.....?..[..C{.h.-%......s.\..:.M.p.K..u.5....c...X.>..........m.........._.%.d9kL....t..t..N...#...|..VV.2...w.....X.W:^.:.S...n6....E=...$.i......(.j.}S...@.EmE./.....U.u.-.U\..../B......;..Q......@.9....=.'.~Jm0t<c.]...-....D...~......<...X....&....Ky%..j...[...Nk.6.....7.._.e!h...........T7(q..q..v.J=c.^..............--.>......=.....n."...("....0.Z..<... .q!.`.....N...Z....b.....g.,..UjA.j..7{.H...Pa.. /...l(...S.j.Q0.u`...LcthJ.. .BN..............P....e...BPZ...W.I...........Sc.j.!..'..d>c.....xV..2.i#.Z...#j >wa.......[.Y.../.6.g.j'.m...y..O.\..W.....ar.J~..B...0...........~1M....].......;f...>>$...h.{......>zpI/...!>........0...f..ez.....b..!.....X....R..H.l|.r9.#'....x..1.A.qy.......M......Y&}..I...-} ..X.....(..17(...EJ.l..T..(8;.`...8o.{..r@..]..Z.......^n...vy.3S....%^'....)..nDeg..'.1. $....C...x..t...x.d#.......t...?...N.N.............%`..Kc....#4.x....#.....9.ps.a.q........G..R..........B... .S.K$......]..2..-..Hn..t'....4UA9P..69Q.'.......2..d.<b.....{m....).dd...d.(..G.1`*.....<..ql.zs.On......j..$..Fnf.T.Y........}.z....N.ZS.]........U)..K...xJFf........S....&.bi..Mv.F..r....Z...`.~_........._ y.......(.b..f..m....R..k......se

<<< skipped >>>

GET /report1.php?url=/ivids/page-3.html?lid=937115 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 109.201.148.40

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:47:48 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 0

Keep-Alive: timeout=5

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

HTTP/1.1 200 OK..Date: Tue, 06 Sep 2016 16:47:48 GMT..Server: Apache/2.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..Content-Length: 0..Keep-Alive: timeout=5..Connection: Keep-Alive..Content-Type: text/html; charset=utf-8......

GET /bck.php?1473180240000 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 109.201.148.40

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:47:49 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 0

Keep-Alive: timeout=5

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

HTTP/1.1 200 OK..Date: Tue, 06 Sep 2016 16:47:49 GMT..Server: Apache/2.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..Content-Length: 0..Keep-Alive: timeout=5..Connection: Keep-Alive..Content-Type: text/html; charset=utf-8......

GET /report1.php?url=/ivids/page-3.htm?lid=937115 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 109.201.148.40

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:47:50 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 0

Keep-Alive: timeout=5

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

....

GET /bck.php?1473180241000 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 109.201.148.40

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:47:50 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 0

Keep-Alive: timeout=5

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

HTTP/1.1 200 OK..Date: Tue, 06 Sep 2016 16:47:50 GMT..Server: Apache/2.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..Content-Length: 0..Keep-Alive: timeout=5..Connection: Keep-Alive..Content-Type: text/html; charset=utf-8..

GET /itd.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&rand= HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cocomo.tremorhub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:44:18 GMT

Server: Apache/2.2.22 (Win64) PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 1118

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html

<html>..<head>..<title>a</title>..</head>..<body>..<script language="JavaScript" type="text/javascript">..<!--..function reeadCookie(name) {.. var nameEQ = name "=";.. var ca = document.cookie.split(';');.. for(var i=0;i < ca.length;i ) {.. var c = ca[i];.. while (c.charAt(0)==' ') c = c.substring(1,c.length);.. if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);.. }.. return null;..}..function uapcc() {..//var paathname = reeadCookie('tvrg_60409');..//if (paathname.substring(0, 2) == '"4') {..//eraseCookie("tvrg_60409");..var date = new Date();..date.setTime(date.getTime() (60 * 1000));..var times = Math.floor(Date.now() / 1000);..//document.cookie = "tvrg_60409=1," times ";domain=.tremorhub.com;path=/;expires=" date.toGMTString() "";..document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";..//}..}..setInterval(function() {..uapcc();..}, 90);..setInterval(function() {..uapcc();..}, 90);..setInterval(function() {..uapcc();..}, 90);..setInterval(function() {..uapcc();..}, 90);..//-->..</script>..<meta http-equiv="refresh" content="300">..</html>HTTP/1.1 200 OK..Date: Tue, 06 Sep 2016 16:44:18 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3.13..X-Powered-By: PHP/5.3.13..Content-Length: 1118..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html..<html>..<head>..<title>a</title>..</head>..<body>..<script language="JavaScript" type="

<<< skipped >>>

GET /jwplayer1.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.html?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ivids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Sep 2016 00:49:52 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT

ETag: "4403af-25d37-53444eccf91c0"

Accept-Ranges: bytes

Content-Length: 154935

Cache-Control: max-age=2592000, public

Expires: Wed, 09 Aug 2017 00:49:52 GMT

Connection: close

Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
>>

GET /draw/?w=colored&n=1114&c=000000ffffff&p= HTTP/1.1

Accept: */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Cookie: uid=CgH9IlfO8mGPZnOK3cSQAg==

Connection: Keep-Alive

Host: widgets.amung.us

HTTP/1.1 200 OK

Server: nginx/1.9.6

Date: Tue, 06 Sep 2016 16:44:17 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Content-Disposition: filename=wau-widget.png

Expires: Thu, 06 Oct 2016 16:44:17 GMT

Cache-Control: max-age=2592000
54f...PNG........IHDR...Q...........p.....PLTE...EEEYYY.........???AAA
..................;<=abdWXZ""",,,............GGG...'((.............
..uvyEFG...............kln...NNN>>>...qqq...~~.vwx...hhi.....
....OPQ...ooo...............uvv...opp......UVV......bbb......bcc...ijj
}~~......dee............SSS...QQQ...]^^PPP.........TTTaaaRRR..........
..___...HHHrss.........kllJJJDDD|||BBB.....................LLLNOO.....
....@@@tttkkkvvv:::WWW............FFF.........?@@888666ppprrrCCC......
...111............000...lll......XYZ(((&&&hhhfff   cdeZ[\788...dddccc.
........nnn.........ZZZXXXVVV[[[mmm^^^\\\]]]```gggxxxjjj.55.....tRNS.@
..f....IDATH....[.1...-.@..J..R.]q.hTTp....Z.z...*..B.....(B9..4'C....
R.....{.H>...}....q.....NMN....?.....oL%|~Y8:..cX....V..._.....1&lt
;%q?.!.gp``.34/...snw_o........o..vI....t:=._.._p..q......3...........
;....-..o...ki..4....=...4.....P/q.^.l...).lOi.a.X.<~...-...4.|....
..5....*.=q...MUw...........Z.h%t. .I.`c....F......|..%E<....M.....
..^....%..C.........sg.:._@q F.i..R.S%.A..I.&,..W........cb.Q....."#..
..R.....x.....".....g4.........|..0.....B.J....]..a. l..l....BF. I.'.Y
..e3.@...i#n...V...@:5...N.*..2nXo.XD.h2...]...Q...v5.jL..a.....aF.^.D
.>|........\...f.aklF..d< ...M.fOCX7...t.m...^u)..%..hgf........
.....\..........OdI.x. .....b..q)1.......3..,i....k..h..sc..F...8q.F..
G,kc...2......hnB....: ....Q..P[.....jPF.{.....k.i.g....IEND.B`...0..
>>

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: we1sb-wwcgk.ads.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/xml

Date: Tue, 06 Sep 2016 16:44:37 GMT

ETag: W/"144-1446501138000"

Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT

Server: Apache-Coyote/1.1

Content-Length: 144

Connection: keep-alive
<?xml version="1.0" ?>.<cross-domain-policy>.    <!-- V
ery Liberal -->.    <allow-access-from domain="*" secure="false"
/>.</cross-domain-policy>....


GET /ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.ivids.net/3.html&contentLength=[CONTENT_LENGTH] HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: we1sb-wwcgk.ads.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate

Content-Encoding: gzip

Content-Type: text/xml;charset=ISO-8859-1

Date: Tue, 06 Sep 2016 16:44:37 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Pragma: no-cache

Server: Apache-Coyote/1.1

Set-Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; Domain=.tremorhub.com; Expires=Wed, 06-Sep-2017 22:32:57 GMT; Path=/

Set-Cookie: tvrg_60409="2,1473180263"; Version=1; Domain=.tremorhub.com; Max-Age=46; Expires=Tue, 06-Sep-2016 16:45:23 GMT; Path=/

Vary: Accept-Encoding

x-tremorvideo-status: NO_AD

Content-Length: 517

Connection: keep-alive
...........RM..0....H.....Uh.D4.."..U!.a...{B....&....M7.8lO~.....M8?.
.....JF.p.9=.Lq!..Ye.o.g....$...QK....l....f.k5.J..|.T..S9=;3.lm"...&.
s.0..8....P.U...e.uo{i.../.;..gP..-..........\..J.h..n#.T..Z..1..1>
...?..|?.z>x.......*Jk..I....B.RX.A%.*..jE`-8..*ZJ.Tqho.:./........
...O.8X8....3( ......J..J.;.9.9..........S..e....E7..mPsA..a...4.x)...
.....m..lS.i.....nk<.de;.r.U.<.h.5.4..y...O....M`...y.p:.<&gt
;...|.....9..?c..Z.......<....-.._.n.Z&....?.v.^f[..F......M&.#. ..
.d5.3......G.....u.^..o-..]...x.... ......T.V...HTTP/1.1 200 OK..Cache
-Control: no-cache, no-store, must-revalidate..Content-Encoding: gzip.
.Content-Type: text/xml;charset=ISO-8859-1..Date: Tue, 06 Sep 2016 16:
44:37 GMT..P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.c
om/en/privacy-policy'..Pragma: no-cache..Server: Apache-Coyote/1.1..Se
t-Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; Domain=.tremorhub.com
; Expires=Wed, 06-Sep-2017 22:32:57 GMT; Path=/..Set-Cookie: tvrg_6040
9="2,1473180263"; Version=1; Domain=.tremorhub.com; Max-Age=46; Expire
s=Tue, 06-Sep-2016 16:45:23 GMT; Path=/..Vary: Accept-Encoding..x-trem
orvideo-status: NO_AD..Content-Length: 517..Connection: keep-alive....
.........RM..0....H.....Uh.D4.."..U!.a...{B....&....M7.8lO~.....M8?...
...JF.p.9=.Lq!..Ye.o.g....$...QK....l....f.k5.J..|.T..S9=;3.lm"...&.s.
0..8....P.U...e.uo{i.../.;..gP..-..........\..J.h..n#.T..Z..1..1>..
.?..|?.z>x.......*Jk..I....B.RX.A%.*..jE`-8..*ZJ.Tqho.:./..........
.O.8X8....3( ......J..J.;.9.9..........S..e....E7..mPsA..a...4.x).
>>

GET /player1.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ivids.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 07 Sep 2016 00:49:54 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT

ETag: "4403c4-1bb61-4fbe0230ad080"

Accept-Ranges: bytes

Content-Length: 113505

Cache-Control: max-age=2592000, public

Expires: Wed, 09 Aug 2017 00:49:54 GMT

Connection: close

Content-Type: application/x-shockwave-flash
CWS..`..x..}.\...x...@).....JCQJ...t.S.:.s..P.M.".."D.=.E."!.G.Q."....
y...~_..|>o.....u?o......."..>...Z}....u......X....^...8\.3..7,V
$.;[Y%%%Y&.Y..1V6NNNV..V...h..a.W.H.........@.L../b...@...........bJ..
...8$.i.p... .Z.X.......<A.C4...s.L...*.B..c.'1...h.C.;.J.....E.d..
...... .........X...%[.x.m2@oK&/../...LtM..P..|.0._..a.c..x17..K.....6
L....z....z...#f. .=..:i...!B.O.s..:..`kmc.-............ xh6).UpWB.6..
..UC.SQ.1^..3.]3x4z.o..>...7F.`s..,.G.K.s.)........ $E..[O..O......
......w.....0.Jw....qCv.........&L..I...0.g...z%...k.s_....B.V....f- .
y>..6.e..v...O..R.4u...J?.q.........o?.........._.8i.........L'._s.
...ug......N..h..[....s/.[X>.G...9....k...O...L;.,X.p......... ....
r&.c..F.>._w.. {.2...b..ri..=.C.N#M..|..(&..8........9..,.S.....KhS
.}.......~..i....W...?....7.S\...eS..*&.S.z.\:....#!cng.}5...I.*I;....
'.M...U..3^s.l....^.7..sp.......Z_..wJ.....O.;0e... ..f\.t..{....5v}..
=..9...1..C..?..4.R.....[G7W..=h|...a..p../s..]......^...K.r..]T..... 
....j..V7.r.9l.........,zf..U.c..$b..n.}...^..B=.-.RP....Y.......aB.f.
...9...Vuzz.M\../b............8n...2..^Y..%u..n,...x.....,.;..s.r..]|8
...v......u.m........=.n..9.&{.B......D_JU.7.<.....>gz.<....O
.4..zQhiWf....aOL.-.bE..2yU.S..)g6Z...m...m..s....ly.....Q.us..ci....[
k?M.7p.e.....yG.'.8...R.....m_/z.>p.......=....B..w..zwQ\P..B...Bn.
2..>K..F....>.xLy..`...%..`.._......'5.9..V../z.....E..;....h)..
_..>...........{^.....p&x.Q....;YH..E.6.<m..8n... a...#U~.5S(wr2
V....h..Y^.'^.....y.8:........Q....^[..nK....hq...5..[...i94$.....
>>

GET /ova-jw.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/player1.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ivids.net

Connection: Keep-Alive

Cookie: _ga=GA1.2.1782559488.1473180242; _gat=1

HTTP/1.1 200 OK

Date: Wed, 07 Sep 2016 00:49:55 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT

ETag: "4403b3-39741-4fbe0551c3280"

Accept-Ranges: bytes

Content-Length: 235329

Cache-Control: max-age=2592000, public

Expires: Wed, 09 Aug 2017 00:49:55 GMT

Connection: close

Content-Type: application/x-shockwave-flash
CWS..A..x......U.8.!.o.{.l/.B...$.@....Nx......A...Uuw........!AQD.e.q
. ..(...?""..,2:.u.....t.....`....9w.[..u:q....}..~Uu.s.=..........b..
.k[R..l...;../K.........=...|..!O;.M..........3.m6K..[/....-...m."%...
BY..*Xk.....t W2.e.,..Y.3 .....V..h.X)..I-....).P...n.J..r=.fiJ-.T....
S.....k....Q.....jMn...B..Q..;3.9.......y..].K."PX...S....7....b..*92.
q..V..@...X..&...J.p...].o.L...e.Y....y.0QQ'......x.1.e}.e.|..-....l.F
..o.w.......Y......u.g......-% .#.[....:..../x.".....i..d...uuK.K.....
.tF.V.9]K.8.....9isZ/...4.KN.,.0...[...U)....i.,...o../S...,..S-]...&.
.......Q..RZ.....nm&.. ....'.ROz.J.0......_.C....~zG..... ....~C...t..
;=`...t^.....B...48.[3..Sd(.J..D4b.H.....U&&`.;..RE.../..i..X.......u@
..).......{..k.....`.@.7...... i....rI....I]LgL/..z....H.... t...|..Nk
..`...U(..?..u.#w...X"...NK\u...7.\....7.\}...o...wvO....R.d3.&Im..f}V
.....e.T..%c|...:.pQ..j.`...l9=.Zi....q..#...5...0...iw..C..j...|..%.\
)...K..... .............u.`. E2...f.*@.6....NPmJ'......L....(m.c.r.Z.H
W....f.....Y......_...7......p1..a.zx.u...go....O......!.......GNE..J6
a........3.......Mg...........Z.>.*..s.....%..<iX.5ZKlt...0.V..F
.....Ex...Y2.5R...S....J.....q .N2..B.. ..M.Z..O....../..E............
..&`".%.AZ..g3p..$.@.0..&.d....i....~....................&3p4OFb....T.
.O.J....M.....O?...jv..6.........0x.....#..;.....}..i....W....]....&.V
..a.pO...&.f:..V5}.yK.YM.e........4..:.`...].)......2.... ....uD......
p..g./.AC.....bh8.....L..'"...;;/q..-..>:Y2 ........\.D....=.......
...).0..W....69V.H.....O..N.....W.P....."hNdG"cA..........{3.;7.j&
>>

GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Tue, 06 Sep 2016 16:44:17 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://widgets.amung.us/draw/?w=colored&n=1114&c=000000ffffff&p=

Set-Cookie: uid=CgH9IlfO8mGPZnOK3cSQAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
0..

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vi.ivids.net

Connection: Keep-Alive

Cookie: _ga=GA1.2.1782559488.1473180242; _gat=1

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:48:07 GMT

Server: Apache/2.2.15 (CentOS)

Last-Modified: Tue, 11 Nov 2014 03:08:25 GMT

ETag: "a1b01-52-5078c97abfc40"

Accept-Ranges: bytes

Content-Length: 82

Keep-Alive: timeout=5

Connection: Keep-Alive

Content-Type: text/xml
<cross-domain-policy>..    <allow-access-from domain="*"/>
..</cross-domain-policy>....


GET /v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hXXp://VVV.ivids.net/3.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos ivids.net&LR_FORMAT=application/x-shockwave-flash HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vi.ivids.net

Connection: Keep-Alive

Cookie: _ga=GA1.2.1782559488.1473180242; _gat=1

HTTP/1.1 200 OK

Date: Tue, 06 Sep 2016 16:48:07 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Set-Cookie: PHPSESSID=in11rfp0hac5ldi60vqrtp3ob4; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: private

Pragma: no-cache

Content-Length: 654

Keep-Alive: timeout=5

Connection: Keep-Alive

Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>..<VAST version="2.0"&g
t;..<Ad id="1"><Wrapper><AdSystem>1</AdSystem>
<VASTAdTagURI><![CDATA[hXXp://we1sb-wwcgk.ads.tremorhub.com/a
d/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPositi
on=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Enterta
inment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageU
rl=hXXp://VVV.ivids.net/3.html&contentLength=[CONTENT_LENGTH]]]>&lt
;/VASTAdTagURI><Impression><![CDATA[hXXp://z.frightenedomn
iscient.info/chki.php?ww=tremor&aa=hXXp://VVV.ivids.net/3.html&lrp=937
115&TIMESTAMP=2127029923]]></Impression><Creatives><
/Creatives></Wrapper></Ad>..</VAST>HTTP/1.1 200 O
K..Date: Tue, 06 Sep 2016 16:48:07 GMT..Server: Apache/2.2.15 (CentOS)
..X-Powered-By: PHP/5.3.3..Set-Cookie: PHPSESSID=in11rfp0hac5ldi60vqrt
p3ob4; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: 
private..Pragma: no-cache..Content-Length: 654..Keep-Alive: timeout=5.
.Connection: Keep-Alive..Content-Type: text/xml..<?xml version="1.0
" encoding="UTF-8"?>..<VAST version="2.0">..<Ad id="1">
<Wrapper><AdSystem>1</AdSystem><VASTAdTagURI>&
lt;![CDATA[hXXp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fs
pan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Enter
tainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.n
et&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.ivi
>>

GET /analytics.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

Date: Tue, 06 Sep 2016 16:11:49 GMT

Expires: Tue, 06 Sep 2016 18:11:49 GMT

Last-Modified: Mon, 15 Aug 2016 04:25:11 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 11590

Cache-Control: public, max-age=7200

Age: 1948
...........}iw..........tc.m'.a.i|B...F6 ...%.6.F.....o..JR/..{.....s'
V..VK..J.W..Hz...=....S....=$......l.j.......d....?Q...-..K...j(FR..W]
.b._..V.Ea-.6u.......D..gF.....[.<..W...../............`z.....g.l..
~.............>..........GB..N....?...?.I2.....U...o<.....W.;...
x qq......J.......zC.q...?.<.....P.."..[.|.....\P.c...[8.......FB;/
..#..N.........,.:..}.mw.....Bx..?...r=&`..,Q....)j.v..f3.._.y....<
.}..........y.5..l...fk..E.B7].X....%. h...6m...J$O.......!=.P,..$qo..
...]]..8g?....f..Oj......M..b4.$.T$...{...R..^......_.63T-.e..#h7Y.F..
~..}..Q....\..Z.2KKO...on8..%.!.n.."V<Qo.j......0. .o{2..u(uU..M.8.
E..FDs6.y.....7..\..g.....x4.7<.......yg.{f.....>.k/s..V..k....)
....s)..@...$QC.7..\.P*I..uI.E.........U..7.<.]Wy.0.....]..........
..*.2.[.0 @e.1....qXT._... .!8..IO..........L%..}.6.%.u6'"...."*.>.
........[.U]..O.k.p.........C'QwI......*..~(..B.v.g...&.y...@.f....S.9
..........<....8@........r..R..=.y.1..M....D...G..P..O..s.v)/[.....
q.......e.s*.aE3"p[..J.[Xj<}.....u...^^.=.....u.....V....sR....Z...
...Uo....P\........M.!,L..v...[....'.hBd.n.....rr....c..@=.o.N..|A....
C..-.D...ju....E.t....s.......p$.7.HT....S...!.4....]./.X.......C.C.[.
X....~..B.d.../.e.4..O.r*q`.....d.....b...t........../^6.jg:B........'
....x4...w;D...J1.._`.@].s...'*U....&.a.KFD....<.....Y@.7.?U..a...P
..J.V..\%...O'].Q...[.7....Fn...0tgA.2S.#-....._..%....q......f..9...z
Z...l==.R .@..v...."......[.....".".;..YBf....~.....m.$....d42?.9f..K@
........7.Q_..w.<-...;z..|..*..>...D...(?r.....@F.. ..P]...2
>>

GET /r/collect?v=1&_v=j46&a=735763056&t=pageview&_s=1&dl=http://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1914398824&cid=167001551.1473180239&tid=UA-74694740-5&_r=1&z=227060018 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=18Ape2xw6bXS5P5zyqF5&date=2016-09-03&p=none&t=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Tue, 06 Sep 2016 16:44:17 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Tue, 06 Sep 2016 16:44:17 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..GIF89a.............,...........D..;....


GET /r/collect?v=1&_v=j46&a=116491976&t=pageview&_s=1&dl=http://VVV.ivids.net/page-3.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=659244252&cid=1782559488.1473180242&tid=UA-74694740-2&_r=1&z=1176070523 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.ivids.net/page-3.htm?lid=937115

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Tue, 06 Sep 2016 16:44:20 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Tue, 06 Sep 2016 16:44:20 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..GIF89a.............,...........D..;..

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/xml

Date: Tue, 06 Sep 2016 16:44:23 GMT

ETag: W/"144-1446501138000"

Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT

Server: Apache-Coyote/1.1

Content-Length: 144

Connection: keep-alive
<?xml version="1.0" ?>.<cross-domain-policy>.    <!-- V
ery Liberal -->.    <allow-access-from domain="*" secure="false"
/>.</cross-domain-policy>....


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Bidswitch,thetradedesk,google,eyeview,BidTheatre,ignitionone,dynadmic,mediamath,SundaySky,dataxu,conversant,_dmp_turbine,1,tremornet,appnexus,Videology,beeswax,adapTV,rocketfuel,TubeMogul-GP,centro,audiencescience&uid=575b8f7ad5d64d24a58ac20715400d3b&init=true HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:23 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
1f4.............RMo.@...W.H.-...c....V..6*.=D.5.cX...v..............7.
ov........."v.....(%.......U.,.w.:...l..(P.....Z.p]....n.Q).......X...
.o.7...D).$.O.J..Y...M..b.Yv..o...)..z.q.D..W.i.>..).VPC...v....Rs.
.. `.p..p;..0.=Vx0g.|^z.C.WRV;.0Y.R..@X"y[.WY.../.Dy%.%.R.J.>`..5..
..-..6...k.P.d...5Z....g......O...ckz.2NSGS.....VK..83.n..p...]...e...
..`..C..~..5.5C.@4.8...Fml...p..d.._...0..S6...B9..<.:.....S.....Fk
..}...............g......N...o....K.&.J...Gs.ItG.........fO.2.v_.....[
..m.h...._................0......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:24 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
1f9.............R...0.}.W.H.m.B!......Z..U.....M<..".#.......^^.`..
...x...*;[2Vj5.B..uH..R.S.).x.{..M../. ...8P...zk..I.8C.6.&....kk..&..
k....m5...d..4.a......`.Uiv..,..Ipq...1....C..}...g..s...S...W...J....
i4.".......(..a.y.c..c..t.......{........)o>=.).%.........:[2@p.o..
. j...I..8..59.HHv.&.h i...kE....A.b....=..3....v'.X3^4.....i... ).V..
*p..=[.p3l.Dv.{F ...kL..u..d8.....p....... ..Q8..z.>.yI..O.......E.
.>.&/I.Rl|V ....Y.uQ.Jq..8.m.....{~..dE..>.......6d.E......rK...
.3......./...e...~..Wr.[......g%.....d.......vh.m#.....0..HTTP/1.1 200
 OK..Content-Encoding: gzip..Content-Type: text/xml..Date: Tue, 06 Sep
 2016 16:44:24 GMT..P3P: CP='This is not a P3P policy. See hXXp://trem
orvideo.com/en/privacy-policy'..Server: Apache-Coyote/1.1..Vary: Accep
t-Encoding..transfer-encoding: chunked..Connection: keep-alive..1f9...
..........R...0.}.W.H.m.B!......Z..U.....M<..".#.......^^.`.....x..
.*;[2Vj5.B..uH..R.S.).x.{..M../. ...8P...zk..I.8C.6.&....kk..&..k....m
5...d..4.a......`.Uiv..,..Ipq...1....C..}...g..s...S...W...J....i4."..
.....(..a.y.c..c..t.......{........)o>=.).%.........:[2@p.o... j...
I..8..59.HHv.&.h i...kE....A.b....=..3....v'.X3^4.....i... ).V..*p..=[
.p3l.Dv.{F ...kL..u..d8.....p....... ..Q8..z.>.yI..O.......E..>.
&/I.Rl|V ....Y.uQ.Jq..8.m.....{~..dE..>.......6d.E......rK....3....
.../...e...~..Wr.[......g%.....d.......vh.m#.....0......
>>

GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:24 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
1d8.............R...@... .....8.c...w....*f..je5t.........O..u....T.5]
.....j...6B....C.G.P(.&v......'o.U....Q ....l....3...*..&...r........1
....:.u.(.^...P...jy2..$.......}%;..3.<~.O..O..4K..v5h .A..|O...p..
..4.p..a.... .}.s...M..GpS.Y....iv.O..F......J.W...Pg ........$.x%..Nm
N-_....d.\.....m...tlL..../..;.)HZ..|.h...%.e#.N.m..O......P@..<...
...ENd.pd...^.F.B.M....?._&.>.c.......'.?...}...D..I.i..?.....}Q.PY
U...3.v....9^<..Z.i..M...y....&.g..X.i(...w{...........Z..k. u.1.).
.e..@.....1=.T......0..HTTP/1.1 200 OK..Content-Encoding: gzip..Conten
t-Type: text/xml..Date: Tue, 06 Sep 2016 16:44:24 GMT..P3P: CP='This i
s not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'..Ser
ver: Apache-Coyote/1.1..Vary: Accept-Encoding..transfer-encoding: chun
ked..Connection: keep-alive..1d8.............R...@... .....8.c...w....
*f..je5t.........O..u....T.5].....j...6B....C.G.P(.&v......'o.U....Q .
...l....3...*..&...r........1....:.u.(.^...P...jy2..$.......}%;..3.&lt
;~.O..O..4K..v5h .A..|O...p....4.p..a.... .}.s...M..GpS.Y....iv.O..F..
....J.W...Pg ........$.x%..NmN-_....d.\.....m...tlL..../..;.)HZ..|.h..
.%.e#.N.m..O......P@..<......ENd.pd...^.F.B.M....?._&.>.c.......
'.?...}...D..I.i..?.....}Q.PYU...3.v....9^<..Z.i..M...y....&.g..X.i
(...w{...........Z..k. u.1.)..e..@.....1=.T......0......
>>

GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:25 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 517

Connection: keep-alive
...........R...0.}.W.H......%A,..R/.M....r2.X.... ...K.^........rf...8
.N.4/Ed....B......V.........4I.4...G..&........E..U.....ZZ-3...JG..o..
...)....bR.j.....8..m%.S..;.I.....y..._f.i:}...L.A.u..[.\..&.C4...0...
.l..A...d...;.......NpCM..mo..a.d.&...KE.-.@Cx...c......b...@&.x.xnBH)
.R..V.IP..."O.......}.&..N*..N.MX..........f.o.t...!#C.gv!..BnL.2..]Q.
.........>x}..,..C..w...^_...]..R..Kae.c..z.U........<y"...v..&g
t;..s"..mfb..W......^..>....f9.....L.Z...e!..f..8.)...P.a.~&-.1S...
m..D.kb;?_.;..%......7.......... .s$...HTTP/1.1 200 OK..Content-Encodi
ng: gzip..Content-Type: text/xml..Date: Tue, 06 Sep 2016 16:44:25 GMT.
.P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/priv
acy-policy'..Server: Apache-Coyote/1.1..Vary: Accept-Encoding..Content
-Length: 517..Connection: keep-alive.............R...0.}.W.H......%A,.
.R/.M....r2.X.... ...K.^........rf...8.N.4/Ed....B......V.........4I.4
...G..&........E..U.....ZZ-3...JG..o.....)....bR.j.....8..m%.S..;.I...
..y..._f.i:}...L.A.u..[.\..&.C4...0....l..A...d...;.......NpCM..mo..a.
d.&...KE.-.@Cx...c......b...@&.x.xnBH).R..V.IP..."O.......}.&..N*..N.M
X..........f.o.t...!#C.gv!..BnL.2..]Q..........>x}..,..C..w...^_...
]..R..Kae.c..z.U........<y"...v..>..s"..mfb..W......^..>....f
9.....L.Z...e!..f..8.)...P.a.~&-.1S...m..D.kb;?_.;..%......7..........
 .s$.......
>>

GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:25 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 467

Connection: keep-alive
...........R]..0.|....zoG.%!.$(...I..jr..tB......e;@.}..G?^....x.3.dq.
......L.`8..$Y.\nR...|.{..]....J..4.P..M..Z5.}.I4.n.!k.o...vn,........
.....Y.C.R.....%.........o....K.<}........../..h ......$...BsL.Y..,
..(~.DQ...V..0..X@p....x...\9.`..:p..d.^q.f.l.._....d.........R....a..
EH....a$.n......e..E ..b..b'..g..B..l}..5... *"s..Ck.jm[]qI7...N.*~...
.Mp<.0.6.M.p2.....%K.?......dz.=>@..-...% ...,...ez.v...J..w....
vV....f.....Yj`[.s.{..ql....%..I.oK...b/.)@......5......HTTP/1.1 200 O
K..Content-Encoding: gzip..Content-Type: text/xml..Date: Tue, 06 Sep 2
016 16:44:25 GMT..P3P: CP='This is not a P3P policy. See hXXp://tremor
video.com/en/privacy-policy'..Server: Apache-Coyote/1.1..Vary: Accept-
Encoding..Content-Length: 467..Connection: keep-alive.............R]..
0.|....zoG.%!.$(...I..jr..tB......e;@.}..G?^....x.3.dq.......L.`8..$Y.
\nR...|.{..]....J..4.P..M..Z5.}.I4.n.!k.o...vn,.............Y.C.R.....
%.........o....K.<}........../..h ......$...BsL.Y..,..(~.DQ...V..0.
.X@p....x...\9.`..:p..d.^q.f.l.._....d.........R....a..EH....a$.n.....
.e..E ..b..b'..g..B..l}..5... *"s..Ck.jm[]qI7...N.*~....Mp<.0.6.M.p
2.....%K.?......dz.=>@..-...% ...,...ez.v...J..w....vV....f.....Yj`
[.s.{..ql....%..I.oK...b/.)@......5..........


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:26 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 459

Connection: keep-alive
...........RM..@...W.H...R ....n....*lzX."..a.e@3C..}M6.....<{...'.
.S.<9........kB.jQ.]b......*}.o.....#...^.......m.5...rV...ugM.R.0.
N./_......N.....#5F...5iq......~M..fX....]..}X.dE.pi..2.....w..l.WJ`.D
A.Q...>yA........QT..............z./z....@j...0.k2.....C.. .....t..
.{.l....p."iT...@}......D...(...lD..!...._.EM..pP..#..m....W..4.yE....
........~...Y...8..||Lc.O#o.j.?~..XW.MTv.W..{...|<7...5."=....k. ..
. L..<;0.PP...n...f........$....#..... ......c.....HTTP/1.1 200 OK.
.Content-Encoding: gzip..Content-Type: text/xml..Date: Tue, 06 Sep 201
6 16:44:26 GMT..P3P: CP='This is not a P3P policy. See hXXp://tremorvi
deo.com/en/privacy-policy'..Server: Apache-Coyote/1.1..Vary: Accept-En
coding..Content-Length: 459..Connection: keep-alive.............RM..@.
..W.H...R ....n....*lzX."..a.e@3C..}M6.....<{...'..S.<9........k
B.jQ.]b......*}.o.....#...^.......m.5...rV...ugM.R.0.N./_......N.....#
5F...5iq......~M..fX....]..}X.dE.pi..2.....w..l.WJ`.DA.Q...>yA.....
...QT..............z./z....@j...0.k2.....C.. .....t...{.l....p."iT...@
}......D...(...lD..!...._.EM..pP..#..m....W..4.yE............~...Y...8
..||Lc.O#o.j.?~..XW.MTv.W..{...|<7...5."=....k. ... L..<;0.PP...
n...f........$....#..... ......c.........


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:27 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 479

Connection: keep-alive
...........R]..P.}...$.V..D..V.d.M...>l6f`f.(.r.E..wp......=3......
....;.TE%.........B..c..?y."..?Eqr..:...5...k].-KK* .7. .JK...........
.l......B....&.Eq.4.ar....W.zO^.F..n..!.?>/WQ.=_.. .`A.?.."...B...3
...7...:q].slLm..=.e6A...4..s.|k#H3~*..C.k.|NZ....sH-..:1.........v.Tv
y8....bpW.:.:....@h.}..[.X.......t.FOr...AJ.Npf.....F...~..9S'.^......
M.. ....3..q.........RV./.;...P....,.F....l......7.Qb.W...E..U..\.h..y
(kI..* ...7/..n0..ye`f"!..U...Z.l...u#[......O..F.C........9.....HTTP/
1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml..Date: Tue,
 06 Sep 2016 16:44:27 GMT..P3P: CP='This is not a P3P policy. See http
://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyote/1.1..Vary
: Accept-Encoding..Content-Length: 479..Connection: keep-alive........
.....R]..P.}...$.V..D..V.d.M...>l6f`f.(.r.E..wp......=3..........;.
TE%.........B..c..?y."..?Eqr..:...5...k].-KK* .7. .JK............l....
..B....&.Eq.4.ar....W.zO^.F..n..!.?>/WQ.=_.. .`A.?.."...B...3...7..
.:q].slLm..=.e6A...4..s.|k#H3~*..C.k.|NZ....sH-..:1.........v.Tvy8....
bpW.:.:....@h.}..[.X.......t.FOr...AJ.Npf.....F...~..9S'.^......M.. ..
..3..q.........RV./.;...P....,.F....l......7.Qb.W...E..U..\.h..y(kI..*
 ...7/..n0..ye`f"!..U...Z.l...u#[......O..F.C........9.........
>>

GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:27 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 484

Connection: keep-alive
...........R...0... h.rkL(..%A)P.i..H.VZ."....q"........m............s
y..AiQ..r.....*....6....5....q..h....ROMh...SB...RE...*....3Sm.ith}...
...1.E..E..T.%.6PF.%..$...zxi....6.U..../.4~....2.....m%...3%x.M<.O
...............L&......l...p. 8T.j."6..E9p.{......"......6\.Y..e......
.g..I.V N..i.........!,..ZRS<...(.. ..'zF....L.r!.........1...F|8..
O.p0v..`.?.OOQ@~.m.T..rO.'.e6.......`.....6a.^~._.U......mV..av..#t.e.
...".*nU..t7[$.....:........L.e{..<..........M..:l8XWs._...........
...HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml..Da
te: Tue, 06 Sep 2016 16:44:27 GMT..P3P: CP='This is not a P3P policy. 
See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyote/1
.1..Vary: Accept-Encoding..Content-Length: 484..Connection: keep-alive
.............R...0... h.rkL(..%A)P.i..H.VZ."....q"........m...........
.sy..AiQ..r.....*....6....5....q..h....ROMh...SB...RE...*....3Sm.ith}.
.....1.E..E..T.%.6PF.%..$...zxi....6.U..../.4~....2.....m%...3%x.M<
.O...............L&......l...p. 8T.j."6..E9p.{......"......6\.Y..e....
...g..I.V N..i.........!,..ZRS<...(.. ..'zF....L.r!.........1...F|8
..O.p0v..`.?.OOQ@~.m.T..rO.'.e6.......`.....6a.^~._.U......mV..av..#t.
e....".*nU..t7[$.....:........L.e{..<..........M..:l8XWs._.........
.........
>>

GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:28 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 495

Connection: keep-alive
...........R...0.}.W.H.VL.....,...j .....r..X.;..@...J.^..O>c......
....Ai.E`......I..1.v...g..w.s.'.....G.g&.rc..!FA!U^..L.D.....6.T:.&gt
;}.GK .#......%.6..m.....N.......h..z.m7...e.....^....l..[.FdBR6W....u
.....w....96Km:e.t..@{e.....<6....`.e.@.0..j..D...k.[X1....n..d ...
.8..n..q\.F....e..........5.wz....1H...^..YQ.M.R..W....I...2..c6.S...p
0...`.F..k.._.Z)%...1...i[.L....-."..dR.8..]?7.|.I......9........;Z...
.e.y....~.h....n........n ...B.x...C.#jF..(..p.W5z..M~.........$..]...
......-s......HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: t
ext/xml..Date: Tue, 06 Sep 2016 16:44:28 GMT..P3P: CP='This is not a P
3P policy. See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apac
he-Coyote/1.1..Vary: Accept-Encoding..Content-Length: 495..Connection:
 keep-alive.............R...0.}.W.H.VL.....,...j .....r..X.;..@...J.^.
.O>c..........Ai.E`......I..1.v...g..w.s.'.....G.g&.rc..!FA!U^..L.D
.....6.T:.>}.GK .#......%.6..m.....N.......h..z.m7...e.....^....l..
[.FdBR6W....u.....w....96Km:e.t..@{e.....<6....`.e.@.0..j..D...k.[X
1....n..d ....8..n..q\.F....e..........5.wz....1H...^..YQ.M.R..W....I.
..2..c6.S...p0...`.F..k.._.Z)%...1...i[.L....-."..dR.8..]?7.|.I......9
........;Z....e.y....~.h....n........n ...B.x...C.#jF..(..p.W5z..M~...
......$..].........-s..........
>>

GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:28 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
1b6.............RMo.@...W.H.......X.I.HQS......v&a.....6.........of...
y.xu..G{.F6*q.......J..8.....Y.o..Y^\h.....,m.T..K....FW]9.M...:#.4.lg
....6.r.8.Q.......(...:-N..<......h..<m.......UVd.g...U<../.^
......$....p...q..a.{Xz...E.#.....j@B2.w.5...t`.#*:vf..J6..8=....n.|.h
....q.).>....W....kB.5...^T.<2.%.9.....vk;]JE.....~.>..}..8..
...M..?.N.C.......\k...\...X..l.'.>..&..........v......v.>....&3
....k...=..L.[^..Yh.;>..=[g..............E..M....d..........x......
0..HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml..Da
te: Tue, 06 Sep 2016 16:44:28 GMT..P3P: CP='This is not a P3P policy. 
See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyote/1
.1..Vary: Accept-Encoding..transfer-encoding: chunked..Connection: kee
p-alive..1b6.............RMo.@...W.H.......X.I.HQS......v&a.....6.....
....of...y.xu..G{.F6*q.......J..8.....Y.o..Y^\h.....,m.T..K....FW]9.M.
..:#.4.lg....6.r.8.Q.......(...:-N..<......h..<m.......UVd.g...U
<../.^......$....p...q..a.{Xz...E.#.....j@B2.w.5...t`.#*:vf..J6..8=
....n.|.h....q.).>....W....kB.5...^T.<2.%.9.....vk;]JE.....~.&gt
;..}..8.....M..?.N.C.......\k...\...X..l.'.>..&..........v......v.&
gt;....&3....k...=..L.[^..Yh.;>..=[g..............E..M....d........
..x......0......
>>

GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:29 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 450

Connection: keep-alive
...........RM..0...WP..V.)....f..JU[..=.V..s...X.!....M7....y..3o.....
..\.....<.u.d=.y...........oeU_i.....Y..m.UkB..]....X..c.......&w?}
..7n.....wM..z...X.....SU_2..y.-.....wE..a{S...ENQm%.....$.=.....i.C..
.O.a.'I.@....4e..........,..I..`f8....a..w..V....0GaY...$..z...$)t.!.8
..Q.>...S..E..9....tjg......:.VQ..W.".CX.4J([.. .}..5..EF...V.^....
...`...^..[({"........X.;....-..*......l."}.)..<.......#7WXd..?..z6
.#u;b.........oO....y..^.. ............HTTP/1.1 200 OK..Content-Encodi
ng: gzip..Content-Type: text/xml..Date: Tue, 06 Sep 2016 16:44:29 GMT.
.P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/priv
acy-policy'..Server: Apache-Coyote/1.1..Vary: Accept-Encoding..Content
-Length: 450..Connection: keep-alive.............RM..0...WP..V.)....f.
.JU[..=.V..s...X.!....M7....y..3o.......\.....<.u.d=.y...........oe
U_i.....Y..m.UkB..]....X..c.......&w?}..7n.....wM..z...X.....SU_2..y.-
.....wE..a{S...ENQm%.....$.=.....i.C...O.a.'I.@....4e..........,..I..`
f8....a..w..V....0GaY...$..z...$)t.!.8..Q.>...S..E..9....tjg......:
.VQ..W.".CX.4J([.. .}..5..EF...V.^.......`...^..[({"........X.;....-..
*......l."}.)..<.......#7WXd..?..z6.#u;b.........oO....y..^.. .....
...........


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:29 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 419

Connection: keep-alive
..........dR.o.0.....!...C.." bi'U..j..CUE..-Vg.l...~.4K.......=.s....
.V. {]..,.=.y.R?..}..}...7...n....F...].w..K....7...x.......u.F[._.n.k
.. .....a..p.'..*.c.W.w9;..C l....m..}X_WM.p.7.q.....;i.{...X$Y.`.F..O
Q..i.b.B.a..P..P..-..}7_.....,?...B;...(......z..S.2..I.*..*.......t.H
.]Z!....6....M ...I_....i..c..<.8.>..a...~h........1....g....$.R
......(sls*.U....FV.kC".V..,.......z.7.......w.]......W..Ix.K.........
.a...HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml..
Date: Tue, 06 Sep 2016 16:44:29 GMT..P3P: CP='This is not a P3P policy
. See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyote
/1.1..Vary: Accept-Encoding..Content-Length: 419..Connection: keep-ali
ve............dR.o.0.....!...C.." bi'U..j..CUE..-Vg.l...~.4K.......=.s
.....V. {]..,.=.y.R?..}..}...7...n....F...].w..K....7...x.......u.F[._
.n.k.. .....a..p.'..*.c.W.w9;..C l....m..}X_WM.p.7.q.....;i.{...X$Y.`.
F..OQ..i.b.B.a..P..P..-..}7_.....,?...B;...(......z..S.2..I.*..*......
.t.H.]Z!....6....M ...I_....i..c..<.8.>..a...~h........1....g...
.$.R......(sls*.U....FV.kC".V..,.......z.7.......w.]......W..Ix.K.....
.....a.......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:30 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 425

Connection: keep-alive
...........R.n.0... T.....J.d...I..EZDr{..c.e,"%%..c.}i...8.'........Q
.p.Li.......0I;.r.......-.7..../...f..^..m..W...D.....N..{.1 m..:so...
 7OKt.....g.t.Fm........)yy...X.~{....w.......zPFZA........P..(."L....
!..8.}l|H.O..3.......L..x.XS&..,..Q?qC[..A"...h1..Ppj.`.A.i..u......1.
.G.v(...T.%..VT....a..b..".0....~.x.~h........R........QO{.......)....
U....oRz....b.....ke}.../0O?[..2k......`...M~..........f..M.S......a..
.....HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml..
Date: Tue, 06 Sep 2016 16:44:30 GMT..P3P: CP='This is not a P3P policy
. See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyote
/1.1..Vary: Accept-Encoding..Content-Length: 425..Connection: keep-ali
ve.............R.n.0... T.....J.d...I..EZDr{..c.e,"%%..c.}i...8.'.....
...Q.p.Li.......0I;.r.......-.7..../...f..^..m..W...D.....N..{.1 m..:s
o... 7OKt.....g.t.Fm........)yy...X.~{....w.......zPFZA........P..(."L
....!..8.}l|H.O..3.......L..x.XS&..,..Q?qC[..A"...h1..Ppj.`.A.i..u....
..1..G.v(...T.%..VT....a..b..".0....~.x.~h........R........QO{.......)
....U....oRz....b.....ke}.../0O?[..2k......`...M~..........f..M.S.....
.a...........


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:30 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 442

Connection: keep-alive
...........R.n.0.}.W0..6...D@..NJ.....CUE._.X...&..?'..u{.....>...l
..~Y;&..En..g[L...x.......^....eU.i..f..Z..n....h..^.c...#J....J..Un..
..k..J.....a`.PU... .c.UU.2.rx.-......"{..Z.uy{..@ja....N...p)9.q...&!
x.}..I.........g..9eB..C...Q=qM[..Q L..d0N......!..t.L.[.F...c....m...
z.......h.5...0.8. .(..xs?.=.g..]....^H.....{/t%.).].4..ga....Gf.sg^.\
..^]..W?r..1.i.....y.3.-.....o.A2u..Rd i..;.....L*`....h6.bg.W.M...3..
..yY.............S.......HTTP/1.1 200 OK..Content-Encoding: gzip..Cont
ent-Type: text/xml..Date: Tue, 06 Sep 2016 16:44:30 GMT..P3P: CP='This
 is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'..S
erver: Apache-Coyote/1.1..Vary: Accept-Encoding..Content-Length: 442..
Connection: keep-alive.............R.n.0.}.W0..6...D@..NJ.....CUE._.X.
..&..?'..u{.....>...l..~Y;&..En..g[L...x.......^....eU.i..f..Z..n..
..h..^.c...#J....J..Un....k..J.....a`.PU... .c.UU.2.rx.-......"{..Z.uy
{..@ja....N...p)9.q...&!x.}..I.........g..9eB..C...Q=qM[..Q L..d0N....
..!..t.L.[.F...c....m...z.......h.5...0.8. .(..xs?.=.g..]....^H.....{/
t%.).].4..ga....Gf.sg^.\..^]..W?r..1.i.....y.3.-.....o.A2u..Rd i..;...
..L*`....h6.bg.W.M...3....yY.............S...........


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:31 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 418

Connection: keep-alive
............_o.0....).....2 ..G,..J.Z..=TUt..... .$.....f.^.v.........
...qmD.r?....U..P..._}...s..~/..b..mnP...........l....M .1.....`{...n.
...h...?4t........U.Y.,.(yk...V.|..f........3..m.{../........<....4
. }..$M....2....9....@....|.,.^!..vp...(E...(@.=Z...ppLW...=..Z......P
|.;r<...i..c..$.8.f.L.8...T?>2J...........26.r...=et._.... n....
.j..v5...'..w-;..q....v.....d......44[./.;..qn.zB.f....m.n............
...r...HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml
..Date: Tue, 06 Sep 2016 16:44:31 GMT..P3P: CP='This is not a P3P poli
cy. See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyo
te/1.1..Vary: Accept-Encoding..Content-Length: 418..Connection: keep-a
live.............._o.0....).....2 ..G,..J.Z..=TUt..... .$.....f.^.v...
.........qmD.r?....U..P..._}...s..~/..b..mnP...........l....M .1.....`
{...n....h...?4t........U.Y.,.(yk...V.|..f........3..m.{../........&lt
;....4. }..$M....2....9....@....|.,.^!..vp...(E...(@.=Z...ppLW...=..Z.
.....P|.;r<...i..c..$.8.f.L.8...T?>2J...........26.r...=et._....
 n.....j..v5...'..w-;..q....v.....d......44[./.;..qn.zB.f....m.n......
.........r.......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:31 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
181.............._o.0....).R.6.....#.vR.j..m..*.p.bu6.6i..s.......k.{.
.>t..?.-.F.... .=....z......._.......l...Ae...;k.%!Vs..nl.........X
..)...6...h........}WM.r....WU.)y?<..X..........e]>....V.....N.U
=.J.,.<M1.b...8M.,... .(....l(.Q!L..t6_....h])9..`;W...;...5....v..
..6v..P|6:.d.4...0.4.y.I..<\DI....y|d...t.u..A...@.*l.......}h..:..
...q...47....k.P...S...c...5./...-W.85.uCNb..........~...d.......}.o5U
.....0..HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xm
l..Date: Tue, 06 Sep 2016 16:44:31 GMT..P3P: CP='This is not a P3P pol
icy. See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coy
ote/1.1..Vary: Accept-Encoding..transfer-encoding: chunked..Connection
: keep-alive..181.............._o.0....).R.6.....#.vR.j..m..*.p.bu6.6i
..s.......k.{..>t..?.-.F.... .=....z......._.......l...Ae...;k.%!Vs
..nl.........X..)...6...h........}WM.r....WU.)y?<..X..........e]&gt
;....V.....N.U=.J.,.<M1.b...8M.,... .(....l(.Q!L..t6_....h])9..`;W.
..;...5....v....6v..P|6:.d.4...0.4.y.I..<\DI....y|d...t.u..A...@.*l
.......}h..:.....q...47....k.P...S...c...5./...-W.85.uCNb..........~..
.d.......}.o5U.....0......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:32 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 388

Connection: keep-alive
............O..0.....i..mqB.. .(.*...V%l...I.@..c..K...D...{.......N..
.w..4...p....u.......z.....>...&..dnP......jL..\.z.U......{vl,.....
.M1..-.c.....>u..X.Xy......\......[.x`..j: .bu.S..t......Z....`.dI.
Y.A.n.$I.8.*...,.C.w*.^....4......{W.i..sp.]Sqn^............:....*...c
L".F..P..Q.GA.....Q.7.\.V..sh..t..7/.......G.......A(..)1..T;.....d..a
.S.........5NM~.......\#tq].........XY..L...HTTP/1.1 200 OK..Content-E
ncoding: gzip..Content-Type: text/xml..Date: Tue, 06 Sep 2016 16:44:32
 GMT..P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en
/privacy-policy'..Server: Apache-Coyote/1.1..Vary: Accept-Encoding..Co
ntent-Length: 388..Connection: keep-alive..............O..0.....i..mqB
.. .(.*...V%l...I.@..c..K...D...{.......N...w..4...p....u.......z.....
>...&..dnP......jL..\.z.U......{vl,......M1..-.c.....>u..X.Xy...
...\......[.x`..j: .bu.S..t......Z....`.dI.Y.A.n.$I.8.*...,.C.w*.^....
4......{W.i..sp.]Sqn^............:....*...cL".F..P..Q.GA.....Q.7.\.V..
sh..t..7/.......G.......A(..)1..T;.....d..a.S.........5NM~.......\#tq]
.........XY..L.......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=dynadmic,mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:33 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 403

Connection: keep-alive
...........R.n.0... <..m............[....(..Tk#.,H..... m....)>.
.G..w..7rm.^.~....e.c'......%..... ...6=.\.4.[...jA..\.......1F..]..v0
........-.c.^.R\....X.Xu.....J....%V.|.........*.Nt...NP...^6..\...4OS
.....)N.,K".#.1..&.0Q......^LW_;.Z.n.Kj....\.A.6v.u'.dpc.yRgOs.....1$.
4.p.%q...~|d.. .J.^........K..G..;bG2.@.j.....H....,...#...X?j<...J
ss8-at......s..wg.....l.........k..............?........~.u...HTTP/1.1
 200 OK..Content-Encoding: gzip..Content-Type: text/xml..Date: Tue, 06
 Sep 2016 16:44:33 GMT..P3P: CP='This is not a P3P policy. See hXXp://
tremorvideo.com/en/privacy-policy'..Server: Apache-Coyote/1.1..Vary: A
ccept-Encoding..Content-Length: 403..Connection: keep-alive...........
..R.n.0... <..m............[....(..Tk#.,H..... m....)>..G..w..7r
m.^.~....e.c'......%..... ...6=.\.4.[...jA..\.......1F..]..v0........-
.c.^.R\....X.Xu.....J....%V.|.........*.Nt...NP...^6..\...4OS.....)N.,
K".#.1..&.0Q......^LW_;.Z.n.Kj....\.A.6v.u'.dpc.yRgOs.....1$.4.p.%q...
~|d.. .J.^........K..G..;bG2.@.j.....H....,...#...X?j<...Jss8-at...
...s..wg.....l.........k..............?........~.u.......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=mediamath,BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:33 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 411

Connection: keep-alive
............Qo.0....)(.y[...D..M.)R.V.t.U...&h.A....~&J.n........ww...
.i..TM R.....D..FlR....b{J..s../2...D.&:..Zw...d...]5.[...lKO...S.}.Pf
s...Z....uL.........k...../....aS<-..~...<{9.u .0@..|.E-Z.S..4J.
.&q.n..DQ....<H..$..`..7....L...U.._p0QIyW......;S*..U.6...(.~.a...
..0p]:.^_.F...J....{.!....9...o.\...[%..h#..v...>..-..j...Nx.Z.E.4.
|.....'.%.$S.z..3i&........Q.Q.....{................o.....o..........y
...HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml..Da
te: Tue, 06 Sep 2016 16:44:33 GMT..P3P: CP='This is not a P3P policy. 
See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyote/1
.1..Vary: Accept-Encoding..Content-Length: 411..Connection: keep-alive
..............Qo.0....)(.y[...D..M.)R.V.t.U...&h.A....~&J.n........ww.
...i..TM R.....D..FlR....b{J..s../2...D.&:..Zw...d...]5.[...lKO...S.}.
Pfs...Z....uL.........k...../....aS<-..~...<{9.u .0@..|.E-Z.S..4
J..&q.n..DQ....<H..$..`..7....L...U.._p0QIyW......;S*..U.6...(.~.a.
....0p]:.^_.F...J....{.!....9...o.\...[%..h#..v...>..-..j...Nx.Z.E.
4.|.....'.%.$S.z..3i&........Q.Q.....{................o.....o.........
.y.......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=BidTheatre,beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:34 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
161..............]o.0.... ..........u...-...c...B6.i........fw.8.=....
....2!....c...x....cs..^...\..$..2. .F..*6K...BJ....&...FR....R......X
&c.......h[&..t/..I.y.4}.....&4...iJ..|4N.d~.kA(..._.{^...PT4.. .Q....
. .C.....u..p...8gL.....-i...F..g..v.}?.W}.>.<.z..P.v..=..7.bA0.
.8....PkPEi..... .J.........".2.)...L..A....Zm.<......Vf..W..d...Z.
.~.Y...@..t..-.....d.........z.,.....0..HTTP/1.1 200 OK..Content-Encod
ing: gzip..Content-Type: text/xml..Date: Tue, 06 Sep 2016 16:44:34 GMT
..P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/pri
vacy-policy'..Server: Apache-Coyote/1.1..Vary: Accept-Encoding..transf
er-encoding: chunked..Connection: keep-alive..161..............]o.0...
. ..........u...-...c...B6.i........fw.8.=........2!....c...x....cs..^
...\..$..2. .F..*6K...BJ....&...FR....R......X&c.......h[&..t/..I.y.4}
.....&4...iJ..|4N.d~.kA(..._.{^...PT4.. .Q..... .C.....u..p...8gL.....
-i...F..g..v.}?.W}.>.<.z..P.v..=..7.bA0..8....PkPEi..... .J.....
....".2.)...L..A....Zm.<......Vf..W..d...Z..~.Y...@..t..-.....d....
.....z.,.....0......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=beeswax,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:34 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 365

Connection: keep-alive
............[o.0....)...I...)%D].d.....1............../..rN.....O.a.T.
Z......(....6....0.St......F..3r=1..3FN.0.2.vM.T....m..6.4:......F0#..
..KIU....P..............x.x}@.v9.eE.<.I.....?..^q.I.j..q..8...m.0..
.#..c..q.Q<...0.6.*kN.M...A.m...$....A...;...u.].Z!.~...... ...9R..
.5QN-@%.............5...N..L*.....SE..[./K...aq.,...]...r.;5....1...8W
..t...%@......`.3D...HTTP/1.1 200 OK..Content-Encoding: gzip..Content-
Type: text/xml..Date: Tue, 06 Sep 2016 16:44:34 GMT..P3P: CP='This is 
not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'..Serve
r: Apache-Coyote/1.1..Vary: Accept-Encoding..Content-Length: 365..Conn
ection: keep-alive..............[o.0....)...I...)%D].d.....1..........
..../..rN.....O.a.T.Z......(....6....0.St......F..3r=1..3FN.0.2.vM.T..
..m..6.4:......F0#....KIU....P..............x.x}@.v9.eE.<.I.....?..
^q.I.j..q..8...m.0...#..c..q.Q<...0.6.*kN.M...A.m...$....A...;...u.
].Z!.~...... ...9R...5QN-@%.............5...N..L*.....SE..[./K...aq.,.
..]...r.;5....1...8W..t...%@......`.3D.......


GET /syncnoad?rid=6966d984a08f4668851db1a9d199c1ea&p=_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="1,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:34 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

Content-Length: 353

Connection: keep-alive
..........d.]o.0.... X/.........1Y.e..0..Z.qP.vd.. ..>..s....o...~.
:&..M.\...k*AysH.........u..W..13...N.Q.v.......^....R-..Di..U...v..`.
Q..WI......*.j\..V.?#x)...-.a....v3.gE.9.U...X./^.F.j...[..o...B.S.T..
.'..AG...jr.4]{;?...H.....ZHS.........}..$.I.9....C.....$.i.....~..q..
.%.u..r...;o..[.T...h&.yH......o.1d!Iu2...X....w.^a.C.^.6...._.......h
......HTTP/1.1 200 OK..Content-Encoding: gzip..Content-Type: text/xml.
.Date: Tue, 06 Sep 2016 16:44:34 GMT..P3P: CP='This is not a P3P polic
y. See hXXp://tremorvideo.com/en/privacy-policy'..Server: Apache-Coyot
e/1.1..Vary: Accept-Encoding..Content-Length: 353..Connection: keep-al
ive............d.]o.0.... X/.........1Y.e..0..Z.qP.vd.. ..>..s....o
...~.:&..M.\...k*AysH.........u..W..13...N.Q.v.......^....R-..Di..U...
v..`.Q..WI......*.j\..V.?#x)...-.a....v3.gE.9.U...X./^.F.j...[..o...B.
S.T...'..AG...jr.4]{;?...H.....ZHS.........}..$.I.9....C.....$.i.....~
..q...%.u..r...;o..[.T...h&.yH......o.1d!Iu2...X....w.^a.C.^.6...._...
....h..........


GET /syncnoad?rid=cc730cd37857478e93f07a08d2307af7&p=SundaySky,ignitionone,centro,Videology,google,TubeMogul-GP,eyeview,dataxu,videoamp,adapTV,mediamath,beeswax,thetradedesk,_dmp_turbine,1,audiencescience,dynadmic,Bidswitch,conversant,rocketfuel,BidTheatre,tremornet&uid=575b8f7ad5d64d24a58ac20715400d3b&init=true HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="2,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:37 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
1e6.............RMo.@...W.H.-.lS..X.I.H...q.Qd..cX.....1..............
.....f?:.6B...'.3B....J....U.,.7.:...l:.(P..M...v..Vc.t............`;.
8..o.k'.3>J.........Xl...;....}.<..x.....4~.......\..m%...U..L*.
K-x.X8....Q....?..^.^..3:...M*..=.....C. -.. .......;....R.J.J.>...
k..,.;..6$..k.Q.U...5Z..9..Q.. .iH.qA.F.N.`.....G.....&.w.C...\......6
..4`.gyQ#.."%.y.#........7..v.....M&..2.....~..s."`S/.....Y.........Z.
..a...e..Y..... ......<...9.m.j4...i....8...4.B..)..lGKzs...R./....
.-...u.a..._...d........6........0..HTTP/1.1 200 OK..Content-Encoding:
 gzip..Content-Type: text/xml..Date: Tue, 06 Sep 2016 16:44:37 GMT..P3
P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy
-policy'..Server: Apache-Coyote/1.1..Vary: Accept-Encoding..transfer-e
ncoding: chunked..Connection: keep-alive..1e6.............RMo.@...W.H.
-.lS..X.I.H...q.Qd..cX.....1...................f?:.6B...'.3B....J....U
.,.7.:...l:.(P..M...v..Vc.t............`;.8..o.k'.3>J.........Xl...
;....}.<..x.....4~.......\..m%...U..L*.K-x.X8....Q....?..^.^..3:...
M*..=.....C. -.. .......;....R.J.J.>...k..,.;..6$..k.Q.U...5Z..9..Q
.. .iH.qA.F.N.`.....G.....&.w.C...\......6..4`.gyQ#.."%.y.#........7..
v.....M&..2.....~..s."`S/.....Y.........Z...a...e..Y..... ......<..
.9.m.j4...i....8...4.B..)..lGKzs...R./.....-...u.a..._...d........6...
.....0......
>>

GET /syncnoad?rid=cc730cd37857478e93f07a08d2307af7&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,_dmp_turbine&uid=575b8f7ad5d64d24a58ac20715400d3b HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: partners.tremorhub.com

Connection: Keep-Alive

Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; tvrg_60409="2,1473180263"

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/xml

Date: Tue, 06 Sep 2016 16:44:38 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Server: Apache-Coyote/1.1

Vary: Accept-Encoding

transfer-encoding: chunked

Connection: keep-alive
1f8.............R.n.0... \..-....@..:i. m.Jq.A P..LX$.......]..K..g...
......{[4Vh.x.?.z......{.?.L.Y.&^...J.v4*T..%....6..A...-}.e`m....u..6
..~ .w^.....?.k.4]...C....^.=..%y.:..U........n.._...f."A._s.. .`f.$.G
...(.N.q4...U..p.......$\..YL.w.E...EWm}...BQ)...Z!E....&_.....%p... _
.@]..............[...E...F...e8*g4....N8.&....!.t....H..J..$s..=_##...
.v......&.....p.)..~K.L.I9]E.&.~..1.L....`2.C....i..i..1..

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: xlf5t.ads.tremorhub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/xml

Date: Tue, 06 Sep 2016 16:44:22 GMT

ETag: W/"144-1446501138000"

Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT

Server: Apache-Coyote/1.1

Content-Length: 144

Connection: keep-alive
<?xml version="1.0" ?>.<cross-domain-policy>.    <!-- V
ery Liberal -->.    <allow-access-from domain="*" secure="false"
/>.</cross-domain-policy>....


GET /ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 3&mediaDesc=Entertainment videos ivids.net - 3&mediaId=2&mediaUrl=hXXp://VVV.ivids.net/3.html&srcPageUrl=hXXp://VVV.ivids.net/3.html&contentLength=300 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://ivids.net/ova-jw.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: xlf5t.ads.tremorhub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store, must-revalidate

Content-Encoding: gzip

Content-Type: text/xml;charset=ISO-8859-1

Date: Tue, 06 Sep 2016 16:44:23 GMT

P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'

Pragma: no-cache

Server: Apache-Coyote/1.1

Set-Cookie: tvid=575b8f7ad5d64d24a58ac20715400d3b; Domain=.tremorhub.com; Expires=Wed, 06-Sep-2017 22:32:43 GMT; Path=/

Set-Cookie: tvrg_60409="1,1473180263"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Tue, 06-Sep-2016 16:45:23 GMT; Path=/

Vary: Accept-Encoding

x-tremorvideo-status: NO_AD

Content-Length: 571

Connection: keep-alive
...........S.n.0.}.W...[I.%....PVH{...}.*...`A..........=T.......3.xv.
..#H..O...;.....W.../o#g....l............i.L=OK.....W..S.q:z.4.F%....l
..qF;i.S...i..Yi.....Y..b...%.hN....4..4_dy.t.k.......{.%...$.I8.C:...
.^.a.E......`2). .&.cT.2]...\.@KB....[.Q...8... Z..w@...Vq.Q...G.....h
.@....9..Sr^...B49.4J....kt..n.....y.[H....F.8..Bs.(...l..@....P...4.(
.._....M._Ee....,#p-.E..p.....5(.h<*..1.#..i.HF.)..8..}.....F.-.&lt
;?....X..........K....Q..Nfv...Y.....I.zd1..T#Q^..N,.;.........X^w.|\m
2w.p.wG............K......&xi<........._p....$..7.... D{.....~K....
..E...W......#7.....HTTP/1.1 200 OK..Cache-Control: no-cache, no-store
, must-revalidate..Content-Encoding: gzip..Content-Type: text/xml;char
set=ISO-8859-1..Date: Tue, 06 Sep 2016 16:44:23 GMT..P3P: CP='This is 
not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'..Pragm
a: no-cache..Server: Apache-Coyote/1.1..Set-Cookie: tvid=575b8f7ad5d64
d24a58ac20715400d3b; Domain=.tremorhub.com; Expires=Wed, 06-Sep-2017 2
2:32:43 GMT; Path=/..Set-Cookie: tvrg_60409="1,1473180263"; Version=1;
 Domain=.tremorhub.com; Max-Age=60; Expires=Tue, 06-Sep-2016 16:45:23 
GMT; Path=/..Vary: Accept-Encoding..x-tremorvideo-status: NO_AD..Conte
nt-Length: 571..Connection: keep-alive.............S.n.0.}.W...[I.%...
.PVH{...}.*...`A..........=T.......3.xv...#H..O...;.....W.../o#g....l.
...........i.L=OK.....W..S.q:z.4.F%....l..qF;i.S...i..Yi.....Y..b...%.
hN....4..4_dy.t.k.......{.%...$.I8.C:....^.a.E......`2). .&.cT.2]...\.
@KB....[.Q...8... Z..w@...Vq.Q...G.....h.@....9..Sr^...B49.4J....k
>>

The Dropped connects to the servers at the folowing location(s):

Map

Strings from Dumps

wearily.exe_460:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp\ExecCmd.dll

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp\ExecCmd.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp\ExecCmd.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp\ExecCmd.dll

"%Program Files%\orignal\uncorroborated.exe"

"%Program Files%\orignal\uncorroborated.exe"

.reloc

.reloc

EnumWindows

EnumWindows

ExecCmd.dll

ExecCmd.dll

Kernel32.DLL

Kernel32.DLL

e%uy%u

e%uy%u

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp

nsa7.tmp

nsa7.tmp

rogram Files\orignal\uncorroborated.exe"

rogram Files\orignal\uncorroborated.exe"

q uncorroborated.exe" | %SystemRoot%\System32\find /I "uncorroborated.exe"

q uncorroborated.exe" | %SystemRoot%\System32\find /I "uncorroborated.exe"

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa7.tmp

"%Program Files%\athough\wearily.exe"

"%Program Files%\athough\wearily.exe"

%Program Files%\athough

%Program Files%\athough

wearily.exe

wearily.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx6.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx6.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

%Program Files%\athough\wearily.exe

%Program Files%\athough\wearily.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Nullsoft Install System v2.46

Nullsoft Install System v2.46

hough\wearily.exe"

hough\wearily.exe"

l\uncorroborated.exe"

l\uncorroborated.exe"