SearchProtectToolbar_pcap_1efb6e92f0
Trojan.Win32.Sasfis.FD, SearchProtectToolbar_pcap.YR, SearchProtectToolbar.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1efb6e92f0986e3e12c53102d155de2e
SHA1: 4616db2e15675c0e4370ee0fdb9b73a5c11e0879
SHA256: b9dca6aa60f04f2150f74150ed1b13e76d9aba4fee404047d534d72fe36a07a3
SSDeep: 49152:fqYRHcNRygOSk55l0Q2c0h5mbFsqlpBLV5QbcLRRV7Tw26f:tHcHy955CQkAFsWBtrFU
Size: 2406080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: BitTorrent Inc.
Created at: 2017-06-19 23:11:01
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
mshta.exe:3584
%original file name%.exe:600
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process mshta.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HE.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\CA.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SL.locale (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HI.locale (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\IS.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\BG.locale (223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\97332779.log (174371 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\NE.locale (334 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\CS.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SQ.locale (149 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bg_test_B[1].png (3644 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\EU.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\UK.locale (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ET.locale (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\RO.locale (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014369A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\bootstrap_52852.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\DA.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\GU.locale (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\BE.locale (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\MR.locale (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\UR.locale (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\LT.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001434D5.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PS.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TR.locale (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\UZ.locale (169 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS.part (711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\FR.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\NO.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\AF.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SK.locale (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143514.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KK.locale (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ES.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS (4340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HT.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\LV.locale (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KU.locale (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\VI.locale (180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KO.locale (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\DE.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\RU.locale (266 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014368A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\AZ.locale (177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PA.locale (257 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\IT.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\MS.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ID.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TE.locale (320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ML.locale (360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\json[1].js (322 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\JA.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KA.locale (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\YO.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\EN[1].png (1184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\FI.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\ie6_main.css (1 bytes)
%Program Files%\001437C2.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TA.locale (330 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TL.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\MK.locale (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\NL.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HU.locale (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\LO.locale (305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HY.locale (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\EL.locale (235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\FA.locale (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ZH.locale (137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TH.locale (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\EN.locale (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\index.hta.log (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PL.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SV.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs_bg[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ZU.locale (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PT.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\BS.locale (159 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014368A.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001434D5.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014369A.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\bootstrap_52852.html (0 bytes)
%Program Files%\001437C2.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143514.log (0 bytes)
The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\it.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\br.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DVVEN1YQ.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\common.js (349 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\pt.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ERB2UUC9.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\ko.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\install.1502626712.zip (281721 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\initialize.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttF8BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.ocx (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\index.hta (739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\yandex_horz_ru.png (7 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DVVEN1YQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttF8BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp (0 bytes)
Registry activity
The process mshta.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1299588363"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "mshta.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}]
"(Default)" = "ActiveBinderX Control"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "2164726829"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb]
"(Default)" = ""
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0]
"(Default)" = "ActiveBinderProj Library"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}]
"(Default)" = "FS"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"
[HKCR\FS.ActiveBinderX]
"(Default)" = "ActiveBinderX Control"
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.ocx"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ToolboxBitmap32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.ocx,1"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}]
"(Default)" = "IActiveBinderXEvents"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\FS.ActiveBinderX\Clsid]
"(Default)" = "{4E120188-0CAC-468C-B2D9-9D1F079EBC25}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ProgID]
"(Default)" = "FS.ActiveBinderX"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Control]
"(Default)" = ""
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb\0]
"(Default)" = "Properties,0,2"
[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus\1]
"(Default)" = "205201"
[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.ocx"
[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\"
Dropped PE files
| MD5 | File path |
|---|---|
| eaba486ca44ce139b1a6c2520fe61837 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.dll |
| 3150db366b17ec12a837bf6d7e501d4d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.ocx |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: BitTorrent Inc.
Product Name: HD Player
Product Version: 3.5.0.43916
Legal Copyright: (c)2016 BitTorrent, Inc. All Rights Reserved.
Legal Trademarks:
Original Filename: uTorrent.exe
Internal Name: uTorrent.exe
File Version: 3.5.0.43916
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 3739648 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 3743744 | 2265088 | 2265088 | 5.5451 | 5572ac8c0e7990a8cedf39c3cff3374e |
| .rsrc | 6008832 | 126976 | 126464 | 4.87901 | 87e4e4f7693644a4b23aa460001ae7a7 |
Dropped from:
Downloaded by:
69e33494cbf20112c76046e564bbea24
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 10
URLs
| URL | IP |
|---|---|
| hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50 | |
| hxxp://download-new.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258508/ | |
| hxxp://ip-api.com/json?callback=jQuery19105098857784470667_1502626713858&_=1502626713859 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=366140566 | |
| hxxp://os.robotitor.com/BitTorrent/?v=6.0&c=54364638&t=1325072 | |
| hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=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 | |
| hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=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 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=593579122 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=705240951 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1421987893 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1726773493 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1364936724 | |
| hxxp://img.robotitor.com/img/Rawabere/FS/bg_test_B.png | |
| hxxp://img.robotitor.com/img/Pipupimiwad/fs_bg.png | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=931862904 | |
| hxxp://cdneu.robotitor.com/ofr/Solululadul/asgnd.cis | |
| hxxp://img.robotitor.com/img/Tavasat/15Feb17/v1_fs/EN.png | |
| hxxp://img.robotitor.com/img/Rawabere/bg_B_FS.png | |
| hxxp://cdnus.robotitor.com/ofr/Solululadul/asgnd.cis | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=2014793796 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1398293442 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1328061411 | |
| hxxp://rp.robotitor.com/?v=2.0&subver=6.21&pcrc=1339583871 | |
| i-50.b-000.xyz.bench.utorrent.com | |
| router.utorrent.com | |
| download-lb.utorrent.com | |
| router.bittorrent.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE Win32/InstallCore Initial Install Activity 1
ET POLICY External IP Lookup ip-api.com
Traffic
GET /e?i=50&e=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 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: i-50.b-000.xyz.bench.utorrent.com
HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 13 Aug 2017 12:18:39 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: keep-alive
{"response_code":200}
GET /img/Rawabere/FS/bg_test_B.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: img.robotitor.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Type: image/png
Content-Length: 60535
Connection: keep-alive
x-amz-id-2: vrXAI9lXEtPlMfWq1TAXFrnx/CTlIWWHJeT91f18nBikVapdQ0hrQhdlb9jkfNc4VyF9XAqIh0o=
x-amz-request-id: 84C5E505D0E70839
Last-Modified: Mon, 19 Jun 2017 10:46:21 GMT
ETag: "f6d24a5c0bba5b766c0c57c6dd66dd08"
x-amz-meta-cb-modifiedtime: Mon, 19 Jun 2017 10:42:39 GMT
x-amz-version-id: 2_EumuZMUwGG5WRCKOcgaKHZcK4VeJf3
Accept-Ranges: bytes
<<< binary PNG image body skipped >>>
GET /img/Rawabere/bg_B_FS.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: img.robotitor.com
Connection: Keep-Alive
HTTP/1.1 403 Forbidden
Server: nginx/1.10.2
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
x-amz-request-id: 8D288BA8F20FE090
x-amz-id-2: hgU/5OwAszudPpmq1Ywh3zl2ayAgNM 8jTdoZkaimaoK8r1QM6pht1XWS0J9fIDIuZwW N6NHQ=
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>8D288BA8F20FE090</RequestId><HostId>hgU/5OwAszudPpmq1Ywh3zl2ayAgNM 8jTdoZkaimaoK8r1QM6pht1XWS0J9fIDIuZwW N6NHQ=</HostId></Error>
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 259
{"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"2","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"600","h":"k4QLlHZKXKYmV2a6","sid":"k4QLlHZKXKYmV2a61502626712","order":"2"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 13 Aug 2017 12:18:33 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
GET /json?callback=jQuery19105098857784470667_1502626713858&_=1502626713859 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ip-api.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/javascript; charset=utf-8
Date: Sun, 13 Aug 2017 12:18:36 GMT
Content-Length: 322
jQuery19105098857784470667_1502626713858({"as":"AS31561 Pitline Ltd","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.218","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""});
POST /?v=2.0&subver=6.21&pcrc=366140566 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 2336
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:39 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=593579122 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 2976
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=1421987893 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1952
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=1364936724 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1952
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=2014793796 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 2032
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=1328061411 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1952
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:42 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 268
{"eventName":"hydra1","action":"INFO","type":"i","res":"1276x846","cts":"1502626713","pv":"","cau":"0","cc":"0","bkt1":"0","ssb":"2","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"600","h":"k4QLlHZKXKYmV2a6","sid":"k4QLlHZKXKYmV2a61502626712","order":"3"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 13 Aug 2017 12:18:33 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 247
{"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"600","h":"k4QLlHZKXKYmV2a6","sid":"k4QLlHZKXKYmV2a61502626712","order":"1"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 13 Aug 2017 12:18:24 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
GET /ofr/Solululadul/asgnd.cis HTTP/1.1
Range: bytes=0-101028
Accept: */*
Host: cdnus.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.10.2
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Type: application/octet-stream
Content-Length: 101029
Connection: keep-alive
x-amz-id-2: 3aHJ3oXBJH/HLXF61tXp6BSAv4KSEU8OGKiq36lgzZli2KIVXiU5BsppSL6S5mWH94Q6ONlsmvI=
x-amz-request-id: 26A7769F73936611
x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3
x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT
Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT
ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"
Content-Range: bytes 0-101028/101029
POST /?v=2.0&subver=6.21&pcrc=705240951 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1952
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=1726773493 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1952
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=931862904 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1952
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=1398293442 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1968
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /?v=2.0&subver=6.21&pcrc=1339583871 HTTP/1.1
Accept: */*
Host: rp.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1968
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Aug 2017 12:18:42 GMT
Content-Length: 4
Connection: keep-alive
DONE
POST /BitTorrent/?v=6.0&c=54364638&t=1325072 HTTP/1.1
Accept: */*
Host: os.robotitor.com
User-Agent: ICAS
Content-Length: 1792
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 13 Aug 2017 12:18:39 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-GICSET: 13716
X-ICSCT-IP: 194.242.96.226
X-ICSCT-ISP: Pitline Ltd
X-ICSCT-ORGANIZATION: Pitline Ltd
X-ICSCT-SERVER-NAME: ads-slave-173-production-eu-west-1-i-0298a885e96094a16
X-ICSCT-TIMESTAMP: 20170813071839548
X-ICSCT-VERSION: v1.7.3
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-ICSCT-XS: 91bba9083b637bbb85f2bc525458ea3d2e0cb405
X-Powered-By: PHP/5.5.38
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
HEAD /ofr/Solululadul/asgnd.cis HTTP/1.1
Accept: */*
Host: cdneu.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Type: application/octet-stream
Content-Length: 101029
Connection: keep-alive
x-amz-id-2: o8o4JXS q/nIEv01SMmiWml5VLVCIz/BJDvdMsLbcic5trfuVwS2LbYGbpYvojr7v6eleOvgOTo=
x-amz-request-id: FDADFC18F441E17D
Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT
ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"
x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT
x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3
Accept-Ranges: bytes
GET /ofr/Solululadul/asgnd.cis HTTP/1.1
Range: bytes=0-101028
Accept: */*
Host: cdneu.robotitor.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.10.2
Date: Sun, 13 Aug 2017 12:18:42 GMT
Content-Type: application/octet-stream
Content-Length: 101029
Connection: keep-alive
x-amz-id-2: o8o4JXS q/nIEv01SMmiWml5VLVCIz/BJDvdMsLbcic5trfuVwS2LbYGbpYvojr7v6eleOvgOTo=
x-amz-request-id: FDADFC18F441E17D
Last-Modified: Wed, 20 Jan 2016 14:38:52 GMT
ETag: "638ebcd93f900c3908f5dde6d8bc2d9f"
x-amz-meta-cb-modifiedtime: Wed, 20 Jan 2016 14:37:36 GMT
x-amz-version-id: ak82ScyXtEXeOWL8crBo3MgwwdwO6r.3
Content-Range: bytes 0-101028/101029
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 233
{"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"111258508","cl":"uTorrent","osv":"6.1","l":"en","pid":"600","h":"k4QLlHZKXKYmV2a6","sid":"k4QLlHZKXKYmV2a61502626712","order":"0"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 13 Aug 2017 12:18:24 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
GET /img/Pipupimiwad/fs_bg.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: img.robotitor.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Type: image/png
Content-Length: 10681
Connection: keep-alive
x-amz-id-2: UXhZCV6lpS1JX/2VvoQ MQTn6oZoU2Cpnlarn3b0CUka0M2wAvg5Aq7Tjr0orqyAM7euvzmI36Q=
x-amz-request-id: 034F451F60C3B6E0
Last-Modified: Tue, 14 Mar 2017 14:39:55 GMT
ETag: "f99f4215b5828f50aa09a4b231c992e5"
x-amz-meta-cb-modifiedtime: Mon, 27 Jun 2016 13:05:01 GMT
x-amz-version-id: jFptmCTTvh4Xao9YuhsxAEAuX4FfvtgT
Accept-Ranges: bytes
GET /img/Tavasat/15Feb17/v1_fs/EN.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: img.robotitor.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Sun, 13 Aug 2017 12:18:41 GMT
Content-Type: image/png
Content-Length: 17086
Connection: keep-alive
x-amz-id-2: U27Wq84CTZBSiwXCAAwMwu4vlNOcRUf4ZDAkdxHAuRrSIRzaBSBd3kECLTGVdQTOtzgphhXKcqg=
x-amz-request-id: E4A379BA1C1C7534
Last-Modified: Sun, 19 Feb 2017 16:53:33 GMT
ETag: "c5ba68eff9f6d46f3a4b5676a129fbf5"
x-amz-meta-cb-modifiedtime: Thu, 09 Feb 2017 13:17:54 GMT
x-amz-version-id: 5siYo6NUIJ7JPw4lZdISqbPwj4b.NXB5
Accept-Ranges: bytes
GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111258508/ HTTP/1.1
Host: download-lb.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 0
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Sun, 13 Aug 2017 12:18:24 GMT
Content-Type: application/octet-stream
Content-Length: 2422352
Connection: close
X-bt-sig: […]
Last-Modified: Fri, 28 Apr 2017 05:30:30 0000
Accept-Ranges: none
Content-Disposition: attachment; filename="hta.zip"
X-bt-size: 2422352
Cache-Control: private
X-rl-mx: true
Rule-UUID: de7f6050-4f7c-45cf-a888-37b23152e2e9
Content-MD5: c5aafa98f633fdd4b55bc1e06a620e32
Expires: Tue, 01 Jan 1980 00:00:00 0000
X-bt-hash: 6dc7a1b2d78f8a036606f61d1c9f2c88b6be26e5
[hta.zip entry: index.hta]
<html>
<head>
  <title>Loading...</title>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=9">
  <meta http-equiv="MSThemeCompatible" content="yes">
  <script src="scripts/initialize.js"></script>
  <link rel="stylesheet" href="styles/common.css"/>
  <!--[if lte IE 8]>
  <script src="scripts/es5-shim.js"></script>
  <![endif]-->
</head>
<style>
  * {
    overflow: hidden;
    margin: 0px;
    padding: 0px;
    z-index: 0;
  }
</style>
<body class="installer_body">
  <!-- this is the loading img while loading offer page -->
  <div id='loading_img'></div>
</body>
<script src="scripts/common.js"></script>
<script src="scripts/install.js"></script>
</html>
[hta.zip entry: uninstall.hta]
<html>
<head>
  <title>Loading...</title>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=9">
  <meta http-equiv="MSThemeCompatible" content="yes">
  <script src="scripts/initialize.js"></script>
  <link rel="stylesheet" href="styles/common.css"/>
  <!--[if lte IE 8]>
  <script language="javascript" type="text/javascript" src='scripts/es5-shim.js'></script>
  <![endif]-->
</head>
<body class="installer<<< skipped >>>
GET /e?i=50&e=[…] HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: i-50.b-000.xyz.bench.utorrent.com
HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 13 Aug 2017 12:18:39 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: keep-alive
{"response_code":200}
The Trojan connects to the servers at the following location(s):
mshta.exe_3584_rwx_04E70000_000B6000:
mshta.exe_3584_rwx_05FE1000_00180000:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HE.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\CA.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SL.locale (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HI.locale (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\IS.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\BG.locale (223 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\97332779.log (174371 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\NE.locale (334 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\CS.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SQ.locale (149 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bg_test_B[1].png (3644 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\main.css (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\EU.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\UK.locale (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ET.locale (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\RO.locale (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014369A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\bootstrap_52852.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\DA.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\GU.locale (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\BE.locale (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\MR.locale (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\UR.locale (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\LT.locale (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\001434D5.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PS.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TR.locale (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\UZ.locale (169 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ns480180C7\3B1DE5F8_stp.CIS.part (711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\FR.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\NO.locale (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\AF.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SK.locale (164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143514.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KK.locale (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SR.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ES.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HT.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\LV.locale (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KU.locale (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\VI.locale (180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KO.locale (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\DE.locale (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\RU.locale (266 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014368A.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\AZ.locale (177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PA.locale (257 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\IT.locale (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\MS.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ID.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TE.locale (320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ML.locale (360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\json[1].js (322 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\JA.locale (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\KA.locale (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\YO.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\EN[1].png (1184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\FI.locale (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\ie6_main.css (1 bytes)
%Program Files%\001437C2.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TA.locale (330 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TL.locale (163 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\MK.locale (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\NL.locale (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HU.locale (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\LO.locale (305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\HY.locale (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\EL.locale (235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\FA.locale (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ZH.locale (137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\TH.locale (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\EN.locale (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\index.hta.log (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PL.locale (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\SV.locale (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\fs_bg[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\ZU.locale (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\PT.locale (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd132430843855\locale\BS.locale (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\it.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\br.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DVVEN1YQ.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\common.js (349 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\pt.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ERB2UUC9.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\ko.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\install.1502626712.zip (281721 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\initialize.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttF8BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\3rdparty\FS.ocx (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\index.hta (739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYDFE3C.tmp.1502626712\HTA\images\yandex_horz_ru.png (7 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.