Gen:Variant.Mikey.51077 (B) (Emsisoft), Gen:Variant.Mikey.51077 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4c1f48a6b56af294f983453bdd21e6af
SHA1: 8bf843c8186a864365d8be0b20b2851399957d77
SHA256: 28d50dba18a0a2458692adfcb2f4f28127db7d8911c23a657bcd1ecdd659ef6b
SSDeep: 12288:mlzcNRuu/0zxHGSAsbl/JgisB8SwkbFsVCTKXDtRv2VyGXLL:mU7/GHmOJlCXwkaVzTzvO
Size: 724536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Catalina Group Ltd.
Created at: 2015-10-24 01:28:22
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
citrio_50.0.2661.271_1.exe:3084
CatalinaUpdate.exe:1284
CatalinaUpdate.exe:1948
CatalinaUpdate.exe:592
CatalinaUpdate.exe:624
CatalinaUpdate.exe:1228
CatalinaUpdate.exe:2724
citrio.exe:3452
citrio.exe:3508
citrio.exe:3560
citrio.exe:4076
citrio.exe:1228
citrio.exe:3376
citrio.exe:3420
citrio.exe:3436
citrio.exe:3468
citrio.exe:3496
citrio.exe:3412
citrio.exe:3520
citrio.exe:3648
citrio.exe:3572
citrio.exe:3528
CatalinaCrashHandler.exe:2672
%original file name%.exe:348
setup.exe:3544
The Trojan injects its code into the following process(es):
citrio.exe:212
citrio.exe:1080
citrio.exe:3364
citrio.exe:3016
citrio.exe:2260
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process citrio_50.0.2661.271_1.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\setup.exe (20838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\SETUP.EX_ (1731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\CITRIO.PACKED.7Z (443233 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\CITRIO.PACKED.7Z (0 bytes)
The process CatalinaUpdate.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install\{2EE34F43-5047-454D-A00C-8C4791C44D77}\citrio_50.0.2661.271_1.exe (449813 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\50.0.2661.271\citrio_50.0.2661.271_1.exe (449813 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{4DD1FD9C-4C27-40AD-9A58-CCC3BAA59079}-citrio_50.0.2661.271_1.exe (0 bytes)
The process CatalinaUpdate.exe:592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll (19 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll (28 bytes)
The process citrio.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GPMFO96B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\debug.log (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HHZ07SG0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDUB0TY7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ON4PSBMF\desktop.ini (67 bytes)
The process citrio.exe:1228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\manifest.json (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\uk\messages.json (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\fil\messages.json (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\video.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\play_track.png (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\audio.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\open_in_folder.png (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.html (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\en\messages.json (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\citrio.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ms\messages.json (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ru\messages.json (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\th\messages.json (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\id\messages.json (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\128.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\pt_BR\messages.json (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ar\messages.json (374 bytes)
The process citrio.exe:3376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ms\messages.json (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\id\messages.json (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\popup.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon35.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon48.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.fb.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.tw.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\css\template.css (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\background.js (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16-old.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\manifest.json (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16.png (497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\en\messages.json (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon128.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\locale.js (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\fil\messages.json (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\pt_BR\messages.json (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon64.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.gp.png (1 bytes)
The process citrio.exe:3016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\LOG (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000003.log (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_3 (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_2 (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_1 (7112 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons (4342 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor (5093 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10.tmp (162124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data-journal (13750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\LOG (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_bzErAGqsXYnpIzL (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\citrio_ext.crx (114298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\LOG (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\17.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000001 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (305478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\First Run (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Visited Links (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\15.tmp (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_un2S1bucDLFPyFj (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\media_downloader.crx (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\download_all.crx (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\13.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000003.log (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites-journal (12948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\share_page.crx (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\19.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data (29629 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data (3478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor-journal (11985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_a5iDZNqB3HvkBEZ (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites (5232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1C.tmp (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_y2LoLvnnttwawLo (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_IYtZfL4RjyYddJy (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\7.tmp (1478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\index (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\README (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_kSEsv1UeGSodnIo (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History (21181 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\14.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\10.tmp (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_0 (6092 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1A.tmp (999630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\proxy.crx (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Current Session (7167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_qAfo2hnyMisAbxx (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Preferences~RF65016.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Preferences~RF64c7c.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Secure Preferences~RF64d86.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (0 bytes)
The process citrio.exe:3436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\th\messages.json (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\search.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\fil\messages.json (520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.inactive.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.interface.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\uk\messages.json (862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\pt_BR\messages.json (525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\id\messages.json (481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ru\messages.json (868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\en\messages.json (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\locale.js (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\css\template.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.png (60000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\manifest.json (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.ui.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ar\messages.json (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon.close.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon128.png (60000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.popup.js (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ms\messages.json (503 bytes)
The process citrio.exe:3468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_empty.png (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_19.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_stats.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libcurl.dll (22840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\_bz2.pyd (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\manifest.json (988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_16.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\citrio_ext.dll (34392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pyexpat.pyd (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pywintypes34.dll (7784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtCore4.dll (152471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\ssleay32.dll (18768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\youtube-dl.exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\zlib1.dll (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcp100.dll (27336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcr100.dll (49672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\select.pyd (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_dv.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libeay32.dll (76989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_dv.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\base_library.zip (206432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32wnet.pyd (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libtorrent.dll (129574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\dlnlib.dll (38624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\unicodedata.pyd (48768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtGui4.dll (541377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\background.html (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32api.pyd (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_stats.js (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_notification.js (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\python34.dll (164484 bytes)
The process citrio.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_detail.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\agent.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\th\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\doT.min.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\popup.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\sandbox.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\new.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ru\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\logging.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\id\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\manifest.json (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ar\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\mochi.js (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\popup.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.js (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\base64.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\sandbox.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\mochi.css (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\model.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\uk\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\en\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_list.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.local.js (619 bytes)
The process citrio.exe:3520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\disable.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\sprite.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\style.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-active.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all-disable.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\open-icon.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\en\messages.json (981 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-hover.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\theme.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\background.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\id\messages.json (994 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\jquery-1.11.0.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\js.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\manifest.json (557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\active.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\locale.js (244 bytes)
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (0 bytes)
The process setup.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bg.pak (1714 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\proxy.crx (1676 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\d3dcompiler_47.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-TW.pak (219 bytes)
%Documents and Settings%\%current user%\Desktop\Facebook.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\he.pak (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\resources.pak (150724 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ru.pak (1688 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\am.pak (1647 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\download_all.crx (1766 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ar.pak (1641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\citrio.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sl.pak (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ro.pak (268 bytes)
%Documents and Settings%\%current user%\Desktop\YouTube.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-BR.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-US.pak (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libexif.dll (307 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sk.pak (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\chrome.VisualElementsManifest.xml (342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_32.nexe (20507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\external_extensions.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sw.pak (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_200_percent.pak (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\smalllogo.png (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\metro_driver.dll (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ja.pak (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\de.pak (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libglesv2.dll (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hu.pak (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ms.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\50.0.2661.271.manifest (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\gu.pak (1805 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es-419.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\pepflashplayer.dll (124061 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\logo.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\tr.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\id.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_100_percent.pak (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\el.pak (1752 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fr.pak (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-CN.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fil.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\widevinecdmadapter.dll (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_child.dll (321430 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\icudtl.dat (75554 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\cs.pak (268 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ml.pak (3743 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lt.pak (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fa.pak (1654 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl64.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sv.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_watcher.dll (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\secondarytile.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\version.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_64.nexe (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\natives_blob.bin (1711 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\citrio.7z (1358422 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\uk.pak (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\share_page.crx (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\delegate_execute.exe (3802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hi.pak (1820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-GB.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\mr.pak (1812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\te.pak (1870 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sr.pak (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\da.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nb.pak (238 bytes)
%Documents and Settings%\%current user%\Desktop\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fi.pak (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\et.pak (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\it.pak (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nl.pak (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio.dll (259439 bytes)
%Documents and Settings%\%current user%\Desktop\Chrome Web Store.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libegl.dll (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_100_percent.pak (6303 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\kn.pak (3680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ca.pak (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_200_percent.pak (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\wow_helper.exe (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\snapshot_blob.bin (1802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hr.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_elf.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ko.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-PT.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\th.pak (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bn.pak (1839 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\media_downloader.crx (1670 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lv.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\citrio_ext.crx (110258 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ta.pak (3691 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\vi.pak (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pl.pak (261 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\citrio.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\wow_helper.exe (0 bytes)
Registry activity
The process citrio_50.0.2661.271_1.exe:3084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 A8 A0 DA 2F 53 E8 E3 48 53 36 C0 EE 66 84 68"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap" = "-full"
The process CatalinaUpdate.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"CLSID" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"
[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}]
"(Default)" = "ICatalinaUpdate3WebSecurity"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"
[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}]
"(Default)" = "IAppBundle"
[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\NumMethods]
"(Default)" = "39"
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"ThreadingModel" = "Both"
[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"
[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\NumMethods]
"(Default)" = "8"
[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser"
[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser"
[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\NumMethods]
"(Default)" = "13"
[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\CLSID\{3EC095D7-1164-4B7C-B570-92B48F6E82DC}]
"(Default)" = "PSFactoryBuffer"
[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}]
"(Default)" = "ICredentialDialog"
[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}]
"(Default)" = "ICatalinaUpdate"
[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\NumMethods]
"(Default)" = "10"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}]
"(Default)" = "Update3COMClass"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"
[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"
[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"
[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}]
"(Default)" = "Google Update Legacy On Demand"
[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"
[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"
[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}]
"(Default)" = "IAppVersionWeb"
[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"
[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}]
"(Default)" = "IOneClickProcessLauncher"
[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}]
"(Default)" = "ICoCreateAsync"
[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}]
"(Default)" = "ICurrentState"
[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"
[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}]
"(Default)" = "IAppBundleWeb"
[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}]
"(Default)" = "IApp"
[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\NumMethods]
"(Default)" = "5"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"
[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"
[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 45 E9 53 81 1E CD 31 AA 1B 14 A2 74 3E 05 FE"
[HKCU\Software\Classes\CLSID\{3EC095D7-1164-4B7C-B570-92B48F6E82DC}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"
[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\NumMethods]
"(Default)" = "44"
[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\VersionIndependentProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\NumMethods]
"(Default)" = "9"
[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\NumMethods]
"(Default)" = "6"
[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"Policy" = "3"
[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"
[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\NumMethods]
"(Default)" = "14"
[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"
[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}]
"(Default)" = "ICatalinaUpdateCore"
[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"
[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\ProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"
[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CurVer]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"
[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"
[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\NumMethods]
"(Default)" = "10"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}]
"(Default)" = "ICatalinaUpdate3"
[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"
[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}]
"(Default)" = "IJobObserver"
[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}]
"(Default)" = "IAppVersion"
[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}]
"(Default)" = "ICatalinaUpdate3Web"
[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\NumMethods]
"(Default)" = "8"
[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser"
[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"
[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}]
"(Default)" = "IBrowserHttpRequest2"
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"
[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\NumMethods]
"(Default)" = "24"
[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}]
"(Default)" = "IPackage"
[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"
[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"
[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"
[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}]
"(Default)" = "IAppWeb"
[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"
[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"
[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\NumMethods]
"(Default)" = "24"
[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"
[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}]
"(Default)" = "IProcessLauncher"
[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"
[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\ProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"
[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"
[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"
[HKCU\Software\Classes\CLSID\{3EC095D7-1164-4B7C-B570-92B48F6E82DC}\InProcServer32]
"ThreadingModel" = "Both"
[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}]
"(Default)" = "IProgressWndEvents"
[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"
[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"
[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}]
"(Default)" = "IRegistrationUpdateHook"
The Trojan deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}]
[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"
The process CatalinaUpdate.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"pv" = "50.0.2661.271"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_package_cache_put_succeeded" = "01 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"brand" = "GGLS"
"LastInstallerError" = "0"
"LastInstallerResult" = "0"
"referral" = "1:citrio_website"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_download_total" = "01 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_package_cache_put_total" = "01 00 00 00 00 00 00 00"
"worker_download_succeeded" = "01 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update]
"LastInstallerError" = "0"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastInstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"
"lang" = "en"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\CatalinaGroup\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "04 00 00 00 00 00 00 00"
"worker_install_execute_total" = "01 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"bt" = "1"
"LastCheckSuccess" = "1471278600"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "04 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 7C 12 1B 33 57 E3 DC 9C 40 DA D5 5B 66 8D A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallTime" = "1471278585"
[HKCU\Software\CatalinaGroup\Update]
"LastInstallerResult" = "0"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"iid" = "{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"browser"
"LastInstallerError"
"LastInstallerResultUIString"
"eulaaccepted"
"UpdateAvailableSince"
"tttoken"
[HKCU\Software\CatalinaGroup\Update\network\secure]
"c"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"experiment_labels"
"InstallerResult"
"LastInstallerExtraCode1"
[HKCU\Software\CatalinaGroup\Update]
"LastInstallerError"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastInstallerSuccessLaunchCmdLine"
[HKCU\Software\CatalinaGroup\Update]
"LastInstallerSuccessLaunchCmdLine"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerError"
"LastInstallerResult"
"UpdateAvailableCount"
"InstallerSuccessLaunchCmdLine"
"ap"
[HKCU\Software\CatalinaGroup\Update]
"LastInstallerResultUIString"
"LastInstallerExtraCode1"
"LastInstallerResult"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"iid"
The process CatalinaUpdate.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"vendor" = "Catalina Group Ltd."
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"opt_in_uid_generated" = "01 00 00 00 00 00 00 00"
"setup_should_install_total" = "01 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_install_google_update_total_ms" = "01 00 00 00 00 00 00 00 59 04 00 00 00 00 00 00"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"ProductName" = "CatalinaGroup Update"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"iid" = "{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"
[HKCU\Software\CatalinaGroup\Update]
"UID" = "{C10F4F9D-DF6C-4164-824A-840C447357BE}"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.oneclickctrl.9]
"CLSID" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9\CLSID]
"(Default)" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"
[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"(Default)" = "CatalinaGroup Update Plugin"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.update3webcontrol.3]
"CLSID" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_phase2_ms" = "01 00 00 00 00 00 00 00 C0 02 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppName" = "CatalinaUpdate.exe"
[HKCU\Software\CatalinaGroup\Update]
"Version" = "1.3.25.223"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Description" = "CatalinaGroup Update"
[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"Name" = "Catalina Update"
[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"InstallTime" = "1471278479"
[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3]
"(Default)" = "CatalinaGroup Update Plugin"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"
[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\ProgID]
"(Default)" = "CatalinaGroup.OneClickCtrl.9"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_do_self_install_total" = "01 00 00 00 00 00 00 00"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"
[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_lock_acquire_ms" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Description" = "CatalinaGroup Update"
"ProductName" = "CatalinaGroup Update"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"vendor" = "Catalina Group Ltd."
[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_files_total" = "01 00 00 00 00 00 00 00"
"goopdate_main" = "06 00 00 00 00 00 00 00"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Version" = "9"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223"
[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.223"
[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3\CLSID]
"(Default)" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppName" = "CatalinaUpdateOnDemand.exe"
[HKCU\Software\CatalinaGroup\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "06 00 00 00 00 00 00 00"
"setup_do_self_install_succeeded" = "01 00 00 00 00 00 00 00"
"setup_install_succeeded" = "01 00 00 00 00 00 00 00"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Version" = "3"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B B5 0B 14 68 5C 21 DD 1C 7C EA FD D0 6B 24 8B"
[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.223"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_should_install_true_fresh_install" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\ProgID]
"(Default)" = "CatalinaGroup.Update3WebControl.3"
[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9]
"(Default)" = "CatalinaGroup Update Plugin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_files_ms" = "01 00 00 00 00 00 00 00 86 01 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_install_total" = "01 00 00 00 00 00 00 00"
"setup_files_verification_succeeded" = "01 00 00 00 00 00 00 00"
"setup_install_task_succeeded" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"(Default)" = "CatalinaGroup Update Plugin"
[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"brand" = "GGLS"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_install_task_ms" = "01 00 00 00 00 00 00 00 B7 00 00 00 00 00 00 00"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update]
"ui"
[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"
[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableSince"
[HKCU\Software\CatalinaGroup\Update\network\secure]
"c"
[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableCount"
[HKCU\Software\CatalinaGroup\Update]
"LastChecked"
The process CatalinaUpdate.exe:624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 46 3C A3 32 32 3F 01 FF A3 99 E7 DD 64 09 36"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "05 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "05 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"
[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"
The process CatalinaUpdate.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 0C 4F C8 36 38 0B F1 99 92 E2 5B 10 FE 13 CE"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"
The process CatalinaUpdate.exe:2724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 BB C2 D0 90 A6 F0 2C 39 6C 8D 22 C6 4D 4D 18"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "03 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"
[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "03 00 00 00 00 00 00 00"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"
The process citrio.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 C0 49 52 45 F3 D0 31 AC 88 5B 8C 21 BB D7 F0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process citrio.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 11 C7 0C 4A FD 1A 1D F1 A1 C1 AE A9 D9 53 68"
The process citrio.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB E3 7D 0C 41 D9 88 40 4C F5 D7 0F 62 DF 66 71"
The process citrio.exe:4076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 44 5F 15 2F 02 4C F7 2B B8 1A 5D E6 2D F5 44"
The process citrio.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 F7 47 7A 3E 68 94 9E 1E F1 06 4B 8D C4 BA 17"
The process citrio.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 4F 49 63 D6 F9 05 A0 7A E3 C9 BA 71 1F 85 55"
The process citrio.exe:3364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 C8 43 AF 44 5C 89 AA 11 1B 19 38 2C 2A 6F 77"
The process citrio.exe:3376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 0A 92 6B FF EA 22 89 75 FF D1 C1 B8 88 BC 34"
The process citrio.exe:3420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F DB 95 1D C6 5D 12 F9 1F 57 79 9A 68 0C 91 A1"
The process citrio.exe:3016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"dr" = "1"
"usagestats" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"Version" = "50.0.2661.271"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"
[HKCU\Software\CatalinaGroup\Citrio\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "0"
[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"State" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"lastrun" = "13115752212794125"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastWasDefault" = "Type: REG_QWORD, Length: 8"
"_NumSignedIn" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"
[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"failed_count" = "0"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 6D 00 C0 25"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 21 1B C0 12 B8 48 E7 F2 07 BA A8 DC 8D CD 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"_NumAccounts" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"
The Trojan deletes the following registry key(s):
[HKCU\Software\CatalinaGroup\Citrio\BLFinchList]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"FirstNotDefault"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F"
The process citrio.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 20 E3 A3 00 28 FA 97 F3 65 7F 03 92 9A F9 ED"
The process citrio.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 15 AC 64 0B C8 38 F0 48 FA 07 79 49 B0 4A B9"
The process citrio.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 6D 5F 11 6A C6 08 95 D1 9E FE 85 CC BC 5D F2"
The process citrio.exe:3412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 6B EF 70 16 F5 13 F2 05 7F 13 64 0A 72 41 1C"
The process citrio.exe:3520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 4C 20 27 97 61 39 71 7C B3 DB B0 A8 1B 46 DA"
The process citrio.exe:3648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 84 68 4E 31 49 79 26 AA 5A 54 8C 13 78 16 4B"
The process citrio.exe:3572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 95 13 F5 DF 7C 91 52 5B E4 BB DD 43 BE 55 99"
The process citrio.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 3D 21 20 AA C3 28 C0 E0 FD 11 2A B7 87 58 7F"
The process CatalinaCrashHandler.exe:2672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 1F C6 B5 51 CE 94 F6 A2 69 CE 43 8A 3D 4D B4"
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 6A 93 9C 50 97 4A 3D E2 CD 90 45 61 D1 DE FA"
The process setup.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".avi" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".webp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".AAC" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\magnet\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio,"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"HideIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --hide-icons"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"NoRepair" = "1"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKCR\.xht\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\delegate_execute.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationName" = "Citrio"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mov" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".xhtml" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xa" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"nntp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".flv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".torrent" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"https" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"Publisher" = "© Catalinagroup Ltd."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"lang" = "en"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".shtml" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"pv" = "50.0.2661.271"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"IconsVisible" = "1"
"ReinstallCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --make-default-browser"
[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"pv" = "50.0.2661.271"
[HKCU\Software\Classes\.xht]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".m4v" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".au" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".xht" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\citrio.exe]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application"
[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}]
"(Default)" = "CommandExecuteImpl Class"
[HKCU\Software\Classes\.html]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"bt" = "1"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\.htm\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerError" = "0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ShowIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --show-icons"
[HKCR\.webp\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayVersion" = "50.0.2661.271"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastWasDefault" = "Type: REG_QWORD, Length: 8"
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mpg" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".nsv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"news" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".asf" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Citrio]
"AssociationsRegistry" = "1"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"
[HKCU\Software\Classes\Magnet\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"Version" = "50.0.2661.271"
[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}\LocalServer32]
"ServerExecutable" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\delegate_execute.exe"
[HKCU\Software\Classes\.xhtml]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"tel" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerExtraCode1" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E DB 1E EC 7D F8 71 D2 E8 F5 24 8E 4E 59 6F 83"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".wma" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".FLAC" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap" = "-stage:preconditions-full"
"InstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".MP3" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".MP2" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"oopcrashes" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".pdf" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayName" = "Citrio"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mp4" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\Magnet]
"URL Protocol" = ""
[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe --on-os-upgrade --verbose-logging"
[HKCU\Software\Classes\.pdf]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"oopcrashes" = "1"
[HKLM\SOFTWARE\RegisteredApplications]
"Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = "Software\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".TTA" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationDescription" = "Citrio is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Citrio."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".3gp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".webm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".tac" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".dts" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".mkv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"NoModify" = "1"
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"ftp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\Startmenu]
"StartMenuInternet" = "Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".wmv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".mka" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"smsto" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ram" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"
[HKCU\Software\Classes\.shtml]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mailto" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ogv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"webcal" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"lang" = "en"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"magnet" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".3g2" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\.htm]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"UninstallArguments" = " --uninstall"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\.xhtml\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\Classes\Magnet\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"Name" = "Citrio App Launcher"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe --uninstall"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"sms" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
"mms" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerResult" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".html" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Citrio Document"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\.shtml\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"urn" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCR\.html\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"VersionMajor" = "2661"
"VersionMinor" = "271"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ra" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\.torrent]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".a52" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".rm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".RV" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".htm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\Magnet\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"irc" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"bt" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\citrio.exe]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"http" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".m2v" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"InstallDate" = "20160815"
[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"Name" = "Citrio"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".OGG" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".WAV" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".ogm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Citrio"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application]
"citrio.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe:*:Enabled:Citrio"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap"
"FirstNotDefault"
"InstallerExtraCode1"
Dropped PE files
| MD5 | File path |
|---|---|
| 17a70cbefd0c97da5b5154bcc2c6135a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe |
| 17a70cbefd0c97da5b5154bcc2c6135a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe |
| f1344174407b31ebf73a1b757730e7b9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe |
| d97a494f356a9b87a9de70f94deac0fd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe |
| ddba4ef4336eab079a05d50cae1d78ad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll |
| 9679f1b877f59885a1cb0dc781f6f5a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll |
| e978743b5e83e6d8d56ef8eec9e95895 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll |
| 632bf3bf2c7c43de40e14e180d450aa4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll |
| f9b49228bdb016a10ee484d00d20c56d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll |
| 750e817cff45df02c6219fd7f8629306 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll |
| befa1de1a499caf2dd8c849d307ea022 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll |
| 64a3b9bd31048d1474be89bf8b759a6b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll |
| 124b5b534765959135d7e5e8387e42d4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll |
| 7c9392a39aa7af12ba9516108461396c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll |
| 5a72210a08f840c981a22a30eae6bfd5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll |
| de806ca7439b321cb5b9ed465bfff53c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll |
| ce161f171dede65306ae260f2daed707 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll |
| 6804fe6306170c2e03e67a9a6912e44d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll |
| 1f27b6a0f1239dc5a0ad99ebb9f266b1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll |
| 362caadf56cbb795429cb414d7526249 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll |
| 980c0b9460aebcd0e6c26597ebbbe405 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll |
| 8d0545918a67993b61d41e37ddf0a448 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll |
| 00c69aa9c97e7adecebbabeb9d62c1e5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll |
| 5bf66f20dec62b4fba86cc774e30f42d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll |
| 0e0d1132eff66a2408379b417b95ec23 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll |
| d12036e6329b12ae75e288669b2fc0af | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll |
| d467c0c1a4d788d0905393dfaf485135 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll |
| 63468abea9a361c189a52329f26cc88d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll |
| f88e2998a5136c6015b320e30260ec4e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll |
| bcd98fb11a392837a3a6699335e89a9d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll |
| b798ad9f420015dcff3fe32d9731aef9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll |
| fdeea71e5153722ddce94417c3e80ce5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll |
| 82c275cbb0ba0d37128e7c77b0e540e7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll |
| 6c041119591f741151f508b6b691e03a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll |
| 26fa6e3a970fb0a5c63ae57d45198327 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll |
| ac5751840335dedbf1e8dd1a87d12682 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll |
| 9e325dcb01d553307dd6ef773f3f475e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll |
| 28d3149dc5e5410f66a1935f1dda41d6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll |
| 606a92ebf1a461a2ba5ddd2b15bf2ed4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll |
| 10bf4f168b43efe576660cf340c9cd44 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll |
| 6053f5753647853fc4830829724469d4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll |
| eead3f9d5abb707b01c87121f591c8e9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll |
| 5dfeab4174bf0228faf838a29df7713e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll |
| 64046abd01dccbc734f7b5c1b64678f6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll |
| bae8f1473a25a4b3211e66ef365cc7b7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll |
| 839fd225d791d571349676b747e28395 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll |
| d46def9b2394e5f015707534463847a0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll |
| d48a353ecb8e92c8ccdfff936e46ba87 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll |
| 422ba3343eec0f6b27ac2ae49d660e33 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll |
| e73a1377dfa148fab829f0c5c8808a63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll |
| 405d4703ec5f16199eba427de348aca2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll |
| ecd6fab6f8cddc32adb706da61eab103 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll |
| fffa3bef66e32c82e0c73568dff849be | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll |
| 560d84e7c8d683dbff92d57e1a399f51 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll |
| ba00b2fb66629db19348a84b980d18e0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll |
| 2a65fe2d121400d813a82eab20a939e3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll |
| 5583d364750bb7d81f14c94e5c7436d0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll |
| b2ca11171e5a17aa8056c180b24cf666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll |
| 91c54079cc80835aad5556fb920d03fa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll |
| d6d9fb241c73daa86742c054bd5d2a9e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll |
| 1d68f6707885426f86311c25e3ffe412 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll |
| 0338eb214377352a1a4064b4d82caa01 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll |
| 6de2e660635cc112929517ca85f068a2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll |
| 17a70cbefd0c97da5b5154bcc2c6135a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe |
| 17a70cbefd0c97da5b5154bcc2c6135a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe |
| 17a70cbefd0c97da5b5154bcc2c6135a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe |
| f1344174407b31ebf73a1b757730e7b9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe |
| d97a494f356a9b87a9de70f94deac0fd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe |
| ddba4ef4336eab079a05d50cae1d78ad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdate.dll |
| 9679f1b877f59885a1cb0dc781f6f5a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll |
| e978743b5e83e6d8d56ef8eec9e95895 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll |
| 632bf3bf2c7c43de40e14e180d450aa4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll |
| f9b49228bdb016a10ee484d00d20c56d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll |
| 750e817cff45df02c6219fd7f8629306 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll |
| befa1de1a499caf2dd8c849d307ea022 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll |
| 64a3b9bd31048d1474be89bf8b759a6b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll |
| 124b5b534765959135d7e5e8387e42d4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll |
| 7c9392a39aa7af12ba9516108461396c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll |
| 5a72210a08f840c981a22a30eae6bfd5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll |
| de806ca7439b321cb5b9ed465bfff53c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll |
| ce161f171dede65306ae260f2daed707 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll |
| 6804fe6306170c2e03e67a9a6912e44d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll |
| 1f27b6a0f1239dc5a0ad99ebb9f266b1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll |
| 362caadf56cbb795429cb414d7526249 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll |
| 980c0b9460aebcd0e6c26597ebbbe405 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll |
| 8d0545918a67993b61d41e37ddf0a448 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll |
| 00c69aa9c97e7adecebbabeb9d62c1e5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll |
| 5bf66f20dec62b4fba86cc774e30f42d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll |
| 0e0d1132eff66a2408379b417b95ec23 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll |
| d12036e6329b12ae75e288669b2fc0af | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll |
| d467c0c1a4d788d0905393dfaf485135 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll |
| 63468abea9a361c189a52329f26cc88d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll |
| f88e2998a5136c6015b320e30260ec4e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll |
| bcd98fb11a392837a3a6699335e89a9d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll |
| b798ad9f420015dcff3fe32d9731aef9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll |
| fdeea71e5153722ddce94417c3e80ce5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll |
| 82c275cbb0ba0d37128e7c77b0e540e7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll |
| 6c041119591f741151f508b6b691e03a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll |
| 26fa6e3a970fb0a5c63ae57d45198327 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll |
| ac5751840335dedbf1e8dd1a87d12682 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll |
| 9e325dcb01d553307dd6ef773f3f475e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll |
| 28d3149dc5e5410f66a1935f1dda41d6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll |
| 606a92ebf1a461a2ba5ddd2b15bf2ed4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll |
| 10bf4f168b43efe576660cf340c9cd44 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll |
| 6053f5753647853fc4830829724469d4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll |
| eead3f9d5abb707b01c87121f591c8e9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll |
| 5dfeab4174bf0228faf838a29df7713e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll |
| 64046abd01dccbc734f7b5c1b64678f6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll |
| bae8f1473a25a4b3211e66ef365cc7b7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll |
| 839fd225d791d571349676b747e28395 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll |
| d46def9b2394e5f015707534463847a0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll |
| d48a353ecb8e92c8ccdfff936e46ba87 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll |
| 422ba3343eec0f6b27ac2ae49d660e33 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll |
| e73a1377dfa148fab829f0c5c8808a63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll |
| 405d4703ec5f16199eba427de348aca2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll |
| ecd6fab6f8cddc32adb706da61eab103 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll |
| fffa3bef66e32c82e0c73568dff849be | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll |
| 560d84e7c8d683dbff92d57e1a399f51 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll |
| ba00b2fb66629db19348a84b980d18e0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll |
| 2a65fe2d121400d813a82eab20a939e3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll |
| 5583d364750bb7d81f14c94e5c7436d0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll |
| b2ca11171e5a17aa8056c180b24cf666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll |
| 91c54079cc80835aad5556fb920d03fa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll |
| d6d9fb241c73daa86742c054bd5d2a9e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll |
| 1d68f6707885426f86311c25e3ffe412 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll |
| 0338eb214377352a1a4064b4d82caa01 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psmachine.dll |
| 6de2e660635cc112929517ca85f068a2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psuser.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
citrio_50.0.2661.271_1.exe:3084
CatalinaUpdate.exe:1284
CatalinaUpdate.exe:1948
CatalinaUpdate.exe:592
CatalinaUpdate.exe:624
CatalinaUpdate.exe:1228
CatalinaUpdate.exe:2724
citrio.exe:3452
citrio.exe:3508
citrio.exe:3560
citrio.exe:4076
citrio.exe:1228
citrio.exe:3376
citrio.exe:3420
citrio.exe:3436
citrio.exe:3468
citrio.exe:3496
citrio.exe:3412
citrio.exe:3520
citrio.exe:3648
citrio.exe:3572
citrio.exe:3528
CatalinaCrashHandler.exe:2672
%original file name%.exe:348
setup.exe:3544 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\setup.exe (20838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\SETUP.EX_ (1731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\CITRIO.PACKED.7Z (443233 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install\{2EE34F43-5047-454D-A00C-8C4791C44D77}\citrio_50.0.2661.271_1.exe (449813 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\50.0.2661.271\citrio_50.0.2661.271_1.exe (449813 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll (19 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GPMFO96B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\debug.log (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HHZ07SG0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDUB0TY7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ON4PSBMF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\manifest.json (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\uk\messages.json (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\fil\messages.json (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\video.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\play_track.png (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\audio.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\open_in_folder.png (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.html (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\en\messages.json (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\citrio.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ms\messages.json (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ru\messages.json (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\th\messages.json (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\id\messages.json (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\128.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\pt_BR\messages.json (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ar\messages.json (374 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ms\messages.json (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\id\messages.json (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\popup.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon35.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon48.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.fb.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.tw.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\css\template.css (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\background.js (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16-old.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\manifest.json (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16.png (497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\en\messages.json (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon128.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\locale.js (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\fil\messages.json (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\pt_BR\messages.json (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon64.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.gp.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\LOG (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000003.log (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_3 (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_2 (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_1 (7112 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons (4342 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor (5093 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10.tmp (162124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data-journal (13750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\LOG (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_bzErAGqsXYnpIzL (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\citrio_ext.crx (114298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\LOG (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\17.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000001 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (305478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\First Run (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Visited Links (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\15.tmp (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_un2S1bucDLFPyFj (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\media_downloader.crx (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\download_all.crx (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\13.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000003.log (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites-journal (12948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\share_page.crx (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\19.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor-journal (11985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_a5iDZNqB3HvkBEZ (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1C.tmp (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_y2LoLvnnttwawLo (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_IYtZfL4RjyYddJy (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\7.tmp (1478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\index (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\README (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_kSEsv1UeGSodnIo (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\14.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\10.tmp (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_0 (6092 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1A.tmp (999630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\proxy.crx (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Current Session (7167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_qAfo2hnyMisAbxx (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\th\messages.json (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\search.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\fil\messages.json (520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.inactive.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.interface.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\uk\messages.json (862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\pt_BR\messages.json (525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\id\messages.json (481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ru\messages.json (868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\en\messages.json (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\locale.js (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\css\template.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.png (60000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\manifest.json (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.ui.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ar\messages.json (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon.close.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon128.png (60000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.popup.js (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ms\messages.json (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_empty.png (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_19.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_stats.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libcurl.dll (22840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\_bz2.pyd (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\manifest.json (988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_16.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\citrio_ext.dll (34392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pyexpat.pyd (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pywintypes34.dll (7784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtCore4.dll (152471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\ssleay32.dll (18768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\youtube-dl.exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\zlib1.dll (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcp100.dll (27336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcr100.dll (49672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\select.pyd (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_dv.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libeay32.dll (76989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_dv.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\base_library.zip (206432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32wnet.pyd (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libtorrent.dll (129574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\dlnlib.dll (38624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\unicodedata.pyd (48768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtGui4.dll (541377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\background.html (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32api.pyd (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_stats.js (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_notification.js (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\python34.dll (164484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_detail.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\agent.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\th\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\doT.min.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\popup.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\sandbox.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\new.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ru\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\logging.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\id\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\manifest.json (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ar\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\mochi.js (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\popup.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.js (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\base64.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\sandbox.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\mochi.css (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\model.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\uk\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\en\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_list.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.local.js (619 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\disable.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\sprite.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\style.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-active.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all-disable.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\open-icon.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\en\messages.json (981 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-hover.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\theme.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\background.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\id\messages.json (994 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\jquery-1.11.0.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\js.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\manifest.json (557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\active.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\locale.js (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bg.pak (1714 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\proxy.crx (1676 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\d3dcompiler_47.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-TW.pak (219 bytes)
%Documents and Settings%\%current user%\Desktop\Facebook.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\he.pak (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\resources.pak (150724 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ru.pak (1688 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\am.pak (1647 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\download_all.crx (1766 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ar.pak (1641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\citrio.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sl.pak (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ro.pak (268 bytes)
%Documents and Settings%\%current user%\Desktop\YouTube.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-BR.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-US.pak (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libexif.dll (307 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sk.pak (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\chrome.VisualElementsManifest.xml (342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_32.nexe (20507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\external_extensions.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sw.pak (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_200_percent.pak (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\smalllogo.png (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\metro_driver.dll (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ja.pak (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\de.pak (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libglesv2.dll (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hu.pak (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ms.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\50.0.2661.271.manifest (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\gu.pak (1805 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es-419.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\pepflashplayer.dll (124061 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\logo.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\tr.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\id.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_100_percent.pak (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\el.pak (1752 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fr.pak (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-CN.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fil.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\widevinecdmadapter.dll (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_child.dll (321430 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\icudtl.dat (75554 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\cs.pak (268 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ml.pak (3743 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lt.pak (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fa.pak (1654 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl64.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sv.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_watcher.dll (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\secondarytile.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\version.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_64.nexe (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\natives_blob.bin (1711 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\citrio.7z (1358422 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\uk.pak (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\share_page.crx (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\delegate_execute.exe (3802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hi.pak (1820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-GB.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\mr.pak (1812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\te.pak (1870 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sr.pak (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\da.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nb.pak (238 bytes)
%Documents and Settings%\%current user%\Desktop\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fi.pak (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\et.pak (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\it.pak (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nl.pak (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio.dll (259439 bytes)
%Documents and Settings%\%current user%\Desktop\Chrome Web Store.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libegl.dll (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_100_percent.pak (6303 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\kn.pak (3680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ca.pak (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_200_percent.pak (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\wow_helper.exe (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\snapshot_blob.bin (1802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hr.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_elf.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ko.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-PT.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\th.pak (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bn.pak (1839 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\media_downloader.crx (1670 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lv.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\citrio_ext.crx (110258 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ta.pak (3691 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\vi.pak (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pl.pak (261 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Catalina Group Ltd.
Product Name: CatalinaGroup Update
Product Version: 1.3.25.223
Legal Copyright: Copyright 2013 Catalina Group Ltd.
Legal Trademarks:
Original Filename: CatalinaUpdateSetup.exe
Internal Name: CatalinaGroup Update Setup
File Version: 1.3.25.223
File Description: CatalinaGroup Update Setup
Comments:
Language: English (United States)
Company Name: Catalina Group Ltd.Product Name: CatalinaGroup UpdateProduct Version: 1.3.25.223Legal Copyright: Copyright 2013 Catalina Group Ltd.Legal Trademarks: Original Filename: CatalinaUpdateSetup.exeInternal Name: CatalinaGroup Update SetupFile Version: 1.3.25.223File Description: CatalinaGroup Update SetupComments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 47535 | 47616 | 4.63635 | 2752a1441fa592610b94de20c1f02a58 |
| .rdata | 53248 | 10788 | 11264 | 3.70626 | 137b135f165828e6808d51b0f23fe651 |
| .data | 65536 | 6460 | 3584 | 1.72368 | 8e425fbedc6927dfabb8fdfaaf8e8d97 |
| .rsrc | 73728 | 651348 | 651776 | 5.2981 | 0fb9c02329234fd0800211194980c94c |
| .reloc | 729088 | 5598 | 5632 | 2.64966 | 17957bd86fff892742280f82a0bf537a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 47
3c2f29dbac5842ca1a35747628ac2ed0
393a907be957b681bc0bf1985b8d6420
134eaec889515311684f679683f84d60
12a00f8b1f0990c915c2d00d6b655c40
0e4a0bfb2841c39acf056f1988789336
220472c3a5bc9633ca4e5cb3c19c0384
772b11fd0a23bf8968b8badcf92ac30c
781558c19a0a9b6d8e48087bb2496d66
bc69e041c0f0568a819151a1c5434490
462fd3913739c6f582dd6ca6643fcf06
1f1ab2d88a7e3304dced04d70167e011
aeada3aeea1d6888eed4ca48deb80054
5a1558fc9c7f0768eb3f40a705bd0130
45b7dcac232250efbd8132bb78de9683
da9b3f2f924be7f819808c6bcfee9cfe
24f15bce11565ede31511ce789118ef0
45d0d3ecc276beb74daf646fd5d3af66
96afab9e361d2635759c2c9008a0c72e
44e2dd04e6e763b60fe9419ddb728dc7
77911c759cafed5c84f6d819fbaf2069
fee2556c48f72e91e121554e539b09e9
7c542e0abb7e8700e5a0d4f50c941136
f11489e2c77aaccce5be36cd0f412374
7ea8b386deb153674ae71fbaac54ab76
a2c0406aaba834c74f68561c73936587
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://catalinahub.net/update/ping | 95.211.171.218 |
| hxxp://catalinahub.net/update/check | 95.211.171.218 |
| hxxp://gs1.wpc.v2cdn.net/80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe | |
| hxxp://wpc.A164.taucdn.net/80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe | |
| wpc.a164.taucdn.net | 93.184.221.133 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
HEAD /80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: wpc.A164.taucdn.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=0, public
Content-Type: application/octet-stream;charset=UTF-8
Date: Mon, 15 Aug 2016 16:27:50 GMT
Etag: W/"59173264-1464855289000"
Expires: Mon, 15 Aug 2016 16:27:50 GMT
Last-Modified: Thu, 02 Jun 2016 08:14:49 GMT
Server: Apache-Coyote/1.1
X-Cache: HIT
Content-Length: 59173264
HTTP/1.1 200 OK..Accept-Ranges: bytes..Cache-Control: max-age=0, public..Content-Type: application/octet-stream;charset=UTF-8..Date: Mon, 15 Aug 2016 16:27:50 GMT..Etag: W/"59173264-1464855289000"..Expires: Mon, 15 Aug 2016 16:27:50 GMT..Last-Modified: Thu, 02 Jun 2016 08:14:49 GMT..Server: Apache-Coyote/1.1..X-Cache: HIT..Content-Length: 59173264......
GET /80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: wpc.A164.taucdn.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=0, public
Content-Type: application/octet-stream;charset=UTF-8
Date: Mon, 15 Aug 2016 16:27:50 GMT
Etag: W/"59173264-1464855289000"
Expires: Mon, 15 Aug 2016 16:27:52 GMT
Last-Modified: Thu, 02 Jun 2016 08:14:49 GMT
Server: Apache-Coyote/1.1
X-Cache: HIT
Content-Length: 59173264
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W...6...6...6..d.?..6...6...6...O...6...d/..6...6c..6...O*..6..Rich.6..........................PE..L....1GW.................&..........:#.......@....@.......................... ...............................................P..P....`..................................8............................................P...............................text...'%.......&.................. ..`.data........@......................@....idata.......P.......*..............@..@.rsrc........`.......0..............@..@.reloc..............................@..B.....................................................................................................................................................................................................................................................................................................................................................................1GW........m... ... ........1GW....................{.9.2.F.8.A.2.1.9.-.E.7.4.0.-.4.9.D.5.-.B.7.8.5.-.B.9.6.2.A.D.8.1.9.7.2.4.}.....{.E.9.F.2.4.A.7.C.-.1.3.C.A.-.4.2.F.B.-.A.4.D.9.-.7.9.C.3.C.9.D.2.1.B.2.8.}.....{.D.E.2.8.A.2.E.A.-.7.7.F.A.-.4.F.2.B.-.8.2.5.2.-.C.3.B.5.8.4.4.F.6.4.5.5.}.....{.F.0.B.5.0.D.5.A.-.4.B.B.A.-.4.5.1.4.-.A.D.2.C.-.E.B.A.5.0.C.2.9.C.4.6.0.}.......@.-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.h.r.o.m.e.....-.-.c.h.r.o.m.e.-.f.r.a.m.e.....-.-.m.u.l.t.i.-.i.n.s.t.a.l.l...-.-.s.y.s.t.e.m.-.l.
<<< skipped >>>
POST /update/check HTTP/1.1
User-Agent: Google Update/1.3.25.223;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: catalinahub.net
Content-Length: 567
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.223" ismachine="0" sessionid="{BC71EEE7-46D4-45B3-8B4E-9BA6047E823D}" userid="{C10F4F9D-DF6C-4164-824A-840C447357BE}" installsource="taggedmi" testsource="auto" requestid="{D18CD1C3-99E3-4E93-88E6-14F7AA179772}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"><updatecheck/></app></request>
HTTP/1.1 200 OK
Date: Mon, 15 Aug 2016 16:27:49 GMT
Server: Apache-Coyote/1.1
X-Citrio-Timestamp: xCumNF7TpbZ6dfnvI3geqycbAtI=
Content-Type: application/xml;charset=UTF-8
Cache-Control: max-age=0, public
Expires: Mon, 15 Aug 2016 16:27:50 GMT
Connection: close
Transfer-Encoding: chunked
2b6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><response protocol="3.0" server="dist"><dayStart elapsed_seconds="59270"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" status="ok"><updatecheck status="ok"><urls><url codebase="hXXp://wpc.A164.taucdn.net/80A164/ch-cdn/download/"/></urls><manifest version="50.0.2661.271"><packages><package hash="2NR3 VFpCX/GS8RGSnh9guQKMR0=" name="citrio_50.0.2661.271_1.exe" required="true" size="59173264"/></packages><actions><action arguments="--chrome --do-not-launch-chrome" event="install" run="citrio_50.0.2661.271_1.exe"/><action event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/></actions></manifest></updatecheck></app></response>..0..
POST /update/ping HTTP/1.1
User-Agent: Google Update/1.3.25.223;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: catalinahub.net
Content-Length: 613
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.223" ismachine="0" sessionid="{BC71EEE7-46D4-45B3-8B4E-9BA6047E823D}" userid="{C10F4F9D-DF6C-4164-824A-840C447357BE}" installsource="taggedmi" testsource="auto" requestid="{E653B668-A146-47A1-A080-B47A38A6B741}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" version="" nextversion="1.3.25.223" buildtype="" lang="en" brand="" client="" iid="{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0"/></app></request>
HTTP/1.1 200 OK
Date: Mon, 15 Aug 2016 16:27:49 GMT
Server: Apache-Coyote/1.1
X-Citrio-Timestamp: YIiyBsdYYAr4ZQPgOCI0nFg4UoU=
Content-Type: application/xml;charset=UTF-8
Cache-Control: max-age=0, public
Expires: Mon, 15 Aug 2016 16:27:49 GMT
Connection: close
Transfer-Encoding: chunked
e6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><response protocol="3.0" server="dist"><dayStart elapsed_seconds="59269"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" status="ok"><event status="ok"/></app></response>..0..
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
CatalinaCrashHandler.exe_2672:
.text
.text
`.data
`.data
.text/DE
.text/DE
@.rsrc
@.rsrc
@.reloc
@.reloc
SHELL32.dll
SHELL32.dll
USER32.dll
USER32.dll
SHLWAPI.dll
SHLWAPI.dll
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
operator
operator
CatalinaUpdate_unsigned.pdb
CatalinaUpdate_unsigned.pdb
RegOpenKeyExW
RegOpenKeyExW
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
ole32.dll
ole32.dll
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
GetConsoleOutputCP
GetConsoleOutputCP
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
###7777_{
###7777_{
###____777
###____777
###````87{
###````87{
2 2$2(2,20242~2
2 2$2(2,20242~2
4 4$4(4,4
4 4$4(4,4
?$?(?,?4?
?$?(?,?4?
> >@>\>`>
> >@>\>`>
? ?@?\?`?
? ?@?\?`?
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe
KERNEL32.DLL
KERNEL32.DLL
mscoree.dll
mscoree.dll
goopdate.dll
goopdate.dll
CatalinaUpdate.exe
CatalinaUpdate.exe
Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}
Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}
1.3.25.223
1.3.25.223
2007-2010
2007-2010
2007-2010
2007-2010
citrio.exe_3016:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
HtdHtHHHt.HH
HtdHtHHHt.HH
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
Failed to load Chrome DLL from
ChromeMain
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
Could not find exported function
1.3.21.115
1.3.21.115
Chrome
Chrome
0.0.0.0-devel
0.0.0.0-devel
font_key_name
font_key_name
url-chunk
url-chunk
subresource_url
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
%s-%x
CHROME_MAIN_TICKS
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
No valid Chrome version found
chrome-sxs
chrome-sxs
googlechrome
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
iexplore.exe
googlechromeframe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Failed to open key "
Skipping over key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
CreateNamedPipeW
NtCreateKey
NtCreateKey
NtOpenKey
NtOpenKey
NtOpenKeyEx
NtOpenKeyEx
MetricsReportingEnabled
MetricsReportingEnabled
widevinecdmadapter.dll
widevinecdmadapter.dll
CHROME_VERSION
CHROME_VERSION
CHROME_HEADLESS
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_CRASHED
CHROME_RESTART
CHROME_RESTART
user_experience_metrics.reporting_enabled
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
NTDLL.DLL
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
GetProcessWindowStation
GetProcessWindowStation
operator
operator
(0x%X)
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
%s-%Iu
(%d = %3.1f%%)
(%d = %3.1f%%)
Histogram: %s recorded %d samples
Histogram: %s recorded %d samples
(flags = 0x%x)
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
PlatformFile.UnknownErrors.Windows
user32.dll
user32.dll
.thunks
.thunks
.syzygy
.syzygy
Dictionary keys must be quoted.
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
Line: %i, column: %i, %s
full-memory-crash-report
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
SignalChromeElf
citrio_elf.dll
citrio_elf.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
RegCreateKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
CloseWindowStation
CloseWindowStation
CreateWindowStationW
CreateWindowStationW
SetProcessWindowStation
SetProcessWindowStation
USER32.dll
USER32.dll
SetProcessShutdownParameters
SetProcessShutdownParameters
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
CreateIoCompletionPort
CreateIoCompletionPort
GetProcessHandleCount
GetProcessHandleCount
KERNEL32.dll
KERNEL32.dll
USERENV.dll
USERENV.dll
WTSAPI32.dll
WTSAPI32.dll
GetCPInfo
GetCPInfo
SetNamedPipeHandleState
SetNamedPipeHandleState
TransactNamedPipe
TransactNamedPipe
WaitNamedPipeW
WaitNamedPipeW
zcÃ
zcÃ
444.44...4
444.44...4
4.4....4.
4.4....4.
..44.44@4
..44.44@4
4@444@4.
4@444@4.
.4@4@@4.
.4@4@@4.
}.GnO
}.GnO
Ôjo
Ôjo
k.SZ[
k.SZ[
j.oii
j.oii
00J0
00J0
4O4
4O4
>">'>,>9>
>">'>,>9>
=&=/=6=>=!>
=&=/=6=>=!>
8!8)8/888
8!8)8/888
8 8$8(8,8
8 8$8(8,8
4 4(40484
4 4(40484
4 4$4(4,40444
4 4$4(4,40444
7 7$7(7,7
7 7$7(7,7
5(545@5`5
5(545@5`5
citrio_watcher.dll
citrio_watcher.dll
citrio.dll
citrio.dll
citrio_child.dll
citrio_child.dll
metro_driver.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeCanary
ChromeSSHTM
ChromeSSHTM
Chrome Canary HTML Document
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chrome
-chromeframe
-chromeframe
WebAccessible
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
DGoogle Chrome Frame
Chrome in a Frame.
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
ntdll.dll
ntdll.dll
pipe\
pipe\
Ckernel32.dll
Ckernel32.dll
kernelbase.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
ALPC Port
eKey
eKey
gdi32.dll
gdi32.dll
xntdll.dll
xntdll.dll
wow_helper.exe"
wow_helper.exe"
shell32.dll
shell32.dll
Crash Reports
Crash Reports
script.log
script.log
resources.pak
resources.pak
chrome
chrome
pepflashplayer.dll
pepflashplayer.dll
version.json
version.json
NPSWF32.dll
NPSWF32.dll
${windows}
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
\\.\pipe\CitrioCrashServices
error %u
error %u
chrome.exe
chrome.exe
hunspecified-crash-key
hunspecified-crash-key
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
dbghelp.dll
dbghelp.dll
rpcrt4.dll
rpcrt4.dll
%s\%s.dmp
%s\%s.dmp
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
Ndebug.log
Ndebug.log
\StringFileInfo\xx\%ls
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
50.0.2661.271
citrio_exe
citrio_exe
citrio.exe_3364:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
HtdHtHHHt.HH
HtdHtHHHt.HH
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
Failed to load Chrome DLL from
ChromeMain
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
Could not find exported function
1.3.21.115
1.3.21.115
Chrome
Chrome
0.0.0.0-devel
0.0.0.0-devel
font_key_name
font_key_name
url-chunk
url-chunk
subresource_url
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
%s-%x
CHROME_MAIN_TICKS
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
No valid Chrome version found
chrome-sxs
chrome-sxs
googlechrome
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
iexplore.exe
googlechromeframe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Failed to open key "
Skipping over key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
CreateNamedPipeW
NtCreateKey
NtCreateKey
NtOpenKey
NtOpenKey
NtOpenKeyEx
NtOpenKeyEx
MetricsReportingEnabled
MetricsReportingEnabled
widevinecdmadapter.dll
widevinecdmadapter.dll
CHROME_VERSION
CHROME_VERSION
CHROME_HEADLESS
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_CRASHED
CHROME_RESTART
CHROME_RESTART
user_experience_metrics.reporting_enabled
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
NTDLL.DLL
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
GetProcessWindowStation
GetProcessWindowStation
operator
operator
(0x%X)
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
%s-%Iu
(%d = %3.1f%%)
(%d = %3.1f%%)
Histogram: %s recorded %d samples
Histogram: %s recorded %d samples
(flags = 0x%x)
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
PlatformFile.UnknownErrors.Windows
user32.dll
user32.dll
.thunks
.thunks
.syzygy
.syzygy
Dictionary keys must be quoted.
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
Line: %i, column: %i, %s
full-memory-crash-report
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
SignalChromeElf
citrio_elf.dll
citrio_elf.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
RegCreateKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
CloseWindowStation
CloseWindowStation
CreateWindowStationW
CreateWindowStationW
SetProcessWindowStation
SetProcessWindowStation
USER32.dll
USER32.dll
SetProcessShutdownParameters
SetProcessShutdownParameters
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
CreateIoCompletionPort
CreateIoCompletionPort
GetProcessHandleCount
GetProcessHandleCount
KERNEL32.dll
KERNEL32.dll
USERENV.dll
USERENV.dll
WTSAPI32.dll
WTSAPI32.dll
GetCPInfo
GetCPInfo
SetNamedPipeHandleState
SetNamedPipeHandleState
TransactNamedPipe
TransactNamedPipe
WaitNamedPipeW
WaitNamedPipeW
zcÃ
zcÃ
444.44...4
444.44...4
4.4....4.
4.4....4.
..44.44@4
..44.44@4
4@444@4.
4@444@4.
.4@4@@4.
.4@4@@4.
}.GnO
}.GnO
Ôjo
Ôjo
k.SZ[
k.SZ[
j.oii
j.oii
00J0
00J0
4O4
4O4
>">'>,>9>
>">'>,>9>
=&=/=6=>=!>
=&=/=6=>=!>
8!8)8/888
8!8)8/888
8 8$8(8,8
8 8$8(8,8
4 4(40484
4 4(40484
4 4$4(4,40444
4 4$4(4,40444
7 7$7(7,7
7 7$7(7,7
5(545@5`5
5(545@5`5
citrio_watcher.dll
citrio_watcher.dll
citrio.dll
citrio.dll
citrio_child.dll
citrio_child.dll
metro_driver.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeCanary
ChromeSSHTM
ChromeSSHTM
Chrome Canary HTML Document
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chrome
-chromeframe
-chromeframe
WebAccessible
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
DGoogle Chrome Frame
Chrome in a Frame.
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
ntdll.dll
ntdll.dll
pipe\
pipe\
Ckernel32.dll
Ckernel32.dll
kernelbase.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
ALPC Port
eKey
eKey
gdi32.dll
gdi32.dll
xntdll.dll
xntdll.dll
wow_helper.exe"
wow_helper.exe"
shell32.dll
shell32.dll
Crash Reports
Crash Reports
script.log
script.log
resources.pak
resources.pak
chrome
chrome
pepflashplayer.dll
pepflashplayer.dll
version.json
version.json
NPSWF32.dll
NPSWF32.dll
${windows}
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
\\.\pipe\CitrioCrashServices
error %u
error %u
chrome.exe
chrome.exe
hunspecified-crash-key
hunspecified-crash-key
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
dbghelp.dll
dbghelp.dll
rpcrt4.dll
rpcrt4.dll
%s\%s.dmp
%s\%s.dmp
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
Ndebug.log
Ndebug.log
\StringFileInfo\xx\%ls
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
50.0.2661.271
citrio_exe
citrio_exe
citrio.exe_3364_rwx_06B0A000_000F5000:
webk
webk
citrio.exe_1080:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
HtdHtHHHt.HH
HtdHtHHHt.HH
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
Failed to load Chrome DLL from
ChromeMain
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
Could not find exported function
1.3.21.115
1.3.21.115
Chrome
Chrome
0.0.0.0-devel
0.0.0.0-devel
font_key_name
font_key_name
url-chunk
url-chunk
subresource_url
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
%s-%x
CHROME_MAIN_TICKS
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
No valid Chrome version found
chrome-sxs
chrome-sxs
googlechrome
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
iexplore.exe
googlechromeframe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Failed to open key "
Skipping over key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
CreateNamedPipeW
NtCreateKey
NtCreateKey
NtOpenKey
NtOpenKey
NtOpenKeyEx
NtOpenKeyEx
MetricsReportingEnabled
MetricsReportingEnabled
widevinecdmadapter.dll
widevinecdmadapter.dll
CHROME_VERSION
CHROME_VERSION
CHROME_HEADLESS
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_CRASHED
CHROME_RESTART
CHROME_RESTART
user_experience_metrics.reporting_enabled
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
NTDLL.DLL
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
GetProcessWindowStation
GetProcessWindowStation
operator
operator
(0x%X)
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
%s-%Iu
(%d = %3.1f%%)
(%d = %3.1f%%)
Histogram: %s recorded %d samples
Histogram: %s recorded %d samples
(flags = 0x%x)
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
PlatformFile.UnknownErrors.Windows
user32.dll
user32.dll
.thunks
.thunks
.syzygy
.syzygy
Dictionary keys must be quoted.
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
Line: %i, column: %i, %s
full-memory-crash-report
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
SignalChromeElf
citrio_elf.dll
citrio_elf.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
RegCreateKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
CloseWindowStation
CloseWindowStation
CreateWindowStationW
CreateWindowStationW
SetProcessWindowStation
SetProcessWindowStation
USER32.dll
USER32.dll
SetProcessShutdownParameters
SetProcessShutdownParameters
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
CreateIoCompletionPort
CreateIoCompletionPort
GetProcessHandleCount
GetProcessHandleCount
KERNEL32.dll
KERNEL32.dll
USERENV.dll
USERENV.dll
WTSAPI32.dll
WTSAPI32.dll
GetCPInfo
GetCPInfo
SetNamedPipeHandleState
SetNamedPipeHandleState
TransactNamedPipe
TransactNamedPipe
WaitNamedPipeW
WaitNamedPipeW
zcÃ
zcÃ
444.44...4
444.44...4
4.4....4.
4.4....4.
..44.44@4
..44.44@4
4@444@4.
4@444@4.
.4@4@@4.
.4@4@@4.
}.GnO
}.GnO
Ôjo
Ôjo
k.SZ[
k.SZ[
j.oii
j.oii
00J0
00J0
4O4
4O4
>">'>,>9>
>">'>,>9>
=&=/=6=>=!>
=&=/=6=>=!>
8!8)8/888
8!8)8/888
8 8$8(8,8
8 8$8(8,8
4 4(40484
4 4(40484
4 4$4(4,40444
4 4$4(4,40444
7 7$7(7,7
7 7$7(7,7
5(545@5`5
5(545@5`5
citrio_watcher.dll
citrio_watcher.dll
citrio.dll
citrio.dll
citrio_child.dll
citrio_child.dll
metro_driver.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeCanary
ChromeSSHTM
ChromeSSHTM
Chrome Canary HTML Document
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chrome
-chromeframe
-chromeframe
WebAccessible
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
DGoogle Chrome Frame
Chrome in a Frame.
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
ntdll.dll
ntdll.dll
pipe\
pipe\
Ckernel32.dll
Ckernel32.dll
kernelbase.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
ALPC Port
eKey
eKey
gdi32.dll
gdi32.dll
xntdll.dll
xntdll.dll
wow_helper.exe"
wow_helper.exe"
shell32.dll
shell32.dll
Crash Reports
Crash Reports
script.log
script.log
resources.pak
resources.pak
chrome
chrome
pepflashplayer.dll
pepflashplayer.dll
version.json
version.json
NPSWF32.dll
NPSWF32.dll
${windows}
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
\\.\pipe\CitrioCrashServices
error %u
error %u
chrome.exe
chrome.exe
hunspecified-crash-key
hunspecified-crash-key
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
dbghelp.dll
dbghelp.dll
rpcrt4.dll
rpcrt4.dll
%s\%s.dmp
%s\%s.dmp
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
Ndebug.log
Ndebug.log
\StringFileInfo\xx\%ls
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
50.0.2661.271
citrio_exe
citrio_exe
citrio.exe_212:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
HtdHtHHHt.HH
HtdHtHHHt.HH
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
Failed to load Chrome DLL from
ChromeMain
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
Could not find exported function
1.3.21.115
1.3.21.115
Chrome
Chrome
0.0.0.0-devel
0.0.0.0-devel
font_key_name
font_key_name
url-chunk
url-chunk
subresource_url
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
%s-%x
CHROME_MAIN_TICKS
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
No valid Chrome version found
chrome-sxs
chrome-sxs
googlechrome
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
iexplore.exe
googlechromeframe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Failed to open key "
Skipping over key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
CreateNamedPipeW
NtCreateKey
NtCreateKey
NtOpenKey
NtOpenKey
NtOpenKeyEx
NtOpenKeyEx
MetricsReportingEnabled
MetricsReportingEnabled
widevinecdmadapter.dll
widevinecdmadapter.dll
CHROME_VERSION
CHROME_VERSION
CHROME_HEADLESS
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_CRASHED
CHROME_RESTART
CHROME_RESTART
user_experience_metrics.reporting_enabled
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
NTDLL.DLL
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
GetProcessWindowStation
GetProcessWindowStation
operator
operator
(0x%X)
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
%s-%Iu
(%d = %3.1f%%)
(%d = %3.1f%%)
Histogram: %s recorded %d samples
Histogram: %s recorded %d samples
(flags = 0x%x)
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
PlatformFile.UnknownErrors.Windows
user32.dll
user32.dll
.thunks
.thunks
.syzygy
.syzygy
Dictionary keys must be quoted.
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
Line: %i, column: %i, %s
full-memory-crash-report
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
SignalChromeElf
citrio_elf.dll
citrio_elf.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
RegCreateKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
CloseWindowStation
CloseWindowStation
CreateWindowStationW
CreateWindowStationW
SetProcessWindowStation
SetProcessWindowStation
USER32.dll
USER32.dll
SetProcessShutdownParameters
SetProcessShutdownParameters
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
CreateIoCompletionPort
CreateIoCompletionPort
GetProcessHandleCount
GetProcessHandleCount
KERNEL32.dll
KERNEL32.dll
USERENV.dll
USERENV.dll
WTSAPI32.dll
WTSAPI32.dll
GetCPInfo
GetCPInfo
SetNamedPipeHandleState
SetNamedPipeHandleState
TransactNamedPipe
TransactNamedPipe
WaitNamedPipeW
WaitNamedPipeW
zcÃ
zcÃ
444.44...4
444.44...4
4.4....4.
4.4....4.
..44.44@4
..44.44@4
4@444@4.
4@444@4.
.4@4@@4.
.4@4@@4.
}.GnO
}.GnO
Ôjo
Ôjo
k.SZ[
k.SZ[
j.oii
j.oii
00J0
00J0
4O4
4O4
>">'>,>9>
>">'>,>9>
=&=/=6=>=!>
=&=/=6=>=!>
8!8)8/888
8!8)8/888
8 8$8(8,8
8 8$8(8,8
4 4(40484
4 4(40484
4 4$4(4,40444
4 4$4(4,40444
7 7$7(7,7
7 7$7(7,7
5(545@5`5
5(545@5`5
citrio_watcher.dll
citrio_watcher.dll
citrio.dll
citrio.dll
citrio_child.dll
citrio_child.dll
metro_driver.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeCanary
ChromeSSHTM
ChromeSSHTM
Chrome Canary HTML Document
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chrome
-chromeframe
-chromeframe
WebAccessible
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
DGoogle Chrome Frame
Chrome in a Frame.
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
ntdll.dll
ntdll.dll
pipe\
pipe\
Ckernel32.dll
Ckernel32.dll
kernelbase.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
ALPC Port
eKey
eKey
gdi32.dll
gdi32.dll
xntdll.dll
xntdll.dll
wow_helper.exe"
wow_helper.exe"
shell32.dll
shell32.dll
Crash Reports
Crash Reports
script.log
script.log
resources.pak
resources.pak
chrome
chrome
pepflashplayer.dll
pepflashplayer.dll
version.json
version.json
NPSWF32.dll
NPSWF32.dll
${windows}
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
\\.\pipe\CitrioCrashServices
error %u
error %u
chrome.exe
chrome.exe
hunspecified-crash-key
hunspecified-crash-key
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
dbghelp.dll
dbghelp.dll
rpcrt4.dll
rpcrt4.dll
%s\%s.dmp
%s\%s.dmp
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
Ndebug.log
Ndebug.log
\StringFileInfo\xx\%ls
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
50.0.2661.271
citrio_exe
citrio_exe
citrio.exe_1080_rwx_06E0A000_000F5000:
XVWSSShH
XVWSSShH
citrio.exe_2260:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
HtdHtHHHt.HH
HtdHtHHHt.HH
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
Failed to load Chrome DLL from
ChromeMain
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
Could not find exported function
1.3.21.115
1.3.21.115
Chrome
Chrome
0.0.0.0-devel
0.0.0.0-devel
font_key_name
font_key_name
url-chunk
url-chunk
subresource_url
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
%s-%x
CHROME_MAIN_TICKS
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
No valid Chrome version found
chrome-sxs
chrome-sxs
googlechrome
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
iexplore.exe
googlechromeframe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Failed to open key "
Skipping over key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
CreateNamedPipeW
NtCreateKey
NtCreateKey
NtOpenKey
NtOpenKey
NtOpenKeyEx
NtOpenKeyEx
MetricsReportingEnabled
MetricsReportingEnabled
widevinecdmadapter.dll
widevinecdmadapter.dll
CHROME_VERSION
CHROME_VERSION
CHROME_HEADLESS
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_CRASHED
CHROME_RESTART
CHROME_RESTART
user_experience_metrics.reporting_enabled
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
NTDLL.DLL
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
GetProcessWindowStation
GetProcessWindowStation
operator
operator
(0x%X)
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
%s-%Iu
(%d = %3.1f%%)
(%d = %3.1f%%)
Histogram: %s recorded %d samples
Histogram: %s recorded %d samples
(flags = 0x%x)
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
PlatformFile.UnknownErrors.Windows
user32.dll
user32.dll
.thunks
.thunks
.syzygy
.syzygy
Dictionary keys must be quoted.
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
Line: %i, column: %i, %s
full-memory-crash-report
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
SignalChromeElf
citrio_elf.dll
citrio_elf.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
RegCreateKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
CloseWindowStation
CloseWindowStation
CreateWindowStationW
CreateWindowStationW
SetProcessWindowStation
SetProcessWindowStation
USER32.dll
USER32.dll
SetProcessShutdownParameters
SetProcessShutdownParameters
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
CreateIoCompletionPort
CreateIoCompletionPort
GetProcessHandleCount
GetProcessHandleCount
KERNEL32.dll
KERNEL32.dll
USERENV.dll
USERENV.dll
WTSAPI32.dll
WTSAPI32.dll
GetCPInfo
GetCPInfo
SetNamedPipeHandleState
SetNamedPipeHandleState
TransactNamedPipe
TransactNamedPipe
WaitNamedPipeW
WaitNamedPipeW
zcÃ
zcÃ
444.44...4
444.44...4
4.4....4.
4.4....4.
..44.44@4
..44.44@4
4@444@4.
4@444@4.
.4@4@@4.
.4@4@@4.
}.GnO
}.GnO
Ôjo
Ôjo
k.SZ[
k.SZ[
j.oii
j.oii
00J0
00J0
4O4
4O4
>">'>,>9>
>">'>,>9>
=&=/=6=>=!>
=&=/=6=>=!>
8!8)8/888
8!8)8/888
8 8$8(8,8
8 8$8(8,8
4 4(40484
4 4(40484
4 4$4(4,40444
4 4$4(4,40444
7 7$7(7,7
7 7$7(7,7
5(545@5`5
5(545@5`5
citrio_watcher.dll
citrio_watcher.dll
citrio.dll
citrio.dll
citrio_child.dll
citrio_child.dll
metro_driver.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeCanary
ChromeSSHTM
ChromeSSHTM
Chrome Canary HTML Document
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chrome
-chromeframe
-chromeframe
WebAccessible
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
DGoogle Chrome Frame
Chrome in a Frame.
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
ntdll.dll
ntdll.dll
pipe\
pipe\
Ckernel32.dll
Ckernel32.dll
kernelbase.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
ALPC Port
eKey
eKey
gdi32.dll
gdi32.dll
xntdll.dll
xntdll.dll
wow_helper.exe"
wow_helper.exe"
shell32.dll
shell32.dll
Crash Reports
Crash Reports
script.log
script.log
resources.pak
resources.pak
chrome
chrome
pepflashplayer.dll
pepflashplayer.dll
version.json
version.json
NPSWF32.dll
NPSWF32.dll
${windows}
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
\\.\pipe\CitrioCrashServices
error %u
error %u
chrome.exe
chrome.exe
hunspecified-crash-key
hunspecified-crash-key
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
dbghelp.dll
dbghelp.dll
rpcrt4.dll
rpcrt4.dll
%s\%s.dmp
%s\%s.dmp
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
Ndebug.log
Ndebug.log
\StringFileInfo\xx\%ls
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
50.0.2661.271
citrio_exe
citrio_exe
citrio.exe_212_rwx_0800A000_000F5000:
j.hYv
j.hYv
webk
webk
=.DOU
=.DOU
=.DOUu
=.DOUu
=.ha"
=.ha"
=.ha"u
=.ha"u
citrio.exe_212_rwx_08A0A000_000F5000:
=HTTP
=HTTP
.facu
.facu
webv
webv
=.FAC
=.FAC
=.FACu
=.FACu
citrio.exe_2260_rwx_0520A000_00038000:
Ph-%c
Ph-%c
citrio.exe_2260_rwx_0680A000_000F5000:
PhÃ
PhÃ
citrio.exe_2340:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
HtdHtHHHt.HH
HtdHtHHHt.HH
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
Failed to load Chrome DLL from
ChromeMain
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
Could not find exported function
1.3.21.115
1.3.21.115
Chrome
Chrome
0.0.0.0-devel
0.0.0.0-devel
font_key_name
font_key_name
url-chunk
url-chunk
subresource_url
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
%s-%x
CHROME_MAIN_TICKS
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
No valid Chrome version found
chrome-sxs
chrome-sxs
googlechrome
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
iexplore.exe
googlechromeframe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Failed to open key "
Skipping over key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
CreateNamedPipeW
NtCreateKey
NtCreateKey
NtOpenKey
NtOpenKey
NtOpenKeyEx
NtOpenKeyEx
MetricsReportingEnabled
MetricsReportingEnabled
widevinecdmadapter.dll
widevinecdmadapter.dll
CHROME_VERSION
CHROME_VERSION
CHROME_HEADLESS
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_CRASHED
CHROME_RESTART
CHROME_RESTART
user_experience_metrics.reporting_enabled
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
NTDLL.DLL
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
GetProcessWindowStation
GetProcessWindowStation
operator
operator
(0x%X)
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
%s-%Iu
(%d = %3.1f%%)
(%d = %3.1f%%)
Histogram: %s recorded %d samples
Histogram: %s recorded %d samples
(flags = 0x%x)
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
PlatformFile.UnknownErrors.Windows
user32.dll
user32.dll
.thunks
.thunks
.syzygy
.syzygy
Dictionary keys must be quoted.
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
Line: %i, column: %i, %s
full-memory-crash-report
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
SignalChromeElf
citrio_elf.dll
citrio_elf.dll
VERSION.dll
VERSION.dll
WINMM.dll
WINMM.dll
RegCreateKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
CloseWindowStation
CloseWindowStation
CreateWindowStationW
CreateWindowStationW
SetProcessWindowStation
SetProcessWindowStation
USER32.dll
USER32.dll
SetProcessShutdownParameters
SetProcessShutdownParameters
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
CreateIoCompletionPort
CreateIoCompletionPort
GetProcessHandleCount
GetProcessHandleCount
KERNEL32.dll
KERNEL32.dll
USERENV.dll
USERENV.dll
WTSAPI32.dll
WTSAPI32.dll
GetCPInfo
GetCPInfo
SetNamedPipeHandleState
SetNamedPipeHandleState
TransactNamedPipe
TransactNamedPipe
WaitNamedPipeW
WaitNamedPipeW
zcÃ
zcÃ
444.44...4
444.44...4
4.4....4.
4.4....4.
..44.44@4
..44.44@4
4@444@4.
4@444@4.
.4@4@@4.
.4@4@@4.
}.GnO
}.GnO
Ôjo
Ôjo
k.SZ[
k.SZ[
j.oii
j.oii
00J0
00J0
4O4
4O4
>">'>,>9>
>">'>,>9>
=&=/=6=>=!>
=&=/=6=>=!>
8!8)8/888
8!8)8/888
8 8$8(8,8
8 8$8(8,8
4 4(40484
4 4(40484
4 4$4(4,40444
4 4$4(4,40444
7 7$7(7,7
7 7$7(7,7
5(545@5`5
5(545@5`5
citrio_watcher.dll
citrio_watcher.dll
citrio.dll
citrio.dll
citrio_child.dll
citrio_child.dll
metro_driver.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeCanary
ChromeSSHTM
ChromeSSHTM
Chrome Canary HTML Document
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chrome
-chromeframe
-chromeframe
WebAccessible
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
DGoogle Chrome Frame
Chrome in a Frame.
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
ntdll.dll
ntdll.dll
pipe\
pipe\
Ckernel32.dll
Ckernel32.dll
kernelbase.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
ALPC Port
eKey
eKey
gdi32.dll
gdi32.dll
xntdll.dll
xntdll.dll
wow_helper.exe"
wow_helper.exe"
shell32.dll
shell32.dll
Crash Reports
Crash Reports
script.log
script.log
resources.pak
resources.pak
chrome
chrome
pepflashplayer.dll
pepflashplayer.dll
version.json
version.json
NPSWF32.dll
NPSWF32.dll
${windows}
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
\\.\pipe\CitrioCrashServices
error %u
error %u
chrome.exe
chrome.exe
hunspecified-crash-key
hunspecified-crash-key
mscoree.dll
mscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
dbghelp.dll
dbghelp.dll
rpcrt4.dll
rpcrt4.dll
%s\%s.dmp
%s\%s.dmp
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
Ndebug.log
Ndebug.log
\StringFileInfo\xx\%ls
\StringFileInfo\xx\%ls
Chrome_MessageWindow
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
50.0.2661.271
citrio_exe
citrio_exe