Gen.Variant.Mikey.51077_4c1f48a6b5

by malwarelabrobot on August 16th, 2016 in Malware Descriptions.

Gen:Variant.Mikey.51077 (B) (Emsisoft), Gen:Variant.Mikey.51077 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 4c1f48a6b56af294f983453bdd21e6af
SHA1: 8bf843c8186a864365d8be0b20b2851399957d77
SHA256: 28d50dba18a0a2458692adfcb2f4f28127db7d8911c23a657bcd1ecdd659ef6b
SSDeep: 12288:mlzcNRuu/0zxHGSAsbl/JgisB8SwkbFsVCTKXDtRv2VyGXLL:mU7/GHmOJlCXwkaVzTzvO
Size: 724536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Catalina Group Ltd.
Created at: 2015-10-24 01:28:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

citrio_50.0.2661.271_1.exe:3084
CatalinaUpdate.exe:1284
CatalinaUpdate.exe:1948
CatalinaUpdate.exe:592
CatalinaUpdate.exe:624
CatalinaUpdate.exe:1228
CatalinaUpdate.exe:2724
citrio.exe:3452
citrio.exe:3508
citrio.exe:3560
citrio.exe:4076
citrio.exe:1228
citrio.exe:3376
citrio.exe:3420
citrio.exe:3436
citrio.exe:3468
citrio.exe:3496
citrio.exe:3412
citrio.exe:3520
citrio.exe:3648
citrio.exe:3572
citrio.exe:3528
CatalinaCrashHandler.exe:2672
%original file name%.exe:348
setup.exe:3544

The Trojan injects its code into the following process(es):

citrio.exe:212
citrio.exe:1080
citrio.exe:3364
citrio.exe:3016
citrio.exe:2260

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process citrio_50.0.2661.271_1.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\setup.exe (20838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\SETUP.EX_ (1731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\CITRIO.PACKED.7Z (443233 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\CITRIO.PACKED.7Z (0 bytes)

The process CatalinaUpdate.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install\{2EE34F43-5047-454D-A00C-8C4791C44D77}\citrio_50.0.2661.271_1.exe (449813 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\50.0.2661.271\citrio_50.0.2661.271_1.exe (449813 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{4DD1FD9C-4C27-40AD-9A58-CCC3BAA59079}-citrio_50.0.2661.271_1.exe (0 bytes)

The process CatalinaUpdate.exe:592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll (19 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll (28 bytes)

The process citrio.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GPMFO96B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\debug.log (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HHZ07SG0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDUB0TY7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ON4PSBMF\desktop.ini (67 bytes)

The process citrio.exe:1228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\manifest.json (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\uk\messages.json (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\fil\messages.json (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\video.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\play_track.png (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\audio.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\open_in_folder.png (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.html (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\en\messages.json (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\citrio.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ms\messages.json (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ru\messages.json (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\th\messages.json (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\id\messages.json (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\128.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\pt_BR\messages.json (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ar\messages.json (374 bytes)

The process citrio.exe:3376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ms\messages.json (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\id\messages.json (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\popup.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon35.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon48.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.fb.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.tw.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\css\template.css (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\background.js (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16-old.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\manifest.json (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16.png (497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\en\messages.json (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon128.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\locale.js (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\fil\messages.json (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\pt_BR\messages.json (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon64.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.gp.png (1 bytes)

The process citrio.exe:3016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\LOG (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000003.log (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_3 (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_2 (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_1 (7112 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons (4342 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor (5093 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10.tmp (162124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data-journal (13750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\LOG (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_bzErAGqsXYnpIzL (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\citrio_ext.crx (114298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\LOG (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\17.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000001 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (305478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\First Run (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Visited Links (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\15.tmp (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_un2S1bucDLFPyFj (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\media_downloader.crx (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\download_all.crx (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\13.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000003.log (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites-journal (12948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\share_page.crx (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\19.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data (29629 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data (3478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor-journal (11985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_a5iDZNqB3HvkBEZ (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites (5232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1C.tmp (644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_y2LoLvnnttwawLo (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_IYtZfL4RjyYddJy (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\7.tmp (1478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\index (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\README (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_kSEsv1UeGSodnIo (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History (21181 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\14.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\10.tmp (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_0 (6092 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1A.tmp (999630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\proxy.crx (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Current Session (7167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_qAfo2hnyMisAbxx (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Preferences~RF65016.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Preferences~RF64c7c.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Secure Preferences~RF64d86.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (0 bytes)

The process citrio.exe:3436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\th\messages.json (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\search.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\fil\messages.json (520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.inactive.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.interface.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\uk\messages.json (862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\pt_BR\messages.json (525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\id\messages.json (481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ru\messages.json (868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\en\messages.json (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\locale.js (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\css\template.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.png (60000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\manifest.json (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.ui.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ar\messages.json (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon.close.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon128.png (60000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.popup.js (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ms\messages.json (503 bytes)

The process citrio.exe:3468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_empty.png (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_19.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_stats.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libcurl.dll (22840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\_bz2.pyd (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\manifest.json (988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_16.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\citrio_ext.dll (34392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pyexpat.pyd (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pywintypes34.dll (7784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtCore4.dll (152471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\ssleay32.dll (18768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\youtube-dl.exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\zlib1.dll (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcp100.dll (27336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcr100.dll (49672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\select.pyd (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_dv.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libeay32.dll (76989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_dv.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\base_library.zip (206432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32wnet.pyd (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libtorrent.dll (129574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\dlnlib.dll (38624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\unicodedata.pyd (48768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtGui4.dll (541377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\background.html (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32api.pyd (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_stats.js (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_notification.js (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\python34.dll (164484 bytes)

The process citrio.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_detail.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\agent.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\th\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\doT.min.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\popup.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\sandbox.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\new.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ru\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\logging.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\id\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\manifest.json (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ar\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\mochi.js (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\popup.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.js (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\base64.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\sandbox.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\mochi.css (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\model.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\uk\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\en\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_list.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.local.js (619 bytes)

The process citrio.exe:3520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\disable.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\sprite.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\style.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-active.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all-disable.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\open-icon.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\en\messages.json (981 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-hover.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\theme.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\background.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\id\messages.json (994 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\jquery-1.11.0.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\js.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\manifest.json (557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\active.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\locale.js (244 bytes)

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (0 bytes)

The process setup.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bg.pak (1714 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\proxy.crx (1676 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\d3dcompiler_47.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-TW.pak (219 bytes)
%Documents and Settings%\%current user%\Desktop\Facebook.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\he.pak (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\resources.pak (150724 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ru.pak (1688 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\am.pak (1647 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\download_all.crx (1766 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ar.pak (1641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\citrio.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sl.pak (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ro.pak (268 bytes)
%Documents and Settings%\%current user%\Desktop\YouTube.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-BR.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-US.pak (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libexif.dll (307 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sk.pak (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\chrome.VisualElementsManifest.xml (342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_32.nexe (20507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\external_extensions.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sw.pak (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_200_percent.pak (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\smalllogo.png (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\metro_driver.dll (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ja.pak (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\de.pak (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libglesv2.dll (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hu.pak (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ms.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\50.0.2661.271.manifest (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\gu.pak (1805 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es-419.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\pepflashplayer.dll (124061 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\logo.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\tr.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\id.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_100_percent.pak (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\el.pak (1752 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fr.pak (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-CN.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fil.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\widevinecdmadapter.dll (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_child.dll (321430 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\icudtl.dat (75554 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\cs.pak (268 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ml.pak (3743 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lt.pak (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fa.pak (1654 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl64.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sv.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_watcher.dll (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\secondarytile.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\version.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_64.nexe (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\natives_blob.bin (1711 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\citrio.7z (1358422 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\uk.pak (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\share_page.crx (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\delegate_execute.exe (3802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hi.pak (1820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-GB.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\mr.pak (1812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\te.pak (1870 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sr.pak (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\da.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nb.pak (238 bytes)
%Documents and Settings%\%current user%\Desktop\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fi.pak (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\et.pak (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\it.pak (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nl.pak (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio.dll (259439 bytes)
%Documents and Settings%\%current user%\Desktop\Chrome Web Store.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libegl.dll (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_100_percent.pak (6303 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\kn.pak (3680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ca.pak (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_200_percent.pak (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\wow_helper.exe (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\snapshot_blob.bin (1802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hr.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_elf.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ko.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-PT.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\th.pak (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bn.pak (1839 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\media_downloader.crx (1670 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lv.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\citrio_ext.crx (110258 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ta.pak (3691 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\vi.pak (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pl.pak (261 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\citrio.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\wow_helper.exe (0 bytes)

Registry activity

The process citrio_50.0.2661.271_1.exe:3084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 A8 A0 DA 2F 53 E8 E3 48 53 36 C0 EE 66 84 68"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap" = "-full"

The process CatalinaUpdate.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"CLSID" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}]
"(Default)" = "ICatalinaUpdate3WebSecurity"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}]
"(Default)" = "IAppBundle"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\NumMethods]
"(Default)" = "39"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\NumMethods]
"(Default)" = "13"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{3EC095D7-1164-4B7C-B570-92B48F6E82DC}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}]
"(Default)" = "ICredentialDialog"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}]
"(Default)" = "ICatalinaUpdate"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}]
"(Default)" = "Update3COMClass"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}]
"(Default)" = "IAppVersionWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}]
"(Default)" = "IOneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}]
"(Default)" = "ICoCreateAsync"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}]
"(Default)" = "ICurrentState"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}]
"(Default)" = "IAppBundleWeb"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}]
"(Default)" = "IApp"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\NumMethods]
"(Default)" = "5"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 45 E9 53 81 1E CD 31 AA 1B 14 A2 74 3E 05 FE"

[HKCU\Software\Classes\CLSID\{3EC095D7-1164-4B7C-B570-92B48F6E82DC}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\NumMethods]
"(Default)" = "44"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\VersionIndependentProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\NumMethods]
"(Default)" = "9"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\NumMethods]
"(Default)" = "6"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"Policy" = "3"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}]
"(Default)" = "ICatalinaUpdateCore"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\ProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CurVer]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}]
"(Default)" = "ICatalinaUpdate3"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}]
"(Default)" = "IJobObserver"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}]
"(Default)" = "IAppVersion"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}]
"(Default)" = "ICatalinaUpdate3Web"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}]
"(Default)" = "IBrowserHttpRequest2"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}]
"(Default)" = "IPackage"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\ProxyStubClsid32]
"(Default)" = "{3EC095D7-1164-4B7C-B570-92B48F6E82DC}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}]
"(Default)" = "IAppWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}]
"(Default)" = "IProcessLauncher"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\ProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\CLSID\{3EC095D7-1164-4B7C-B570-92B48F6E82DC}\InProcServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}]
"(Default)" = "IProgressWndEvents"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}]
"(Default)" = "IRegistrationUpdateHook"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}]
[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
[HKCU\Software\Classes\CLSID\{EC8AA9F5-22DB-42D4-9E26-0316CBCE7EAA}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"pv" = "50.0.2661.271"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_package_cache_put_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"brand" = "GGLS"
"LastInstallerError" = "0"
"LastInstallerResult" = "0"
"referral" = "1:citrio_website"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_download_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_package_cache_put_total" = "01 00 00 00 00 00 00 00"
"worker_download_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerError" = "0"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastInstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"
"lang" = "en"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "04 00 00 00 00 00 00 00"
"worker_install_execute_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"bt" = "1"
"LastCheckSuccess" = "1471278600"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "04 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 7C 12 1B 33 57 E3 DC 9C 40 DA D5 5B 66 8D A4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallTime" = "1471278585"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerResult" = "0"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"iid" = "{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"browser"
"LastInstallerError"
"LastInstallerResultUIString"
"eulaaccepted"
"UpdateAvailableSince"
"tttoken"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"c"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"experiment_labels"
"InstallerResult"
"LastInstallerExtraCode1"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerError"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastInstallerSuccessLaunchCmdLine"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerSuccessLaunchCmdLine"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerError"
"LastInstallerResult"
"UpdateAvailableCount"
"InstallerSuccessLaunchCmdLine"
"ap"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerResultUIString"
"LastInstallerExtraCode1"
"LastInstallerResult"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"iid"

The process CatalinaUpdate.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"opt_in_uid_generated" = "01 00 00 00 00 00 00 00"
"setup_should_install_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_install_google_update_total_ms" = "01 00 00 00 00 00 00 00 59 04 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"iid" = "{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"

[HKCU\Software\CatalinaGroup\Update]
"UID" = "{C10F4F9D-DF6C-4164-824A-840C447357BE}"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.oneclickctrl.9]
"CLSID" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9\CLSID]
"(Default)" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.update3webcontrol.3]
"CLSID" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_phase2_ms" = "01 00 00 00 00 00 00 00 C0 02 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppName" = "CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update]
"Version" = "1.3.25.223"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Description" = "CatalinaGroup Update"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"Name" = "Catalina Update"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"InstallTime" = "1471278479"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\ProgID]
"(Default)" = "CatalinaGroup.OneClickCtrl.9"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_do_self_install_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_lock_acquire_ms" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Description" = "CatalinaGroup Update"
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_files_total" = "01 00 00 00 00 00 00 00"
"goopdate_main" = "06 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Version" = "9"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.223"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3\CLSID]
"(Default)" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppName" = "CatalinaUpdateOnDemand.exe"

[HKCU\Software\CatalinaGroup\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "06 00 00 00 00 00 00 00"
"setup_do_self_install_succeeded" = "01 00 00 00 00 00 00 00"
"setup_install_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Version" = "3"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B B5 0B 14 68 5C 21 DD 1C 7C EA FD D0 6B 24 8B"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.223"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_should_install_true_fresh_install" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\ProgID]
"(Default)" = "CatalinaGroup.Update3WebControl.3"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_files_ms" = "01 00 00 00 00 00 00 00 86 01 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_install_total" = "01 00 00 00 00 00 00 00"
"setup_files_verification_succeeded" = "01 00 00 00 00 00 00 00"
"setup_install_task_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"brand" = "GGLS"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_install_task_ms" = "01 00 00 00 00 00 00 00 B7 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\CatalinaGroup\Update]
"ui"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableSince"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"c"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableCount"

[HKCU\Software\CatalinaGroup\Update]
"LastChecked"

The process CatalinaUpdate.exe:624 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 46 3C A3 32 32 3F 01 FF A3 99 E7 DD 64 09 36"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "05 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 0C 4F C8 36 38 0B F1 99 92 E2 5B 10 FE 13 CE"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:2724 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 BB C2 D0 90 A6 F0 2C 39 6C 8D 22 C6 4D 4D 18"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "03 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process citrio.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 C0 49 52 45 F3 D0 31 AC 88 5B 8C 21 BB D7 F0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process citrio.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 11 C7 0C 4A FD 1A 1D F1 A1 C1 AE A9 D9 53 68"

The process citrio.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB E3 7D 0C 41 D9 88 40 4C F5 D7 0F 62 DF 66 71"

The process citrio.exe:4076 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 44 5F 15 2F 02 4C F7 2B B8 1A 5D E6 2D F5 44"

The process citrio.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 F7 47 7A 3E 68 94 9E 1E F1 06 4B 8D C4 BA 17"

The process citrio.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 4F 49 63 D6 F9 05 A0 7A E3 C9 BA 71 1F 85 55"

The process citrio.exe:3364 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 C8 43 AF 44 5C 89 AA 11 1B 19 38 2C 2A 6F 77"

The process citrio.exe:3376 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 0A 92 6B FF EA 22 89 75 FF D1 C1 B8 88 BC 34"

The process citrio.exe:3420 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F DB 95 1D C6 5D 12 F9 1F 57 79 9A 68 0C 91 A1"

The process citrio.exe:3016 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"dr" = "1"
"usagestats" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"Version" = "50.0.2661.271"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"

[HKCU\Software\CatalinaGroup\Citrio\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "0"

[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"State" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"lastrun" = "13115752212794125"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastWasDefault" = "Type: REG_QWORD, Length: 8"
"_NumSignedIn" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"

[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"failed_count" = "0"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 6D 00 C0 25"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 21 1B C0 12 B8 48 E7 F2 07 BA A8 DC 8D CD 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"_NumAccounts" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"

The Trojan deletes the following registry key(s):

[HKCU\Software\CatalinaGroup\Citrio\BLFinchList]

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"FirstNotDefault"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F"

The process citrio.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 20 E3 A3 00 28 FA 97 F3 65 7F 03 92 9A F9 ED"

The process citrio.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 15 AC 64 0B C8 38 F0 48 FA 07 79 49 B0 4A B9"

The process citrio.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 6D 5F 11 6A C6 08 95 D1 9E FE 85 CC BC 5D F2"

The process citrio.exe:3412 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 6B EF 70 16 F5 13 F2 05 7F 13 64 0A 72 41 1C"

The process citrio.exe:3520 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 4C 20 27 97 61 39 71 7C B3 DB B0 A8 1B 46 DA"

The process citrio.exe:3648 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 84 68 4E 31 49 79 26 AA 5A 54 8C 13 78 16 4B"

The process citrio.exe:3572 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 95 13 F5 DF 7C 91 52 5B E4 BB DD 43 BE 55 99"

The process citrio.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 3D 21 20 AA C3 28 C0 E0 FD 11 2A B7 87 58 7F"

The process CatalinaCrashHandler.exe:2672 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 1F C6 B5 51 CE 94 F6 A2 69 CE 43 8A 3D 4D B4"

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 6A 93 9C 50 97 4A 3D E2 CD 90 45 61 D1 DE FA"

The process setup.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".avi" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".webp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".AAC" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\magnet\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio,"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"HideIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --hide-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"NoRepair" = "1"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCR\.xht\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\delegate_execute.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationName" = "Citrio"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mov" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".xhtml" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xa" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"nntp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".flv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".torrent" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"https" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"Publisher" = "© Catalinagroup Ltd."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"lang" = "en"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".shtml" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"pv" = "50.0.2661.271"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"IconsVisible" = "1"
"ReinstallCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --make-default-browser"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"pv" = "50.0.2661.271"

[HKCU\Software\Classes\.xht]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".m4v" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".au" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".xht" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\citrio.exe]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application"

[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}]
"(Default)" = "CommandExecuteImpl Class"

[HKCU\Software\Classes\.html]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"bt" = "1"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\.htm\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerError" = "0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ShowIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --show-icons"

[HKCR\.webp\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayVersion" = "50.0.2661.271"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastWasDefault" = "Type: REG_QWORD, Length: 8"
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mpg" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".nsv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"news" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".asf" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Citrio]
"AssociationsRegistry" = "1"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKCU\Software\Classes\Magnet\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"Version" = "50.0.2661.271"

[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}\LocalServer32]
"ServerExecutable" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\delegate_execute.exe"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"tel" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerExtraCode1" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E DB 1E EC 7D F8 71 D2 E8 F5 24 8E 4E 59 6F 83"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".wma" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".FLAC" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap" = "-stage:preconditions-full"
"InstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".MP3" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".MP2" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"oopcrashes" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".pdf" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayName" = "Citrio"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mp4" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\Magnet]
"URL Protocol" = ""

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe --on-os-upgrade --verbose-logging"

[HKCU\Software\Classes\.pdf]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"oopcrashes" = "1"

[HKLM\SOFTWARE\RegisteredApplications]
"Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = "Software\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".TTA" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationDescription" = "Citrio is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Citrio."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".3gp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".webm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".tac" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".dts" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".mkv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"NoModify" = "1"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"ftp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\Startmenu]
"StartMenuInternet" = "Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".wmv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".mka" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"smsto" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ram" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKCU\Software\Classes\.shtml]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mailto" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ogv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"webcal" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"lang" = "en"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"magnet" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".3g2" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\.htm]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"UninstallArguments" = " --uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\.xhtml\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Classes\Magnet\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"Name" = "Citrio App Launcher"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe --uninstall"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"sms" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
"mms" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerResult" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".html" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Citrio Document"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\.shtml\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"urn" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\.html\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"VersionMajor" = "2661"
"VersionMinor" = "271"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ra" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\.torrent]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".a52" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".rm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".RV" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".htm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\Magnet\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"irc" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"bt" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\citrio.exe]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"http" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".m2v" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"InstallDate" = "20160815"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"Name" = "Citrio"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".OGG" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".WAV" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".ogm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Citrio"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application]
"citrio.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe:*:Enabled:Citrio"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap"
"FirstNotDefault"
"InstallerExtraCode1"

Dropped PE files

MD5 File path
fffa3bef66e32c82e0c73568dff849be c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll
560d84e7c8d683dbff92d57e1a399f51 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll
ba00b2fb66629db19348a84b980d18e0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll
2a65fe2d121400d813a82eab20a939e3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll
5583d364750bb7d81f14c94e5c7436d0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll
b2ca11171e5a17aa8056c180b24cf666 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll
91c54079cc80835aad5556fb920d03fa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll
d6d9fb241c73daa86742c054bd5d2a9e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll
1d68f6707885426f86311c25e3ffe412 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll
0338eb214377352a1a4064b4d82caa01 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psmachine.dll
6de2e660635cc112929517ca85f068a2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psuser.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Catalina Group Ltd.
Product Name: CatalinaGroup Update
Product Version: 1.3.25.223
Legal Copyright: Copyright 2013 Catalina Group Ltd.
Legal Trademarks:
Original Filename: CatalinaUpdateSetup.exe
Internal Name: CatalinaGroup Update Setup
File Version: 1.3.25.223
File Description: CatalinaGroup Update Setup
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 47535 47616 4.63635 2752a1441fa592610b94de20c1f02a58
.rdata 53248 10788 11264 3.70626 137b135f165828e6808d51b0f23fe651
.data 65536 6460 3584 1.72368 8e425fbedc6927dfabb8fdfaaf8e8d97
.rsrc 73728 651348 651776 5.2981 0fb9c02329234fd0800211194980c94c
.reloc 729088 5598 5632 2.64966 17957bd86fff892742280f82a0bf537a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 47
3c2f29dbac5842ca1a35747628ac2ed0
393a907be957b681bc0bf1985b8d6420
134eaec889515311684f679683f84d60
12a00f8b1f0990c915c2d00d6b655c40
0e4a0bfb2841c39acf056f1988789336
220472c3a5bc9633ca4e5cb3c19c0384
772b11fd0a23bf8968b8badcf92ac30c
781558c19a0a9b6d8e48087bb2496d66
bc69e041c0f0568a819151a1c5434490
462fd3913739c6f582dd6ca6643fcf06
1f1ab2d88a7e3304dced04d70167e011
aeada3aeea1d6888eed4ca48deb80054
5a1558fc9c7f0768eb3f40a705bd0130
45b7dcac232250efbd8132bb78de9683
da9b3f2f924be7f819808c6bcfee9cfe
24f15bce11565ede31511ce789118ef0
45d0d3ecc276beb74daf646fd5d3af66
96afab9e361d2635759c2c9008a0c72e
44e2dd04e6e763b60fe9419ddb728dc7
77911c759cafed5c84f6d819fbaf2069
fee2556c48f72e91e121554e539b09e9
7c542e0abb7e8700e5a0d4f50c941136
f11489e2c77aaccce5be36cd0f412374
7ea8b386deb153674ae71fbaac54ab76
a2c0406aaba834c74f68561c73936587

URLs

URL IP
hxxp://catalinahub.net/update/ping 95.211.171.218
hxxp://catalinahub.net/update/check 95.211.171.218
hxxp://gs1.wpc.v2cdn.net/80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe
hxxp://wpc.A164.taucdn.net/80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe
wpc.a164.taucdn.net 93.184.221.133


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

HEAD /80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: wpc.A164.taucdn.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=0, public
Content-Type: application/octet-stream;charset=UTF-8
Date: Mon, 15 Aug 2016 16:27:50 GMT
Etag: W/"59173264-1464855289000"
Expires: Mon, 15 Aug 2016 16:27:50 GMT
Last-Modified: Thu, 02 Jun 2016 08:14:49 GMT
Server: Apache-Coyote/1.1
X-Cache: HIT
Content-Length: 59173264



GET /80A164/ch-cdn/download/citrio_50.0.2661.271_1.exe HTTP/1.1

Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: wpc.A164.taucdn.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=0, public
Content-Type: application/octet-stream;charset=UTF-8
Date: Mon, 15 Aug 2016 16:27:50 GMT
Etag: W/"59173264-1464855289000"
Expires: Mon, 15 Aug 2016 16:27:52 GMT
Last-Modified: Thu, 02 Jun 2016 08:14:49 GMT
Server: Apache-Coyote/1.1
X-Cache: HIT
Content-Length: 59173264
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........W...6...6..
.6..d.?..6...6...6...O...6...d/..6...6c..6...O*..6..Rich.6............
..............PE..L....1GW.................&..........:#.......@....@.
......................... ............................................
...P..P....`..................................8.......................
.....................P...............................text...'%.......&
.................. ..`.data........@[email protected]..
.....P.......*..............@[email protected]........`.......0..............@.
[email protected][email protected]............................
......................................................................
......................................................................
......................................................................
......................................................................
.................................................1GW........m... ... .
.......1GW....................{.9.2.F.8.A.2.1.9.-.E.7.4.0.-.4.9.D.5.-.
B.7.8.5.-.B.9.6.2.A.D.8.1.9.7.2.4.}.....{.E.9.F.2.4.A.7.C.-.1.3.C.A.-.
4.2.F.B.-.A.4.D.9.-.7.9.C.3.C.9.D.2.1.B.2.8.}.....{.D.E.2.8.A.2.E.A.-.
7.7.F.A.-.4.F.2.B.-.8.2.5.2.-.C.3.B.5.8.4.4.F.6.4.5.5.}.....{.F.0.B.5.
0.D.5.A.-.4.B.B.A.-.4.5.1.4.-.A.D.2.C.-.E.B.A.5.0.C.2.9.C.4.6.0.}.....
..@.-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.h.r.o.m.e.....-.-.c.h.r.o.m.e.-.
f.r.a.m.e.....-.-.m.u.l.t.i.-.i.n.s.t.a.l.l...-.-.s.y.s.t.e.m.-.l.

<<< skipped >>>

POST /update/check HTTP/1.1
User-Agent: Google Update/1.3.25.223;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: catalinahub.net
Content-Length: 567
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.223" ismachine="0" sessionid="{BC71EEE7-46D4-45B3-8B4E-9BA6047E823D}" userid="{C10F4F9D-DF6C-4164-824A-840C447357BE}" installsource="taggedmi" testsource="auto" requestid="{D18CD1C3-99E3-4E93-88E6-14F7AA179772}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"><updatecheck/></app></request>
HTTP/1.1 200 OK
Date: Mon, 15 Aug 2016 16:27:49 GMT
Server: Apache-Coyote/1.1
X-Citrio-Timestamp: xCumNF7TpbZ6dfnvI3geqycbAtI=
Content-Type: application/xml;charset=UTF-8
Cache-Control: max-age=0, public
Expires: Mon, 15 Aug 2016 16:27:50 GMT
Connection: close
Transfer-Encoding: chunked
2b6
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><response protocol="3.0" server="dist"><dayStart elapsed_seconds="59270"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" status="ok"><updatecheck status="ok"><urls><url codebase="hXXp://wpc.A164.taucdn.net/80A164/ch-cdn/download/"/></urls><manifest version="50.0.2661.271"><packages><package hash="2NR3 VFpCX/GS8RGSnh9guQKMR0=" name="citrio_50.0.2661.271_1.exe" required="true" size="59173264"/></packages><actions><action arguments="--chrome --do-not-launch-chrome" event="install" run="citrio_50.0.2661.271_1.exe"/><action event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/></actions></manifest></updatecheck></app></response>
0


POST /update/ping HTTP/1.1
User-Agent: Google Update/1.3.25.223;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: catalinahub.net
Content-Length: 613
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.223" ismachine="0" sessionid="{BC71EEE7-46D4-45B3-8B4E-9BA6047E823D}" userid="{C10F4F9D-DF6C-4164-824A-840C447357BE}" installsource="taggedmi" testsource="auto" requestid="{E653B668-A146-47A1-A080-B47A38A6B741}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" version="" nextversion="1.3.25.223" buildtype="" lang="en" brand="" client="" iid="{76A1FAB9-8AA2-497A-9B8D-AE4539815DE8}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0"/></app></request>
HTTP/1.1 200 OK
Date: Mon, 15 Aug 2016 16:27:49 GMT
Server: Apache-Coyote/1.1
X-Citrio-Timestamp: YIiyBsdYYAr4ZQPgOCI0nFg4UoU=
Content-Type: application/xml;charset=UTF-8
Cache-Control: max-age=0, public
Expires: Mon, 15 Aug 2016 16:27:49 GMT
Connection: close
Transfer-Encoding: chunked
e6
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><response protocol="3.0" server="dist"><dayStart elapsed_seconds="59269"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" status="ok"><event status="ok"/></app></response>
0


The Trojan connects to the servers at the following location(s):

CatalinaCrashHandler.exe_2672:

.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
CatalinaUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--This Id value indicates the application supports Windows 8 functionality-->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--This Id value indicates the application supports Windows 8.1 functionality-->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--This Id value indicates the application supports Windows 10.0 functionality-->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
###7777_{
###____777
###````87{
2 2$2(2,20242~2
4 4$4(4,4
?$?(?,?4?
> >@>\>`>
? ?@?\?`?
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe
KERNEL32.DLL
mscoree.dll
goopdate.dll
CatalinaUpdate.exe
Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}
1.3.25.223
2007-2010
2007-2010

citrio.exe_3016:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="50.0.2661.271" version="50.0.2661.271" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
citrio_exe

citrio.exe_3364:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="50.0.2661.271" version="50.0.2661.271" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
citrio_exe

citrio.exe_3364_rwx_06B0A000_000F5000:

webk

citrio.exe_1080:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="50.0.2661.271" version="50.0.2661.271" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
citrio_exe

citrio.exe_212:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="50.0.2661.271" version="50.0.2661.271" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
50.0.2661.271
citrio_exe

citrio.exe_1080_rwx_06E0A000_000F5000:

XVWSSShH

citrio.exe_2260:

citrio.exe_212_rwx_0800A000_000F5000:

j.hYv
webk
=.DOU
=.DOUu
=.ha"
=.ha"u

citrio.exe_212_rwx_08A0A000_000F5000:

=HTTP
.facu
webv
=.FAC
=.FACu

citrio.exe_2260_rwx_0520A000_00038000:

Ph-%c

citrio.exe_2260_rwx_0680A000_000F5000:

PhÍ

citrio.exe_2340:


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    citrio_50.0.2661.271_1.exe:3084
    CatalinaUpdate.exe:1284
    CatalinaUpdate.exe:1948
    CatalinaUpdate.exe:592
    CatalinaUpdate.exe:624
    CatalinaUpdate.exe:1228
    CatalinaUpdate.exe:2724
    citrio.exe:3452
    citrio.exe:3508
    citrio.exe:3560
    citrio.exe:4076
    citrio.exe:1228
    citrio.exe:3376
    citrio.exe:3420
    citrio.exe:3436
    citrio.exe:3468
    citrio.exe:3496
    citrio.exe:3412
    citrio.exe:3520
    citrio.exe:3648
    citrio.exe:3572
    citrio.exe:3528
    CatalinaCrashHandler.exe:2672
    %original file name%.exe:348
    setup.exe:3544

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\setup.exe (20838 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\SETUP.EX_ (1731 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_FFDB0.tmp\CITRIO.PACKED.7Z (443233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install\{2EE34F43-5047-454D-A00C-8C4791C44D77}\citrio_50.0.2661.271_1.exe (449813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\50.0.2661.271\citrio_50.0.2661.271_1.exe (449813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll (26 bytes)
    %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateHelper.msi (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll (19 bytes)
    %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GPMFO96B\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\debug.log (129 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HHZ07SG0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDUB0TY7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ON4PSBMF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\manifest.json (760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\uk\messages.json (415 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\fil\messages.json (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\video.png (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\play_track.png (241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\audio.png (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\open_in_folder.png (204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\background.html (174 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\en\messages.json (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\citrio.png (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ms\messages.json (218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ru\messages.json (391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\th\messages.json (460 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\id\messages.json (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\images\128.png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\pt_BR\messages.json (229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\CRX_INSTALL\_locales\ar\messages.json (374 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\logo.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ms\messages.json (548 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\id\messages.json (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\popup.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon35.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon48.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.fb.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.tw.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\css\template.css (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\background.js (261 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\th\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16-old.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\manifest.json (595 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\16.png (497 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\en\messages.json (514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon128.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\js\locale.js (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\fil\messages.json (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon16.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\popup.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\_locales\pt_BR\messages.json (593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon64.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\CRX_INSTALL\images\icon.gp.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies (1043 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\LOG (192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000003.log (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_3 (584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_2 (200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_1 (7112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons (4342 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor (5093 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies-journal (5308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\10.tmp (162124 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data-journal (13750 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\LOG (221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_bzErAGqsXYnpIzL (131 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\citrio_ext.crx (114298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\LOG (179 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\17.tmp (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000001 (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\18.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (305478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\First Run (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Visited Links (284 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\15.tmp (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_un2S1bucDLFPyFj (292 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\media_downloader.crx (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\download_all.crx (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\13.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000003.log (1447 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites-journal (12948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_2703\share_page.crx (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies (1043 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\19.tmp (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor-journal (11985 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_a5iDZNqB3HvkBEZ (286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies-journal (5308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1C.tmp (644 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_y2LoLvnnttwawLo (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_IYtZfL4RjyYddJy (286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\7.tmp (1478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\index (368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\16.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\README (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_kSEsv1UeGSodnIo (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\14.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_19237\10.tmp (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_0 (6092 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1A.tmp (999630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\proxy.crx (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Current Session (7167 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_qAfo2hnyMisAbxx (131 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\th\messages.json (823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\search.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\fil\messages.json (520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\background.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon16.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.inactive.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.interface.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\logo.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\uk\messages.json (862 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\pt_BR\messages.json (525 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\id\messages.json (481 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ru\messages.json (868 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\en\messages.json (489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\locale.js (684 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\css\template.css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\button.logo.png (60000 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\manifest.json (774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.ui.js (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ar\messages.json (821 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon.close.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\images\icon128.png (60000 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\js\DTA.popup.js (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_16901\CRX_INSTALL\_locales\ms\messages.json (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_empty.png (158 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_19.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_stats.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libcurl.dll (22840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\_bz2.pyd (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\manifest.json (988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\icon_16.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\citrio_ext.dll (34392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pyexpat.pyd (9496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\pywintypes34.dll (7784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtCore4.dll (152471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\ssleay32.dll (18768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\youtube-dl.exe (195990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\zlib1.dll (5224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcp100.dll (27336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\msvcr100.dll (49672 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\select.pyd (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_dv.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libeay32.dll (76989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_dv.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\base_library.zip (206432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32wnet.pyd (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\libtorrent.dll (129574 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\dlnlib.dll (38624 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\unicodedata.pyd (48768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\QtGui4.dll (541377 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\background.html (346 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\win32api.pyd (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\content_stats.js (605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\scripts\background_notification.js (694 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_31957\CRX_INSTALL\binaries\win\python34.dll (164484 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_detail.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\background.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\agent.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\th\messages.json (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\doT.min.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\popup.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\sandbox.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\new.js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ru\messages.json (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\logging.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\id\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\manifest.json (511 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\ar\messages.json (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\mochi.js (363 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\popup.html (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.js (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\base64.js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\style.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\sandbox.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\styles\mochi.css (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\jquery.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\model.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\uk\messages.json (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\_locales\en\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\profile_list.js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_5268\CRX_INSTALL\scripts\spine.local.js (619 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\disable.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\sprite.png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\style.css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-active.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\download-all-disable.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\open-icon.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\en\messages.json (981 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\popup.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\th\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\icon.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all-hover.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\theme.css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\background.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\id\messages.json (994 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\select-all.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\jquery-1.11.0.min.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\js.js (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\manifest.json (557 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\icons\active.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_3016_18933\CRX_INSTALL\skin\locale.js (244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bg.pak (1714 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\proxy.crx (1676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\d3dcompiler_47.dll (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-TW.pak (219 bytes)
    %Documents and Settings%\%current user%\Desktop\Facebook.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\he.pak (306 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\resources.pak (150724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ru.pak (1688 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\am.pak (1647 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\download_all.crx (1766 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ar.pak (1641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\citrio.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sl.pak (250 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ro.pak (268 bytes)
    %Documents and Settings%\%current user%\Desktop\YouTube.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-BR.pak (256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-US.pak (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libexif.dll (307 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sk.pak (274 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\chrome.VisualElementsManifest.xml (342 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_32.nexe (20507 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Citrio.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\external_extensions.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sw.pak (241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_200_percent.pak (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\smalllogo.png (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\metro_driver.dll (1796 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ja.pak (318 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\de.pak (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libglesv2.dll (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hu.pak (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ms.pak (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\50.0.2661.271.manifest (252 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\gu.pak (1805 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es-419.pak (264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\pepflashplayer.dll (124061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\50.0.2661.271\Installer\setup.exe (9098 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\VisualElements\logo.png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\tr.pak (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\id.pak (234 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_100_percent.pak (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\el.pak (1752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fr.pak (284 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\zh-CN.pak (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fil.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\widevinecdmadapter.dll (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_child.dll (321430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\icudtl.dat (75554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\cs.pak (268 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ml.pak (3743 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lt.pak (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fa.pak (1654 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl64.exe (12289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\es.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sv.pak (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_watcher.dll (1661 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\secondarytile.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\PepperFlash\version.json (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\nacl_irt_x86_64.nexe (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\natives_blob.bin (1711 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\citrio.7z (1358422 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\uk.pak (1698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\share_page.crx (65 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\delegate_execute.exe (3802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hi.pak (1820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\en-GB.pak (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\mr.pak (1812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\te.pak (1870 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\sr.pak (1681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\da.pak (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nb.pak (238 bytes)
    %Documents and Settings%\%current user%\Desktop\Citrio.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\fi.pak (247 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\et.pak (233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\it.pak (257 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\nl.pak (252 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio.dll (259439 bytes)
    %Documents and Settings%\%current user%\Desktop\Chrome Web Store.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\libegl.dll (78 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_100_percent.pak (6303 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\kn.pak (3680 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ca.pak (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_material_200_percent.pak (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\wow_helper.exe (70 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\snapshot_blob.bin (1802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\hr.pak (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\citrio_elf.dll (117 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ko.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pt-PT.pak (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\th.pak (1798 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\bn.pak (1839 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\media_downloader.crx (1670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\lv.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Extensions\citrio_ext.crx (110258 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\ta.pak (3691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\vi.pak (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source3544_25143\Citrio-bin\50.0.2661.271\Locales\pl.pak (261 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
