MD5: 22d04cfa9a631c79c1fe46d48b0ca133
SHA1: be3bcf7f2fb93ef53b600c45ca21f75e6890862c
SHA256: caaa93a53046f11216776c89145a7607582f2f433067cda6d6be7b4779211fa4
SSDeep: 768:k9MgJ84ffIvetr62rwf5RkjrF20Guv2noaa0H6gKH6sTnab84YCqzG:k9ML6Ivetr62rwfzkjrF20HMxmhTn/4d
Size: 44488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2010-10-29 18:42:26
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

sch.exe:3600
OberonParts.exe:2432
GameInstaller.exe:1768
Setup.exe:2368
SearchEngineProtection.exe:1920
ToolbarInstaller.exe:2224
occci.exe:2052
OberonDetectionApplication.exe:900
shp.exe:1472
GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe:656

The Trojan injects its code into the following process(es):

GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup.exe:3288
%original file name%.exe:3788

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process sch.exe:3600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (776 bytes)
C:\ProgramData\Oberon Media\Services\Search\search_{4F921428-6CC4-4EBB-85F9-C14BD59028BF}.ico (61 bytes)

The process GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup.exe:3288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\plugins\0\lng\Enu.lng (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\GameInstaller.exe (7404 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\main.pdb (1332 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\sch.exe (6147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\plugins\0\StdUI.dll (2406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\lng\Enu.lng (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\Search.ini (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\websearch.gif (609 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\plugins\1\CustomInstallationPlugIn.dll (10428 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\unpack.dll (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\Resume.exe (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\websearch.ico (1956 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\Localization.ini (5312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup.bmp (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\ToolbarInstaller.exe (6023 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\OberonDetectionApplication.exe (6587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\db.pdb (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup.rgn (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\shp.exe (6663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\Setup.exe (25068 bytes)

The process %original file name%.exe:3788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9E77.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar82FA.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8150.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9E76.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (3440 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab814F.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8190.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar81A0.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe.download (143673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9FDF.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9FE0.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab82F9.tmp (51 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9E77.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar82FA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8150.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9E76.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab814F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8190.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar81A0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9FDF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9FE0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab82F9.tmp (0 bytes)

The process GameInstaller.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab83A.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\application-84bd369d085a36bbce43d6012579bc7a[1].css (20444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar83B.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\yahoo-boss-searchbox-min[1].js (4133 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\error[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (1278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\iplay_logo-e371eaa8fd7cabbd48a0638aa3f03bce[1].png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\104[1] (377 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A8X63UZW.txt (119 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\application-ac31c55371b093e7460c6d3d86a6a344[1].js (105439 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\start_iplay_com[1].htm (46 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\prum.min[1].js (5895 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\error[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\logo-yahoo-94304d0053cbaea6ecff80bba88bf922[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017091420170915\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\yui-min[1].js (56847 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab83A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar83B.tmp (0 bytes)

The process Setup.exe:2368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GamesBar\GBUninstPopup.dll (10189 bytes)
C:\ProgramData\GamesBar\onload\close_over.gif (241 bytes)
C:\ProgramData\GamesBar\onload\noInternet.gif (420 bytes)
C:\ProgramData\GamesBar\onload\bottom.gif (51 bytes)
%Program Files%\GamesBar\Localization.ini (6 bytes)
C:\ProgramData\GamesBar\onload\right.gif (51 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GamesBar\Uninstall.lnk (1 bytes)
%Program Files%\GamesBar\Reg.lnk (712 bytes)
%Program Files%\GamesBar\Search.ini (2 bytes)
C:\ProgramData\GamesBar\onload\bottom-left.gif (63 bytes)
C:\ProgramData\GamesBar\onload\top-right.gif (225 bytes)
C:\ProgramData\GamesBar\onload\top-left.gif (226 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GamesBar\About GamesBar.lnk (1 bytes)
C:\ProgramData\GamesBar\onload\close.gif (241 bytes)
C:\ProgramData\GamesBar\onload\top.gif (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\occci.exe (21464 bytes)
C:\ProgramData\GamesBar\onload\no-internet.png (5 bytes)
%Program Files%\GamesBar\SearchEngineProtection.exe (15424 bytes)
C:\ProgramData\GamesBar\onload\bottom-right.gif (62 bytes)
C:\ProgramData\GamesBar\onload\no-internet.html (519 bytes)
%Program Files%\GamesBar\uninst.exe (1663 bytes)
C:\ProgramData\GamesBar\onload\loading.gif (1 bytes)
C:\ProgramData\GamesBar\onload\left.gif (51 bytes)
%Program Files%\GamesBar\GameInstaller.exe (7679 bytes)
%Program Files%\GamesBar\2.0.1.55\oberontb.dll (21081 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD73B.tmp (0 bytes)

The process SearchEngineProtection.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Oberon Media\Search\SearchEngineProtection\Search.ini (2 bytes)

The process ToolbarInstaller.exe:2224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\Setup.exe (49 bytes)

The process occci.exe:2052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Oberon Media\OberonBroker\1.0.0.76\OberonBroker.exe (4324 bytes)
%Program Files%\Common Files\Oberon Media\Odyssey\2.0.0.49\Odyssey.dll (3568 bytes)
%Program Files%\Common Files\Oberon Media\Parts\1.0.0.11\OberonParts.exe (9482 bytes)
%Program Files%\Common Files\Oberon Media\occcu.exe (4262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp\NSISpcre.dll (6549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp\Math.dll (2567 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp\NSISpcre.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA95.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp\Math.dll (0 bytes)

The process shp.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (388 bytes)

The process GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GamesBar\SearchEngineProtection.exe (569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup.exe (340 bytes)

Registry activity

The process sch.exe:3600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}]
"DisplayName" = "Web Search"
"FaviconPath" = "C:\ProgramData\Oberon Media\Services\Search\search_{4F921428-6CC4-4EBB-85F9-C14BD59028BF}.ico"
"URL" = "http://sendspace.start.iplay.com/searchresults.aspx?o=chrome&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{36377DD7-B3EB-42f5-986F-680BAF59BA9D}"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\User Preferences]

The process GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup.exe:3288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Oberon Media\Client\Components\TB_IE]
"Age" = "1505377046000"

[HKCU\Software\Oberon Media]
"fingerprint" = ""

[HKCU\Software\Oberon Media\Client\Components\CHROME_IE]
"Age" = "1505377046000"

[HKCU\Software\Oberon Media\Client\Components\SHP_FF]
"Age" = "1505377047000"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Oberon Media\Search]
"tb_ie"
"tb_ff"
"chrome_ie"
"chrome_ff"
"shp_ie"
"shp_ff"

The process OberonParts.exe:2432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{5B10DB17-D969-4065-9308-2FFCE2D5CA01}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{E14B4246-DAB3-4A18-BCEE-7560BF545FA9}\ProgID]
"(Default)" = "OberonParts.Component.1"

[HKCR\Interface\{CC9D9CB5-2AB9-4B49-86FE-DDE8176D687B}\TypeLib]
"(Default)" = "{514236F1-B1D3-47FF-BE00-8A1D658440F4}"

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}]
"AppID" = "{44BF361D-F12B-479A-9A5D-1D4504849A8F}"

[HKCR\CLSID\{E14B4246-DAB3-4A18-BCEE-7560BF545FA9}\LocalServer32]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Parts\1.0.0.11\OberonParts.exe"

[HKCR\OberonParts.Parts]
"(Default)" = "Parts Class"

[HKCR\CLSID\{E14B4246-DAB3-4A18-BCEE-7560BF545FA9}\VersionIndependentProgID]
"(Default)" = "OberonParts.Component"

[HKCR\Interface\{5B10DB17-D969-4065-9308-2FFCE2D5CA01}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\OberonParts.Component.1\CLSID]
"(Default)" = "{E14B4246-DAB3-4A18-BCEE-7560BF545FA9}"

[HKCR\Interface\{5B10DB17-D969-4065-9308-2FFCE2D5CA01}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{CC9D9CB5-2AB9-4B49-86FE-DDE8176D687B}]
"(Default)" = "IParts"

[HKCR\Interface\{CC9D9CB5-2AB9-4B49-86FE-DDE8176D687B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\OberonParts.BrowserComponents.1]
"(Default)" = "BrowserComponents Class"

[HKCR\OberonParts.Component.1]
"(Default)" = "Component Class"

[HKCR\CLSID\{E14B4246-DAB3-4A18-BCEE-7560BF545FA9}]
"(Default)" = "Component Class"

[HKCR\Interface\{CC9D9CB5-2AB9-4B49-86FE-DDE8176D687B}\TypeLib]
"Version" = "1.0"

[HKCR\OberonParts.Parts\CLSID]
"(Default)" = "{441732CC-63F1-4839-81D8-B8D05E01F745}"

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\OberonParts.Component]
"(Default)" = "Component Class"

[HKCR\TypeLib\{514236F1-B1D3-47FF-BE00-8A1D658440F4}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{514236F1-B1D3-47FF-BE00-8A1D658440F4}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}]
"(Default)" = "Parts Class"

[HKCR\OberonParts.Component\CurVer]
"(Default)" = "OberonParts.Component.1"

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}\LocalServer32]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Parts\1.0.0.11\OberonParts.exe"

[HKCR\Interface\{9C721D40-265D-4B1C-B453-C1D65FA64657}\TypeLib]
"(Default)" = "{514236F1-B1D3-47FF-BE00-8A1D658440F4}"

[HKCR\OberonParts.Component\CLSID]
"(Default)" = "{E14B4246-DAB3-4A18-BCEE-7560BF545FA9}"

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}\ProgID]
"(Default)" = "OberonParts.Parts.1"

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}\TypeLib]
"(Default)" = "{514236F1-B1D3-47FF-BE00-8A1D658440F4}"

[HKCR\CLSID\{5440D14A-272C-42BD-9D42-ED5FDEB96947}\ProgID]
"(Default)" = "OberonParts.BrowserComponents.1"

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}\VersionIndependentProgID]
"(Default)" = "OberonParts.Parts"

[HKCR\Interface\{9C721D40-265D-4B1C-B453-C1D65FA64657}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{E14B4246-DAB3-4A18-BCEE-7560BF545FA9}\TypeLib]
"(Default)" = "{514236F1-B1D3-47FF-BE00-8A1D658440F4}"

[HKCR\Interface\{9C721D40-265D-4B1C-B453-C1D65FA64657}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{5440D14A-272C-42BD-9D42-ED5FDEB96947}\VersionIndependentProgID]
"(Default)" = "OberonParts.BrowserComponents"

[HKCR\AppID\OberonParts.EXE]
"AppID" = "{44BF361D-F12B-479A-9A5D-1D4504849A8F}"

[HKCR\OberonParts.Parts.1\CLSID]
"(Default)" = "{441732CC-63F1-4839-81D8-B8D05E01F745}"

[HKCR\OberonParts.BrowserComponents\CLSID]
"(Default)" = "{5440D14A-272C-42BD-9D42-ED5FDEB96947}"

[HKCR\Interface\{9C721D40-265D-4B1C-B453-C1D65FA64657}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9C721D40-265D-4B1C-B453-C1D65FA64657}]
"(Default)" = "IBrowserComponents"

[HKCR\OberonParts.Parts\CurVer]
"(Default)" = "OberonParts.Parts.1"

[HKCR\CLSID\{441732CC-63F1-4839-81D8-B8D05E01F745}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{5440D14A-272C-42BD-9D42-ED5FDEB96947}\LocalServer32]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Parts\1.0.0.11\OberonParts.exe"

[HKCR\OberonParts.Parts.1]
"(Default)" = "Parts Class"

[HKCR\OberonParts.BrowserComponents\CurVer]
"(Default)" = "OberonParts.BrowserComponents.1"

[HKCR\Interface\{CC9D9CB5-2AB9-4B49-86FE-DDE8176D687B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5B10DB17-D969-4065-9308-2FFCE2D5CA01}\TypeLib]
"(Default)" = "{514236F1-B1D3-47FF-BE00-8A1D658440F4}"

[HKCR\TypeLib\{514236F1-B1D3-47FF-BE00-8A1D658440F4}\1.0]
"(Default)" = "OberonParts 1.0 Type Library"

[HKCR\CLSID\{5440D14A-272C-42BD-9D42-ED5FDEB96947}]
"(Default)" = "BrowserComponents Class"

[HKCR\OberonParts.BrowserComponents.1\CLSID]
"(Default)" = "{5440D14A-272C-42BD-9D42-ED5FDEB96947}"

[HKCR\Interface\{5B10DB17-D969-4065-9308-2FFCE2D5CA01}]
"(Default)" = "IComponent"

[HKCR\CLSID\{5440D14A-272C-42BD-9D42-ED5FDEB96947}\TypeLib]
"(Default)" = "{514236F1-B1D3-47FF-BE00-8A1D658440F4}"

[HKCR\OberonParts.BrowserComponents]
"(Default)" = "BrowserComponents Class"

[HKCR\AppID\{44BF361D-F12B-479A-9A5D-1D4504849A8F}]
"(Default)" = "OberonParts"

[HKCR\TypeLib\{514236F1-B1D3-47FF-BE00-8A1D658440F4}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Parts\1.0.0.11\OberonParts.exe"

The process %original file name%.exe:3788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 91 DE 06 25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process GameInstaller.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017091420170915]
"CacheRepair" = "0"
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017091420170915]
"CacheLimit" = "8192"
"CachePrefix" = ":2017091420170915:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\GameInstaller_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017091420170915]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017091420170915"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process Setup.exe:2368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\oberontb.BrowserApi\CLSID]
"(Default)" = "{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}"

[HKCR\oberontb.BrowserApi]
"(Default)" = "BrowserApi Class"

[HKCR\Oberontb.Band.1\CLSID]
"(Default)" = "{6F282B65-56BF-4BD1-A8B2-A4449A05863D}"

[HKCR\Interface\{DAA37AAD-F156-4C2C-AC48-3C22EF92AE2F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\GamesBar]
"Version" = "2.0.1.55"

[HKCR\Interface\{DAA37AAD-F156-4C2C-AC48-3C22EF92AE2F}]
"(Default)" = "IGamesBarBHO"

[HKCR\Interface\{DAA37AAD-F156-4C2C-AC48-3C22EF92AE2F}\TypeLib]
"(Default)" = "{AD76633E-E50D-4844-9E7F-4DFBC7C18467}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A93C934-025B-4c3a-B38E-9654A7003239}]
"Default Visible" = "Yes"

[HKCR\oberontb.GamesBarBHO.1\CLSID]
"(Default)" = "{CB0D163C-E9F4-4236-9496-0597E24B23A5}"

[HKCR\oberontb.BrowserApi.1]
"(Default)" = "BrowserApi Class"

[HKCR\TypeLib\{AD76633E-E50D-4844-9E7F-4DFBC7C18467}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\oberontb.BrowserApi.1\CLSID]
"(Default)" = "{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}"

[HKCU\Software\GamesBar]
"search_choices_check" = "0"

[HKCR\Oberontb.Band]
"(Default)" = "GamesBar"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamesBar]
"URLInfoAbout" = "http://www.oberon-media.com"

[HKCU\Software\GamesBar]
"TheHandler" = "1"

[HKCR\CLSID\{CB0D163C-E9F4-4236-9496-0597E24B23A5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\oberontb.GamesBarBHO]
"(Default)" = "GamesBarBHO Class"

[HKCR\Interface\{73129582-1D7A-4C50-A0D5-587ED7755199}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamesBar]
"DisplayIcon" = "%Program Files%\GamesBar\uninst.exe"

[HKCR\CLSID\{CB0D163C-E9F4-4236-9496-0597E24B23A5}\ProgID]
"(Default)" = "oberontb.GamesBarBHO.1"

[HKCU\Software\GamesBar]
"ConfigUpdateTimeStamp" = "0"

[HKCR\CLSID\{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}\TypeLib]
"(Default)" = "{AD76633E-E50D-4844-9E7F-4DFBC7C18467}"

[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}]
"(Default)" = "GamesBar"

[HKCR\CLSID\{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}\InprocServer32]
"(Default)" = "%Program Files%\GamesBar\2.0.1.55\oberontb.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamesBar]
"DisplayVersion" = "2.0.1.55"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A93C934-025B-4c3a-B38E-9654A7003239}]
"CLSID" = "{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"

[HKCR\CLSID\{CB0D163C-E9F4-4236-9496-0597E24B23A5}]
"(Default)" = "GamesBarBHO Class"

[HKCR\CLSID\{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}\ProgID]
"(Default)" = "oberontb.BrowserApi.1"

[HKCR\CLSID\{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}\VersionIndependentProgID]
"(Default)" = "oberontb.BrowserApi"

[HKCR\CLSID\{CB0D163C-E9F4-4236-9496-0597E24B23A5}\TypeLib]
"(Default)" = "{AD76633E-E50D-4844-9E7F-4DFBC7C18467}"

[HKCR\oberontb.BrowserApi\CurVer]
"(Default)" = "oberontb.BrowserApi.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A93C934-025B-4c3a-B38E-9654A7003239}]
"BandClsid" = "{6F282B65-56BF-4BD1-A8B2-A4449A05863D}"
"MenuStatusBar" = "GamesBar"
"MenuText" = "GamesBar"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamesBar]
"UninstallString" = "%Program Files%\GamesBar\uninst.exe"

[HKCR\Interface\{DAA37AAD-F156-4C2C-AC48-3C22EF92AE2F}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamesBar]
"Publisher" = "Oberon Media, Inc."

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6F282B65-56BF-4BD1-A8B2-A4449A05863D}" = "GamesBar"

[HKCR\oberontb.GamesBarBHO.1]
"(Default)" = "GamesBarBHO Class"

[HKCR\Oberontb.Band.1]
"(Default)" = "GamesBar"

[HKCR\CLSID\{CB0D163C-E9F4-4236-9496-0597E24B23A5}\InprocServer32]
"(Default)" = "%Program Files%\GamesBar\2.0.1.55\oberontb.dll"

[HKCR\Interface\{73129582-1D7A-4C50-A0D5-587ED7755199}]
"(Default)" = "IBrowserApi"

[HKCR\TypeLib\{AD76633E-E50D-4844-9E7F-4DFBC7C18467}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamesBar]
"DisplayName" = "GamesBar 2.0.1.55"

[HKCR\TypeLib\{AD76633E-E50D-4844-9E7F-4DFBC7C18467}\1.0\0\win32]
"(Default)" = "%Program Files%\GamesBar\2.0.1.55\oberontb.dll"

[HKCR\Oberontb.Band\CurVer]
"(Default)" = "Oberontb.Band.1"

[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\TypeLib]
"(Default)" = "{AD76633E-E50D-4844-9E7F-4DFBC7C18467}"

[HKCR\CLSID\{85790A84-D74D-49B3-B3F5-0B1FF7B11F9C}]
"(Default)" = "BrowserApi Class"

[HKCR\TypeLib\{AD76633E-E50D-4844-9E7F-4DFBC7C18467}\1.0]
"(Default)" = "oberontb 1.0 Type Library"

[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\InprocServer32]
"(Default)" = "%Program Files%\GamesBar\2.0.1.55\oberontb.dll"

[HKCR\Interface\{DAA37AAD-F156-4C2C-AC48-3C22EF92AE2F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{73129582-1D7A-4C50-A0D5-587ED7755199}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{73129582-1D7A-4C50-A0D5-587ED7755199}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A93C934-025B-4c3a-B38E-9654A7003239}]
"(Default)" = "GamesBar"

[HKCR\CLSID\{CB0D163C-E9F4-4236-9496-0597E24B23A5}\VersionIndependentProgID]
"(Default)" = "oberontb.GamesBarBHO"

[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\oberontb.GamesBarBHO\CurVer]
"(Default)" = "oberontb.GamesBarBHO.1"

[HKLM\SOFTWARE\GamesBar]
"ConfigFile" = "http://www.mygamesbar.com/config/iplay/sendspace/config.xm_"

[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\ProgID]
"(Default)" = "Oberontb.Band.1"

[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\VersionIndependentProgID]
"(Default)" = "Oberontb.Band"

[HKCR\Oberontb.Band\CLSID]
"(Default)" = "{6F282B65-56BF-4BD1-A8B2-A4449A05863D}"

[HKCR\oberontb.GamesBarBHO\CLSID]
"(Default)" = "{CB0D163C-E9F4-4236-9496-0597E24B23A5}"

[HKCR\Interface\{73129582-1D7A-4C50-A0D5-587ED7755199}\TypeLib]
"(Default)" = "{AD76633E-E50D-4844-9E7F-4DFBC7C18467}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\ProgID]
[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\TypeLib]
[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\VersionIndependentProgID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A93C934-025B-4c3a-B38E-9654A7003239}]
[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCR\CLSID\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}\Programmable]

The process SearchEngineProtection.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchEngineProtection" = "%Program Files%\Gamesbar\SearchEngineProtection.exe"

The process ToolbarInstaller.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\GamesBar]
"ParentChannelName" = "iplay"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\GamesBar]
"AffiliateName" = "sendspace"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process occci.exe:2052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp\NSISpcre.dll,"

[HKCR\Interface\{3F4FB6A5-E12D-4540-88A1-94D8D1F843DC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A6E2003F-95C5-4591-BA9A-0093080FDB5C}]
"AppName" = "OberonBroker.exe"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}]
"AppID" = "{5F8FD45A-D58C-4AAD-8EDE-B9B78F02B959}"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\ToolboxBitmap32]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Odyssey\2.0.0.49\Odyssey.dll, 102"

[HKCR\Interface\{FD08847E-4478-4AD7-B757-1B0F001C936B}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{D45A9CD2-22CB-419F-87CF-94DCB7CA583F}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Odyssey\2.0.0.49\"

[HKCR\Odyssey.OdysseyActiveX.1]
"(Default)" = "OdysseyActiveX Class"

[HKCR\TypeLib\{D45A9CD2-22CB-419F-87CF-94DCB7CA583F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\ProgID]
"(Default)" = "Odyssey.OdysseyActiveX.2"

[HKCR\Interface\{3F4FB6A5-E12D-4540-88A1-94D8D1F843DC}\TypeLib]
"(Default)" = "{D45A9CD2-22CB-419F-87CF-94DCB7CA583F}"

[HKCU\Software\Oberon Media\InstalledComponents\GamesBar]
"(Default)" = ""

[HKCR\Odyssey.OdysseyActiveX]
"(Default)" = "OdysseyActiveX Class"

[HKCR\AppID\{5F8FD45A-D58C-4AAD-8EDE-B9B78F02B959}]
"(Default)" = "Odyssey"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\MiscStatus\1]
"(Default)" = "132497"

[HKCR\TypeLib\{D45A9CD2-22CB-419F-87CF-94DCB7CA583F}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Odyssey\2.0.0.49\Odyssey.dll"

[HKCR\Odyssey.OdysseyActiveX.2\CLSID]
"(Default)" = "{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}"

[HKCR\Interface\{FD08847E-4478-4AD7-B757-1B0F001C936B}\TypeLib]
"(Default)" = "{D45A9CD2-22CB-419F-87CF-94DCB7CA583F}"

[HKCR\Interface\{3F4FB6A5-E12D-4540-88A1-94D8D1F843DC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A6E2003F-95C5-4591-BA9A-0093080FDB5C}]
"Policy" = "3"

[HKLM\SOFTWARE\Oberon Media\InstalledComponents\GamesBar]
"(Default)" = ""

[HKCR\Interface\{3F4FB6A5-E12D-4540-88A1-94D8D1F843DC}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{D45A9CD2-22CB-419F-87CF-94DCB7CA583F}\1.0]
"(Default)" = "Odyssey 1.0 Type Library"

[HKCR\Odyssey.OdysseyActiveX.1\CLSID]
"(Default)" = "{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}]
"(Default)" = "OdysseyActiveX Class"

[HKCR\Odyssey.OdysseyActiveX.2]
"(Default)" = "OdysseyActiveX Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A6E2003F-95C5-4591-BA9A-0093080FDB5C}]
"AppPath" = "%Program Files%\Common Files\Oberon Media\OberonBroker\1.0.0.76\"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\VersionIndependentProgID]
"(Default)" = "Odyssey.OdysseyActiveX"

[HKCR\Interface\{FD08847E-4478-4AD7-B757-1B0F001C936B}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Odyssey.OdysseyActiveX\CurVer]
"(Default)" = "Odyssey.OdysseyActiveX.2"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{FD08847E-4478-4AD7-B757-1B0F001C936B}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\Oberon Media\Odyssey\2.0.0.49\Odyssey.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{803E07A7-F4C1-4b55-81C0-21D9F6D75F49}]
"Policy" = "3"

[HKCR\CLSID\{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}\TypeLib]
"(Default)" = "{D45A9CD2-22CB-419F-87CF-94DCB7CA583F}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{803E07A7-F4C1-4b55-81C0-21D9F6D75F49}]
"AppName" = "OberonParts.exe"

[HKCR\Odyssey.OdysseyActiveX\CLSID]
"(Default)" = "{3E8FD258-0359-4476-AAF4-7C5F65E9B46E}"

[HKCR\Interface\{FD08847E-4478-4AD7-B757-1B0F001C936B}]
"(Default)" = "_IOdysseyActiveXEvents"

[HKCR\AppID\Odyssey.DLL]
"AppID" = "{5F8FD45A-D58C-4AAD-8EDE-B9B78F02B959}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{803E07A7-F4C1-4b55-81C0-21D9F6D75F49}]
"AppPath" = "%Program Files%\Common Files\Oberon Media\Parts\1.0.0.11\"

[HKCR\Interface\{3F4FB6A5-E12D-4540-88A1-94D8D1F843DC}]
"(Default)" = "IOdysseyActiveX"

The process OberonDetectionApplication.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Oberon Media\Search]
"shp_ff" = "new install"
"tb_ff" = "not in suite"
"chrome_ie" = "new install"
"chrome_ff" = "selected in black list"
"shp_ie" = "new install"
"hp" = "1"
"tb" = "1"
"CH" = "1"
"tb_ie" = " new install"

The process shp.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://sendspace.start.iplay.com/?o=shp"

The process GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\nqz\NccQngn\Ybpny\Grzc]
"TnzrfOne-Fvyrag.efraqfcnpr-qyz.nfraqfcnpr.qy Frghc.rkr" = "00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count]
"HRZR_PGYFRFFVBA" = "00 00 00 00 99 00 00 00 03 02 00 00 4F 1B 7E 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.sendspace.com/pro/dl/eza4sc	69.31.136.5
hxxp://fs05n4.sendspace.com/dllp/4e746bbd9b184e373b1e79f79c0e174e/4d21f412/000000/cifodc/10-1719-A2.1.zip	69.31.136.25
hxxp://fg.download.windowsupdate.com.c.footprint.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://searchhomepage-ecs-elb-700903852.us-east-1.elb.amazonaws.com/gamesbar/installationReports.aspx?version=2.0.0.84&events=initialization,progress,complete&sku=119016780&sg=5&installmode=Custom&components=chrome_ff,new install,selected;chrome_ie,new install,selected;shp_ff,new install,selected;shp_ie,new install,selected;tb_ff,not in suite,no;tb_ie, new install,selected;&a=sendspace&r=sendspace-dlm&u=
hxxp://gs1.wpc.v1cdn.net/
hxxp://gs1.wpc.v1cdn.net/assets/application-84bd369d085a36bbce43d6012579bc7a.css
hxxp://gs1.wpc.v1cdn.net/assets/application-ac31c55371b093e7460c6d3d86a6a344.js
hxxp://gs1.wpc.v1cdn.net/assets/iplay_en/static/iplay_logo-e371eaa8fd7cabbd48a0638aa3f03bce.png
hxxp://gs1.wpc.v1cdn.net/assets/iplay_en/static/logo-yahoo-94304d0053cbaea6ecff80bba88bf922.png
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8=
hxxp://rum-static.pingdom.net/prum.min.js	104.20.21.239
hxxp://s.gycs.b.yahoodns.net/3.10.0/build/yui/yui-min.js
hxxp://sendspace.start.iplay.com/gamesbar/installationReports.aspx?version=2.0.0.84&events=initialization,progress,complete&sku=119016780&sg=5&installmode=Custom&components=chrome_ff,new install,selected;chrome_ie,new install,selected;shp_ff,new install,selected;shp_ie,new install,selected;tb_ff,not in suite,no;tb_ie, new install,selected;&a=sendspace&r=sendspace-dlm&u=	34.206.150.40
hxxp://yui.yahooapis.com/3.10.0/build/yui/yui-min.js	87.248.118.23
hxxp://start.iplay.com/assets/application-84bd369d085a36bbce43d6012579bc7a.css	93.184.221.131
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8=	93.184.220.29
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	8.253.208.120
hxxp://start.iplay.com/assets/iplay_en/static/iplay_logo-e371eaa8fd7cabbd48a0638aa3f03bce.png	93.184.221.131
hxxp://start.iplay.com/	93.184.221.131
hxxp://start.iplay.com/assets/iplay_en/static/logo-yahoo-94304d0053cbaea6ecff80bba88bf922.png	93.184.221.131
hxxp://start.iplay.com/assets/application-ac31c55371b093e7460c6d3d86a6a344.js	93.184.221.131
fs09n1.sendspace.com	69.31.136.41
s.yimg.com	87.248.118.23
fs09n3.sendspace.com	69.31.136.41
teredo.ipv6.microsoft.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /3.10.0/build/yui/yui-min.js HTTP/1.1

Accept: */*

Referer: hXXp://start.iplay.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: yui.yahooapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public,max-age=567648000

Content-Encoding: gzip

Content-Type: application/javascript; charset=utf-8

Date: Mon, 11 Sep 2017 00:45:09 GMT

Etag: "YM:1:9f8f9094-28f7-48b4-a5d3-6eb1586243ed0004db0cac9d93d9-gzip"

Expires: Sat, 05 Sep 2026 00:00:00 GMT

Last-Modified: Tue, 23 Apr 2013 20:03:08 GMT

Server: ATS

Vary: Accept-Encoding

Via: HTTP/1.1 web22.use45.mobstor.bf1.yahoo.com UserFiberFramework/1.0, http/1.1 e2.ycpi.deb.yahoo.com (ApacheTrafficServer [cHs f ])

x-ysws-request-id: 8ef1d550-f623-412f-a102-a4b92987009d

x-ysws-visited-replicas: gops.use45.mobstor.vip.bf1.yahoo.com

Age: 286350

Content-Length: 25601

Connection: keep-alive
...........}{s.F.....$...D $.....0.v..g.8.9...8*.l..I...$qD~..;..h.T..
..{..u..~?N.>....g_>..O.z/.........j.K._L.....-6.2[,............
......z..q...B..N..g.eS.K1...L..j)zo.........6.....d.eZn.i.>[...g_.
={Vm7...0.~.Q3.,.3...GRt.?.......B....UV.~.HI"9...Zf2...\.k.W2,.<Z.
|Q-...".*x,EU.yO...h......e..e.EJ/.e..S.R..e...fZ..l..e.1..*....*.....
..G....t.....TQ....*.w..Pv.. ,w;4)1....q.....4..~.<.......P......XL
.aSy.g_Ef...I.V....lX...B...."....%.....&......!......<.].@a...R...
z......0M^.e..6eQ...H.........aV.(..../B......IW?...;,...|..%......}..
......d5R.q^.V...i4 ..;*m.,ON.6.r%.......&..R).O.".K0.u...|.V"........
~.B.0..T.u.lvI#.....E9:L.U.X...t...N....;E.`.n.t....J...D...*..Gst..iZ
M.~.5. ).....P..;.[w.../..H..."..Y.?.M......S...d.....BQ/.E{..-L..'...
P1Q.A....nS.......bf.......|..Q...R.(.4...t..Q._...q .fi..p).QgTl<A
.z..... .s.."......z;......e...q......~iA../..2.A`.../f....Xo..TwKa..0
.......`....*..6....c..|.T..._%...N..q.|?...@9f.....)I...0........_.:;
$.a ...G/x.u..|....%......c.$b....3R2.........JH.p.-...HP.2JW.p@..p.g.
........_M.J..avr.'..;.F.>.d..*Yw@..%K...@..R)......aJ......~f$.].K
.2.....6!B. ^7 ...U3A0LON.H3..j..p.z<w..pA.L..b...H.]S...M.et'J..IN
,._..RV.H...=.=/.."...T@..j..aH...*.&.*Yzak..XY.V......Nv.C<.....cP
e=d.S/q.Ngy.......=`Y7..!>.oj.1T.F.W.Yg....o..........Mp.....W.7?^.
g.(......'./O./}........z......Qfp}...........Y....zA..O.,....o0...j..
..k.....0.t.).H.......zK..P.v.... Pfs.....F.....q...U...y..C...<[a.
......#q.b.it1.6....8.(.."_.S.f.1]...=9-.M.....(w.a.Bl.0...g..z...
<<< skipped >>>

GET /gamesbar/installationReports.aspx?version=2.0.0.84&events=initialization,progress,complete&sku=119016780&sg=5&installmode=Custom&components=chrome_ff,new install,selected;chrome_ie,new install,selected;shp_ff,new install,selected;shp_ie,new install,selected;tb_ff,not in suite,no;tb_ie, new install,selected;&a=sendspace&r=sendspace-dlm&u= HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: sendspace.start.iplay.com

Connection: Keep-Alive

HTTP/1.1 301 hXXp://start.iplay.com/

Accept-Ranges: bytes

Age: 0

Date: Thu, 14 Sep 2017 08:17:30 GMT

Location: hXXp://start.iplay.com/

Via: 1.1 varnish

Content-Length: 0

Connection: keep-alive
HTTP/1.1 301 hXXp://start.iplay.com/..Accept-Ranges: bytes..Age: 0..Da
te: Thu, 14 Sep 2017 08:17:30 GMT..Location: hXXp://start.iplay.com/..
Via: 1.1 varnish..Content-Length: 0..Connection: keep-alive..

HEAD /pro/dl/eza4sc HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: Duckling/1.0

Host: VVV.sendspace.com

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Thu, 14 Sep 2017 08:17:03 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

Keep-Alive: timeout=20

Set-Cookie: SID=m59ehbs6074ohs2f304ktg1eg0; path=/; domain=.sendspace.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Location: hXXps://fs09n3.sendspace.com/dlpro/ea4048830c689a22c2f7309a374ee582/59ba3aff/eza4sc/GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe
HTTP/1.1 301 Moved Permanently..Server: nginx..Date: Thu, 14 Sep 2017 
08:17:03 GMT..Content-Type: text/html; charset=UTF-8..Connection: keep
-alive..Keep-Alive: timeout=20..Set-Cookie: SID=m59ehbs6074ohs2f304ktg
1eg0; path=/; domain=.sendspace.com..Expires: Thu, 19 Nov 1981 08:52:0
0 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=
0, pre-check=0..Pragma: no-cache..Location: hXXps://fs09n3.sendspace.c
om/dlpro/ea4048830c689a22c2f7309a374ee582/59ba3aff/eza4sc/GamesBar-Sil
ent.rsendspace-dlm.asendspace.dl.exe......


GET /pro/dl/eza4sc HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: Duckling/1.0

Host: VVV.sendspace.com

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Thu, 14 Sep 2017 08:17:12 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=20

Set-Cookie: SID=esj5hmonm6djsd9rcnvon01k47; path=/; domain=.sendspace.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Location: hXXps://fs09n1.sendspace.com/dlpro/b76e8a1b66a123863a27be584b8688f4/59ba3b08/eza4sc/GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe
0..HTTP/1.1 301 Moved Permanently..Server: nginx..Date: Thu, 14 Sep 20
17 08:17:12 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Enco
ding: chunked..Connection: keep-alive..Keep-Alive: timeout=20..Set-Coo
kie: SID=esj5hmonm6djsd9rcnvon01k47; path=/; domain=.sendspace.com..Ex
pires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cach
e, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Locat
ion: hXXps://fs09n1.sendspace.com/dlpro/b76e8a1b66a123863a27be584b8688
f4/59ba3b08/eza4sc/GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe..0
..

GET /assets/application-ac31c55371b093e7460c6d3d86a6a344.js HTTP/1.1

Accept: */*

Referer: hXXp://start.iplay.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: start.iplay.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Cache-Control: public, max-age=86400

Content-Type: application/javascript

Date: Thu, 14 Sep 2017 08:17:31 GMT

Expires: Mon, 11 Sep 2017 18:11:07 GMT

Last-Modified: Mon, 04 Sep 2017 07:24:19 GMT

Server: ECAcc (vie/443D)

Status: 304 Not Modified

Vary: Accept-Encoding

Via: 1.1 varnish

X-Cache: HIT

Content-Length: 54014
.......Y....}w.F.'..~.....f...d..h...e..'...I2...................n4@..
...y.lN,.......^'.{...../..$..._.....H..........h8..Q......./...p._..S
..:..6..<z....*..R:.K~.K.~.,_....Uu.....E.G..>..7."..<S.xx.g.
...J..y.UEz....[..Y%q.,...zMe......*.'Y..w9/.O..x.<......~18.......
G..W'..D...<.....G7....GG.wG.k.W...u.....=>zw.VUR......jz..u{{;.
...*q.V......o...<...~&ez...h.b...#j..(^.x...&9J3......{I..^Rw.<
.t./7....W*......d^yQT...|yt./6......a.a..U9i.F.p..7.IVM...w..uC.=....
..U...e.........k_$.n...)..e.*#.<2_z..H.M..Q ......Y].4?^.tW...OX].
.j....q.o..(.Q.....RY.WC.D.t.....$..[*...s.Th...#zQ..|.../...I.4......
7...l.^...H.znQ.....F..;....U.. ...."..=....H.T..a....^/...N.LUA.:...T
]b....L5G..^....H.Kg... ......[..&....F2N...`.{Z.....J^...T.R.T..J _E.
4..o............ g....>T.j....u...P..^...^T.v;..SM..L.Y.;..*.k-..~]
............,)&>=,.k........7....Y./..U.z.@.(..B.H...ERQW....Y.....
".7........V)]K.LeL..;zN.....x.;...f_..*...........>....C.me...M...
.;2Z..6.uI#...x....i......R......U.*.M.gt.....Up.TO 9..?....R.Uqw.E^Ul
...o.e.*..(...Z....~....../4.g......2......}..../yp..w.........H.l.?.'
fc.q.$.(.=.a.<....Dz..^\......}@}@S.U9z......4<...v..!.....|....
..@...B......(.U...ZE1.>...VjC......s|\b)6.......t...O..!.~...Y.^.L
..l.[.T..y...~...r.......*.R......^....i..Mi....pk|^?.j..W.#&._p..XB..
.;~F..UD\......^.>.k..T=t..b.3x...~.`.e...L.<*h...0.r......*..*.
...h.!...*Zgwa..p.6..jZC.,.....4.q.........##...X..'.$..L.3.!..u......
...>..4...3....*...'.r.J...y..9...8..q>...E..u.N.i>.1...6
<<< skipped >>>

GET /assets/iplay_en/static/logo-yahoo-94304d0053cbaea6ecff80bba88bf922.png HTTP/1.1

Accept: */*

Referer: hXXp://start.iplay.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: start.iplay.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=86400

Content-Type: image/png

Date: Thu, 14 Sep 2017 08:17:31 GMT

Expires: Wed, 13 Sep 2017 11:07:59 GMT

Last-Modified: Mon, 04 Sep 2017 07:24:19 GMT

Server: ECAcc (vie/F28D)

Status: 304 Not Modified

Via: 1.1 varnish

X-Cache: HIT

Content-Length: 1670
.PNG........IHDR...}.........f.pP....sRGB.........gAMA......a.....PLTE
\\\h..~(..M..o........................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
B.....pHYs..........o.d....tEXtSoftware.Paint.NET v3.5.6...Z....IDATHK
.T.Nc1..};.....'.. .EEHk.K.k.;1...\.........=F..G..{:......g.(........
uX....Gt..v.........C..z.ziWK^......)...]._n...o.3k.u......o-....-d...
....a>)s....g.......E.R..............9.|.8....u.:......."..B.!..`].
.....r.....)kb?..-5~5..~......f.ric..B<....|92k.8.c....*.<....7.
./..sf4.Y...y1..:.^c.g.EO&.. .'fw.,2....z=u0....e.`X0..E7.]...1.8.1)..
.X......D428..W.C..U.S......{..,0.=..VH.>.X/...r.Y.h...`..\.A.....v
..#.G.....>...i6...P......qw............h..v....0P9........}....`..
.........m.(2.2.y.....X"w.)r.B.....Z......Q^.V......EFq...NGj......@%.
..q........C.....r....7.5?%#-.../..V.......(}v.g..m...mj}....N..1.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= HTTP/1.1

Cache-Control: max-age = 511667

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 04:57:34 GMT

If-None-Match: "57ff143e-1d7"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.digicert.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=172800

Content-Type: application/ocsp-response

Date: Thu, 14 Sep 2017 08:17:39 GMT

Etag: "59ba0aa2-1d7"

Expires: Wed, 20 Sep 2017 20:17:39 GMT

Last-Modified: Thu, 14 Sep 2017 04:50:42 GMT

Server: ECS (vie/F2D5)

X-Cache: HIT

Content-Length: 471
0..........0..... .....0......0...0.......>.i...G...&....cd ...2017
0913220000Z0s0q0I0... ............(..A...B..G@B.X....>.i...G...&...
.cd ........\..m. B.]......20170913220000Z....20170920220000Z0...*.H..
..................(Y>.q..Q.w....w.3..{..];.... Z..X....,..yv...C..Y
.wx.a...70.Z..A...O>x..O...... ....v.v`[.P.b..{^......G...u...=J.;.
.n..U.......j.....:J...o.T.... ..h..y....X3.T..qw...~........ .n..K...
9..Ze4.T..e..pwqS.:..B..kX.jHm:D...1#.....?...h..,.{.S...ii3...HTTP/1.
1 200 OK..Accept-Ranges: bytes..Cache-Control: public, max-age=172800.
.Content-Type: application/ocsp-response..Date: Thu, 14 Sep 2017 08:17
:39 GMT..Etag: "59ba0aa2-1d7"..Expires: Wed, 20 Sep 2017 20:17:39 GMT.
.Last-Modified: Thu, 14 Sep 2017 04:50:42 GMT..Server: ECS (vie/F2D5).
.X-Cache: HIT..Content-Length: 471..0..........0..... .....0......0...
0.......>.i...G...&....cd ...20170913220000Z0s0q0I0... ............
(..A...B..G@B.X....>.i...G...&....cd ........\..m. B.]......2017091
3220000Z....20170920220000Z0...*.H....................(Y>.q..Q.w...
.w.3..{..];.... Z..X....,..yv...C..Y.wx.a...70.Z..A...O>x..O...... 
....v.v`[.P.b..{^......G...u...=J.;..n..U.......j.....:J...o.T.... ..h
..y....X3.T..qw...~........ .n..K...9..Ze4.T..e..pwqS.:..B..kX.jHm:D..
.1#.....?...h..,.{.S...ii3.....
<<< skipped >>>

HEAD /dllp/4e746bbd9b184e373b1e79f79c0e174e/4d21f412/000000/cifodc/10-1719-A2.1.zip HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: Duckling/1.0

Host: fs05n4.sendspace.com

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Thu, 14 Sep 2017 08:17:03 GMT

Content-Type: text/html; charset=UTF-8

Connection: close

Set-Cookie: SID=npqie1qfn1vtoee39d02gnu7h6; path=/; domain=.sendspace.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Location: hXXps://VVV.sendspace.com/file/cifodc?e=2

GET / HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: start.iplay.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Cache-Control: public, max-age=86400

Content-Type: text/html; charset=utf-8

Date: Thu, 14 Sep 2017 08:17:31 GMT

Expires: Fri, 15 Sep 2017 08:17:31 GMT

Last-Modified: Thu, 14 Sep 2017 05:27:02 GMT

Server: ECAcc (vie/44AA)

Status: 200 OK

Vary: Accept-Encoding

Via: 1.1 varnish

X-Cache: HIT

X-UA-Compatible: IE=Edge,chrome=1

Content-Length: 1211
....&..Y...Vmo.6..._..E...(G._.....C.. ..E?..I..$R#i.B....$ .K.m.bI..;
....8{t....O.^.. ...l{../N.\3'].....V.7Z..0.(.t'.a..i..l!.E.@.`-......
i..r.`#.[..XK&p...I%..9...b>...5.K.'Z....B....Z..d.I..d..x4......$a
b..Q4...O.6.!.6@........2"...U..K!`].*a.N|q.....eF..Y....,....x<H.i
,..Q.F<.....x8.?......66...4O..Rz..."..;FR.t...t.'1./...h.NX4.S.[..
h...P. ..;[9.?..E.4.d.xXHf......cq/. ..BlX."...H...)....Rk.hk...!._p!.
.....4.4K4.....q.(6.......{.jSam.v...R..|-...r.|;.EyUG.%..I.\'......2a
k.:..!M..'.D!..I.. ..>.X...d..c......s.8.0n#a9.6.|.S..u.d.nI.....id
..E4.....k.l6a.._....G4..So...l.[.0...R  ."........X@..J').3.$|8..(.P.
.Q..(,U.SbFh.L..~`..{a.|5..].l....C.P.[..#.>.4.....O.'.<[..w.u..
.C7C.7$.E...t\{.p..?!5..x:..!....%T..`i:...N&I:........q.R.....{.W....
a...o...=........6.0(.].7U..j. .......Ofbe..T.......^).eX..?6|`.w...!.
..(...Vl......B.*}......u....5s;...u4..=PdW..AntY..-.[...&.. .a.......
....H......2.\..h.c..D..T?2......d.@..U..$....0.4rMY.K.=....%X.k..j...
...*.UF.Pw..SX.S...=......Gv....!..t..I....u..B._;.g..@.....:{..|g..0)
..{.|....5....v.Sh...........!....=.Qm.....;.v..}};}9....z.W....M...d~
J(...........g^"..[J...f..!xN..p.TP.s.C^PP..D..L..C[....GT..>.!..3R
.zr.<....y.K.4L5[.sX..9....=..........Z.......
<<< skipped >>>

GET /assets/application-84bd369d085a36bbce43d6012579bc7a.css HTTP/1.1

Accept: */*

Referer: hXXp://start.iplay.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: start.iplay.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Accept-Ranges: bytes

Cache-Control: public, max-age=86400

Content-Type: text/css

Date: Thu, 14 Sep 2017 08:17:31 GMT

Expires: Fri, 08 Sep 2017 11:10:38 GMT

Last-Modified: Mon, 04 Sep 2017 07:24:19 GMT

Server: ECAcc (vie/F299)

Status: 304 Not Modified

Vary: Accept-Encoding

Via: 1.1 varnish

X-Cache: HIT

Content-Length: 7985
...........]...8.._O..`0IG..~E.3..v....d..,.eMd.#.UI....;..#R.....N.&l
t;...B~.D.!i."-.8i.,...K.....S.\.....k......&>.IF.<5.........9n.
.1...9i...................u.&.s.....Z..UYT....Uu..cZW]S...w....|....S.
....."...S..g...&....;..#Q4:&....k....yS...s;../..-~.GI..k............
.z....:.z#.}**...vH...&U...R.%i......N....v....TTQVw].1jB..L..;..y....
....6`7..{Y.x......ph>vEW..n..!........^..j.qK,Y=q}/.~.....X.j..e. 
..,RZ{s....../..E....!..E..b.......o...>......L(GZ...|.....69_.O...
&vL.8......c.>........c.....&....o...xmw...M..=F.......w.HX.sR.....
..Jlv.....O{......-h.........x.dSR......!is*..]n]}..&.%k<..&\E.f..8
?.72...O,.v.I.w7. ..~...'.<7a$.......jh..uYd..tB.U.E....%.2...x..!5
^...5oP.?.U....iP]I.........%..b.0$....Eu"....h..VCU7h..n.{4.........0
.\.<4.#..c........?.......2..sA.o2...%OH5$...}zmZ.... 1..J?.a'9.y..
V..oB,........6=..g.<v..2.>..V..R............5..../...}...b...x.
(..)G..!.,O.&......=...c#...*2S.*.r<.U..TK.]m.5.c.K] .]2.....w..^..
.$....gE.]..;._x...$#..^D.Q./u.%d...$,.'...:.W..%d.y....g.rm....7|....
.&?~.%G..7...c..1J..yK....w..WO@..........._...iS\............y...6.#c
.v.%.}"p.x.3q5E5.....T.u..(...8..f...e!.C..~..zN..^..;...4._.h$..Yz...
.....4.O.[.\N.u...h._.....@....N1..s...wL`.!i,...Y/.......3.q.j;t..qJ.
...YS_....L.=.....DE........E.z....}....t"v.2..,..E......9.4r....2..a.
.(../....u..x..er....V..M..y:$o'q$.{'.&.C..'/.s:.E....c....m..........
.p>.....r=]..r....=...G...1....e.l.,..YTE.uH..=(....8.HZ....b.rd.@.
.....^..$d.H.I7.....O...sT...7.F.<q.fM.g..JZ...G.e\j2.<.....
<<< skipped >>>

GET /assets/iplay_en/static/iplay_logo-e371eaa8fd7cabbd48a0638aa3f03bce.png HTTP/1.1

Accept: */*

Referer: hXXp://start.iplay.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: start.iplay.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=86400

Content-Type: image/png

Date: Thu, 14 Sep 2017 08:17:31 GMT

Expires: Wed, 13 Sep 2017 11:07:59 GMT

Last-Modified: Mon, 04 Sep 2017 07:24:19 GMT

Server: ECAcc (vie/4430)

Status: 304 Not Modified

Via: 1.1 varnish

X-Cache: HIT

Content-Length: 4400
GIF89a,.K........ $l.J....X[........2...^."..........tv..........o<
....<?.JM.fi.........W.....?Tz.o/.....w............u.U-............
........s.......................~.a...I............-0...;............U
S........"r1>..#.{...$.......t=.)#...y."e................#.,0.qE...
.....lO...xa...g.".........`.H...=.C..{.EH..v........$%.@...... ......
.........QT............h#0....c`....b].....#....]d....HG......q.^.....
..........s.U[..........k....o0.81....zk..............sZ.G.a>x.....
.c^........[....... #|@KB.D.......Rp..?...............................
......................................................................
......................................................................
......................................................................
.......................!..XMP DataXMP<?xpacket begin="..." id="W5M0
MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xm
ptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00        "&g
t; <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"
> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com
/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceR
ef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID
="xmp.did:D87001F351BAE111B04589088CB38384" xmpMM:DocumentID="xmp.did:
4DA582A4BECB11E1BE8D8C32C2F0B909" xmpMM:InstanceID="xmp.iid:4DA582A3BE
CB11E1BE8D8C32C2F0B909" xmp:CreatorTool="Adobe Photoshop CS5 Windows"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:BF7C9D3CB3BCE1
<<< skipped >>>

GET /prum.min.js HTTP/1.1

Accept: */*

Referer: hXXp://start.iplay.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: rum-static.pingdom.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 14 Sep 2017 08:17:39 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d10fb13c95e6b433e7d4f88adf15567531505377059; expires=Fri, 14-Sep-18 08:17:39 GMT; path=/; domain=.pingdom.net; HttpOnly

Last-Modified: Mon, 31 Jul 2017 13:39:22 GMT

ETag: W/"597f330a-260f"

Expires: Fri, 15 Sep 2017 08:17:39 GMT

Cache-Control: public, max-age=86400

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 39e1e93e57548243-KBP

Content-Encoding: gzip
b3c.............Z.s.(..W<|p..FI.y /.u..].*..[..}p...@6..<.......
.....}..mu7M.t.hZ.c9....._..7.....:y:......|C...q.....TLp...W...X....l
.8"".... ...L.`'....f.......P..-.h.?..?P.....g.'@q".g............p.`..
..8.B.|p.\.k!.....3...'f..<...-$^S.v-.Y..5}.....A...{.z...X...p..R.
.S....>.m.<LH..\.2.)...1M......]w.....V?.o..t... t........Vu..vl
w.N..*.o..#.vH....nv...k...BzF F....<.g37.tG,...0.D...9K=`B. ..n...
G.W .,_.`A3E.v....A......u{0.|x.a.a.0.......qo.N2.=...N....?....%..c.#
)..'f./xK'LMrNh.8%..'}...sIu.y1.aK.B;,......GN.&?cM=..i.2..q......x.v.
.......2.....TX.-H.T:~.v......'........m).[.[.."..:...#6)5......d\...g
...x8.In|.L..........J..r_..V.D`..S........^..l...........!.n..6......
d....&..m.FC.Z4..........]...;....9.mG.M....q..4...4t@P....%.......3~.
/..j.f..........gz..<1t./...a8R0.H.......F.j5......ub.....f........
...VR.z]m.r....=...n.v....\[ ^......5..l...*....kjhtU.>......pe.S.\
...5.*.j......2....8"..OBd1.gD......,............._A.?sW.UQBe*......%m
 ..q.....4.g.......w..Az...O....lm.bv...G.....}....-.!S....!<..j{.y
..^.-.....l:...S.|2k.......5........-.s'..i.H.H..bK.I.c.(...F...2.b(..
.....d.l....TX#.....u..........u....n.......c..........9.a]........D..
.d.0N.owi....*Z...c.....\..V.O..@B..{E.l.[6.e..A.y..6s.j..?F..&.q..yT%
xG..Y..TJ*.....K.S.;...I7...fB....:.G7.....k.Xn...w.....rLQ.,..Q&.n4.z
`'.-pw.3.F.n^....z.E.`.l......<...h.....FN..YT-5Fv._4U.......x..|x.
.\w...W.].t.C.Y..>.KJ..{Z.?.O.JX./...b..`..^w..L:.....T.*..#.S.....
.Q...n.....@.F..A.>.......^|Yw.Y..?....C.LR..Z.=.Si)U...|..z...
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86404

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT

If-None-Match: "8017f9a85f10d21:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com

HTTP/1.1 200 OK

Date: Wed, 13 Sep 2017 11:34:26 GMT

Content-Type: application/vnd.ms-cab-compressed

Content-Length: 52967

Connection: keep-alive

Cache-Control: max-age=604800

ETag: "80f83df077e4d21:0"

Expires: Wed, 05 Jul 2017 11:33:10 GMT

Last-Modified: Tue, 13 Jun 2017 19:04:53 GMT

Server: Microsoft-IIS/8.5

MSRegion: EMEA

x-ccc: NL

x-cid: 3

X-Powered-By: ASP.NET

Age: 74565

Accept-Ranges: bytes
MSCF............,...................I..................J.` .authroot.s
tl.^R.Y.6..CK...8...........].y.Q..!Jv..%k.....!..DH...B.KBWE.(.f.RQ*.
..f...}'.....x.:.{f...|.s.q..CF.......0....{%i......P.F.yNz:A..L..1..3
...........IG.....4=....~."|..s.|.xuT..._.*.....e.h,....ozs..*.!TmS..A
q... |,.....V..xV....^....FE(.x...N..h...b....y...j.!....7..h. ..@.(V.
.....8..`-..#=.jq'.e...|..X...@...{..rj.d.....?n3.L.......S.......:.O.
.."k.!o......`.l.B 1.....#].....k6.........B.......!P$.A..<..?zk...
.~..P)A0tu....x..-X..E..,a.7,xN..eed.3..L..XT......IG.w_.Y....E....~k.
.X...T.V.g7d.....#.&~.f.O....Dh...x0..J...0..u.dF..P.!..d...%x<!...
....@,...0..3..-.....q.....X.e....A...z.'..2.<.m.f...I.9.z..a.6vo..
 ...P..U7...-.0.Q..<zd!V....=.'.....2H;..5.7.%5PsD.#.....ht%......f
..s.Dp..Lklx%[.!c...I.<...f.<..e.k`......^.......X..?Z...?......
?..I}..5V.v .q.c.9j..Y..J..0U.t./%..Jd @.W.u......U.".)C(........T.4.y
..J.57*^HlY....O|..~\.J]..]e...?..x2c..6.....i.=?x.....N..-X..f"^@'...
.-v..v...7j.Y1.5._v.....*S9.."........%E<E...;p.}........0..P....g.
.@.]E.3........K....K.4V..Q.-,.../.........:.A....Ng,.........BFef.[..
. ..."*...^...L._#:,7..6:.z..!a............E.r>......A....#..c.....
rS.......7.D..JdR.`6.|...>.0....Wf..n..^..8x.4..........-.3y,3.C.(.
...9f...iNK....q....sUq....c...c.....*K.8"..D...<..0............*x,
$x....a....]..p..t.M....6F..u.....p.r.kf...Z......h~.B3...[.....Hc...K
.....I.....%F..:.....N....U..eU........ e. k....3(S..h....1..r..Z.Y...
.....A.i..Z....[%J.....=2"v].....L.P..!........PC*.........j 8.~.)
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86404

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT

If-None-Match: "8017f9a85f10d21:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com

HTTP/1.1 200 OK

Date: Wed, 13 Sep 2017 11:34:26 GMT

Content-Type: application/vnd.ms-cab-compressed

Content-Length: 52967

Connection: keep-alive

Cache-Control: max-age=604800

ETag: "80f83df077e4d21:0"

Expires: Wed, 05 Jul 2017 11:33:10 GMT

Last-Modified: Tue, 13 Jun 2017 19:04:53 GMT

Server: Microsoft-IIS/8.5

MSRegion: EMEA

x-ccc: NL

x-cid: 3

X-Powered-By: ASP.NET

Age: 74566

Accept-Ranges: bytes
MSCF............,...................I..................J.` .authroot.s
tl.^R.Y.6..CK...8...........].y.Q..!Jv..%k.....!..DH...B.KBWE.(.f.RQ*.
..f...}'.....x.:.{f...|.s.q..CF.......0....{%i......P.F.yNz:A..L..1..3
...........IG.....4=....~."|..s.|.xuT..._.*.....e.h,....ozs..*.!TmS..A
q... |,.....V..xV....^....FE(.x...N..h...b....y...j.!....7..h. ..@.(V.
.....8..`-..#=.jq'.e...|..X...@...{..rj.d.....?n3.L.......S.......:.O.
.."k.!o......`.l.B 1.....#].....k6.........B.......!P$.A..<..?zk...
.~..P)A0tu....x..-X..E..,a.7,xN..eed.3..L..XT......IG.w_.Y....E....~k.
.X...T.V.g7d.....#.&~.f.O....Dh...x0..J...0..u.dF..P.!..d...%x<!...
....@,...0..3..-.....q.....X.e....A...z.'..2.<.m.f...I.9.z..a.6vo..
 ...P..U7...-.0.Q..<zd!V....=.'.....2H;..5.7.%5PsD.#.....ht%......f
..s.Dp..Lklx%[.!c...I.<...f.<..e.k`......^.......X..?Z...?......
?..I}..5V.v .q.c.9j..Y..J..0U.t./%..Jd @.W.u......U.".)C(........T.4.y
..J.57*^HlY....O|..~\.J]..]e...?..x2c..6.....i.=?x.....N..-X..f"^@'...
.-v..v...7j.Y1.5._v.....*S9.."........%E<E...;p.}........0..P....g.
.@.]E.3........K....K.4V..Q.-,.../.........:.A....Ng,.........BFef.[..
. ..."*...^...L._#:,7..6:.z..!a............E.r>......A....#..c.....
rS.......7.D..JdR.`6.|...>.0....Wf..n..^..8x.4..........-.3y,3.C.(.
...9f...iNK....q....sUq....c...c.....*K.8"..D...<..0............*x,
$x....a....]..p..t.M....6F..u.....p.r.kf...Z......h~.B3...[.....Hc...K
.....I.....%F..:.....N....U..eU........ e. k....3(S..h....1..r..Z.Y...
.....A.i..Z....[%J.....=2"v].....L.P..!........PC*.........j 8.~.)
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

`.rsrc

SSSSh

GetProcessWindowStation

operator

Content-Disposition: form-data; name="userfile"; filename="memory_dump.dmp"

CreateMutex error: %d

C:\Development\FM\SendSpace\Apps\Duckling\Duckling SVN\trunk\Platform Solutions\MSVC\Release\SendSpace Downloader.pdb

GetCPInfo

RegOpenKeyExW

ShellExecuteExW

WinHttpOpen

WinHttpConnect

WinHttpOpenRequest

WinHttpSendRequest

WinHttpWriteData

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpCloseHandle

WinHttpCrackUrl

WinHttpAddRequestHeaders

WinHttpQueryOption

WinHttpQueryDataAvailable

WinHttpReadData

.text

`.rdata

@.data

.rsrc

@.reloc

#* ,-./0123456789:;'

*gOp$Key

`.rdH

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PA

KERNEL32.DLL

ADVAPI32.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

/bugreport_downloader.php?version=1.0&os=%i.%i

bugreport.sendspace.com

HTTP/1.0

The application has encountered a problem and will now close. Please retry the operation or contact SendSpace if it happens again

DBGHELP.DLL

memory_dump.dmp

GamesBar-Silent.rsendspace.asendspace.dl.exe

hXXp://VVV.sendspace.com/pro/dl/eza4sc

.download

c:\%original file name%.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace

hXXp://fs05n4.sendspace.com/dllp/4e746bbd9b184e373b1e79f79c0e174e/4d21f412/000000/cifodc/10-1719-A2.1.zip

10-1719-A2.1.zip

C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe

C:\Users\"%CurrentUserName%"\Documents\

C:\Users\"%CurrentUserName%"\Documents

%original file name%.exe_3788_rwx_008F1000_00021000:

SSSSh

GetProcessWindowStation

operator

Content-Disposition: form-data; name="userfile"; filename="memory_dump.dmp"

CreateMutex error: %d

C:\Development\FM\SendSpace\Apps\Duckling\Duckling SVN\trunk\Platform Solutions\MSVC\Release\SendSpace Downloader.pdb

GetCPInfo

RegOpenKeyExW

ShellExecuteExW

WinHttpOpen

WinHttpConnect

WinHttpOpenRequest

WinHttpSendRequest

WinHttpWriteData

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpCloseHandle

WinHttpCrackUrl

WinHttpAddRequestHeaders

WinHttpQueryOption

WinHttpQueryDataAvailable

WinHttpReadData

.text

`.rdata

@.data

.rsrc

@.reloc

#* ,-./0123456789:;'

*gOp$Key

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

KERNEL32.DLL

WUSER32.DLL

/bugreport_downloader.php?version=1.0&os=%i.%i

bugreport.sendspace.com

HTTP/1.0

The application has encountered a problem and will now close. Please retry the operation or contact SendSpace if it happens again

DBGHELP.DLL

memory_dump.dmp

GamesBar-Silent.rsendspace.asendspace.dl.exe

hXXp://VVV.sendspace.com/pro/dl/eza4sc

.download

c:\%original file name%.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace

hXXp://fs05n4.sendspace.com/dllp/4e746bbd9b184e373b1e79f79c0e174e/4d21f412/000000/cifodc/10-1719-A2.1.zip

10-1719-A2.1.zip

C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe

C:\Users\"%CurrentUserName%"\Documents\

C:\Users\"%CurrentUserName%"\Documents

GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe_656:

.text

`.rdata

@.data

.rsrc

SSSSh

aSSSh

FTPjK

FtPj;

C.PjRV

Hw2.Hw

Setup.exe

\\.\mailslot\

kernel32.dll

mscoree.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

c:\WS\Client\Builds\Runner\1.0.0.0\Release\Runner.pdb

KERNEL32.dll

SHLWAPI.dll

ShellExecuteA

ShellExecuteExA

SHELL32.dll

USER32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

ADVAPI32.dll

.?AVCExecuteThread@@

.PAVexception@std@@

.?AVCWaitForMailslotMsgThread@@

C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe

<assemblyIdentity processorArchitecture="*" version="5.1.0.0" type="win32" name="Microsoft.Windows.Shell.shell32"/>

<description>Windows Shell</description>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="*"/>

<requestedExecutionLevel

info@oberon-media.com

1, 0, 0, 8

Runner.exe

GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup.exe_3288:

.rsrc

?.gEP

Portions Copyright (c) 1983,97 Borland

%s[%d]

&#x%s;

Cannot open file %s

TRootKey

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

"%s" %s

OLEAUT32.DLL

%d.%d.%d.%d

kernel32.dll

command.com /c ren %s "%s"

Rename %s

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

wininit.ini

%d.%d

%d.%.2d

Windows %s %s.%.4d %s

autoexec.bat

SET %s=%s

C:\Temp\

Line %d, position %d.

<%s %s

</%s>

%s=%s%s%s

KeyL

TgiShowCmd

CmdLineL

ShowCmdL

HotkeyL

PasswordL

KeyItemIDL

RegKeyL

showcmd

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Windows

%CommonFiles%\Borland Shared\BDE

%%%s%%

TagOperator

TagOperatorList

Expression: %s

Position: %d

CreateKeys

TInstallRegKey

regkey

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fonts\

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\

Cannot copy "%s" to "%s"

%s'%s'

'%s','%s','%s'

%d,%s

chk%schk

%s,%d

'%s','%s','%s',%d,'%s',%d,%d

Resume.exe

"%s" /resume:"%s" /exename:"%s"

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

user32.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\

%%SourcePath%%\%s\

/ir "%s"%s

gacutil.exe

%s%s\%s

Error creating shortcut "%s".

Error changing ini-file "%s".

Cannot register "%s".

Cannot register font "%s".

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

AppHomeURL

AppSupportContact

AppSupportURL

AppSupportPhone

AppUpdateURL

SupportedOS

Cannot copy system file "%s".

Uhy%C

Incorrect password has been specified!

%Windows%

install.log

Uninstall.exe

HKLM%s%s

HKCU%s%s

"%s" "%s"

URLInfoAbout

URLUpdateInfo

advapi32.dll

RegKeyExists

SetPassword

MutexExists

HKLM\SOFTWARE\Microsoft\.NETFramework\policy\v

Function "%s" is not available in this version of Ghost Installer.

TMsgStore

TMsgStoreldC

*.dll

%s\%d\

Cannot load "%s" plug-in.

TMsg

CM_SETPASSWORD

CM_ISPASSWORDVALID

Uh%uC

3333333

Preparing "%s" package...

splash.bmp

Package "%s" has been corrupted, installation impossible.

db.pdb

unpack.dll

Can't extract UNPACK.DLL

sfc.dll

Probably incorrect TMP/TEMP variables or there is no execute permission for temporary folder.

main.pdb

DontUseWindowsLanguageNames

%s=%s

Component ID="%s" not found.

Can't find package "%s" in main database.

m[7HwB]Hw2.Hw

.GIEngine

KWindows

.text

`.bss

.rdata

@.data

.idata

.reloc

.edata

KERNEL32.DLL

CRTDLL.DLL

d:\work\cvs\sources\gi\base\common\unpack\lcc\unpack.dll

GetWindowsDirectoryA

GetCPInfo

RegOpenKeyExA

RegCloseKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyA

ShellExecuteExA

ShellExecuteA

UnhookWindowsHookEx

SetWindowsHookExA

ExitWindowsEx

EnumWindows

GetKeyboardType

P.reloc

P.rsrc

13579;=?

?!?&?,?1?

c``- .0.0213324323213213/.0- .ihh

yww- ./.02132132133242130/1- .ebb

313979979979

979979979324

><>757/.11/2;:;

;:;102/.1757><>

}}><=646

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"><assemblyIdentity processorArchitecture="*" version="5.1.0.0" type="win32" name="Microsoft.Windows.Shell.shell32"/><description>Windows Shell</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="*"/></dependentAssembly></dependency></assembly>PA

comctl32.dll

gdi32.dll

ole32.dll

oleaut32.dll

shell32.dll

version.dll

Unknown operator.

Operator expected.

Function parameters expected.kYou may not use the quotation mark symbols in an expression that is not enclosed by quotation marks itself.#Closing quotation mark is expected.

AdvApi32.dll not loaded

.Method '%s' not supported by automation object/Variant does not reference an automation object"Invalid character in the tag name.#Right angle bracket (">") expected./End tag "%s" does not match the start tag "%s".

Wrong class has been specified.1***** Infinite reference in the string "%s" *****DWrong operator arity (for example binary operator is used as unary).

Cannot assign a %s to a %s

Cannot create file %s

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup.exe_3288_rwx_00401000_00058000:

Portions Copyright (c) 1983,97 Borland

%s[%d]

&#x%s;

Cannot open file %s

TRootKey

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

"%s" %s

OLEAUT32.DLL

%d.%d.%d.%d

kernel32.dll

command.com /c ren %s "%s"

Rename %s

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

wininit.ini

%d.%d

%d.%.2d

Windows %s %s.%.4d %s

autoexec.bat

SET %s=%s

C:\Temp\

Line %d, position %d.

<%s %s

</%s>

%s=%s%s%s

KeyL

TgiShowCmd

CmdLineL

ShowCmdL

HotkeyL

PasswordL

KeyItemIDL

RegKeyL

showcmd

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Windows

%CommonFiles%\Borland Shared\BDE

%%%s%%

TagOperator

TagOperatorList

Expression: %s

Position: %d

CreateKeys

TInstallRegKey

regkey

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fonts\

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\

Cannot copy "%s" to "%s"

%s'%s'

'%s','%s','%s'

%d,%s

chk%schk

%s,%d

'%s','%s','%s',%d,'%s',%d,%d

Resume.exe

"%s" /resume:"%s" /exename:"%s"

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

user32.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\

%%SourcePath%%\%s\

/ir "%s"%s

gacutil.exe

%s%s\%s

Error creating shortcut "%s".

Error changing ini-file "%s".

Cannot register "%s".

Cannot register font "%s".

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

AppHomeURL

AppSupportContact

AppSupportURL

AppSupportPhone

AppUpdateURL

SupportedOS

Cannot copy system file "%s".

Uhy%C

Incorrect password has been specified!

%Windows%

install.log

Uninstall.exe

HKLM%s%s

HKCU%s%s

"%s" "%s"

URLInfoAbout

URLUpdateInfo

advapi32.dll

RegKeyExists

SetPassword

MutexExists

HKLM\SOFTWARE\Microsoft\.NETFramework\policy\v

Function "%s" is not available in this version of Ghost Installer.

TMsgStore

TMsgStoreldC

*.dll

%s\%d\

Cannot load "%s" plug-in.

TMsg

CM_SETPASSWORD

CM_ISPASSWORDVALID

Uh%uC

3333333

Preparing "%s" package...

splash.bmp

Package "%s" has been corrupted, installation impossible.

db.pdb

unpack.dll

Can't extract UNPACK.DLL

sfc.dll

Probably incorrect TMP/TEMP variables or there is no execute permission for temporary folder.

main.pdb

DontUseWindowsLanguageNames

%s=%s

Component ID="%s" not found.

Can't find package "%s" in main database.

m[7HwB]Hw2.Hw

.GIEngine

KWindows

.text

`.bss

.rdata

@.data

.idata

.reloc

.edata

KERNEL32.DLL

CRTDLL.DLL

d:\work\cvs\sources\gi\base\common\unpack\lcc\unpack.dll

GetWindowsDirectoryA

GetCPInfo

RegOpenKeyExA

RegCloseKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyA

ShellExecuteExA

ShellExecuteA

UnhookWindowsHookEx

SetWindowsHookExA

ExitWindowsEx

EnumWindows

GetKeyboardType

P.reloc

P.rsrc

Unknown operator.

Operator expected.

Function parameters expected.kYou may not use the quotation mark symbols in an expression that is not enclosed by quotation marks itself.#Closing quotation mark is expected.

AdvApi32.dll not loaded

.Method '%s' not supported by automation object/Variant does not reference an automation object"Invalid character in the tag name.#Right angle bracket (">") expected./End tag "%s" does not match the start tag "%s".

Wrong class has been specified.1***** Infinite reference in the string "%s" *****DWrong operator arity (for example binary operator is used as unary).

Cannot assign a %s to a %s

Cannot create file %s

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

GameInstaller.exe_1768:

.text

`.rdata

@.data

.rsrc

.VVVVVSRSSj

hJw:3Hw2.Hw

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Explorer

CNotSupportedException

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

ntdll.dll

kernel32.dll

%s.dll

hhctrl.ocx

%s (%s:%d)

f:\rtm\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

res://%s/%s

res://%s/%d

CCmdTarget

comctl32.dll

comdlg32.dll

mfcm80.dll

f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

MSWHEEL_ROLLMSG

user32.dll

ole32.dll

mscoree.dll

KERNEL32.DLL

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

operator

GetProcessWindowStation

USER32.DLL

n%D,3

OLEACC.dll

c:\ws\client\builds\custominstallationplugin\oberoninstaller\release\GameInstaller.pdb

COMCTL32.dll

GetCPInfo

GetProcessHeap

GetConsoleOutputCP

KERNEL32.dll

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExA

CreateDialogIndirectParamA

USER32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyA

RegOpenKeyExA

RegEnumKeyA

RegDeleteKeyA

RegCreateKeyExA

ADVAPI32.dll

oledlg.dll

OLEAUT32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

SHLWAPI.dll

.PAVCOleException@@

.PAVCException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.PAVCUserException@@

.PAVCResourceException@@

.PAVCArchiveException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCFileException@@

.PAVCOleDispatchException@@

zcÁ

.?AVCCmdTarget@@

x0C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\GameInstaller.exe

accKeyboardShortcut

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

#Unable to load mail system support.

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

1.0.0.2

GameInstaller.exe

SearchEngineProtection.exe_2832:

.text

`.rdata

@.data

.rsrc

t'SShl

FtpUF

aSSSh

.VVVVVSRSSj

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

7Hw2.Hw

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Software\Microsoft\Windows\CurrentVersion\Ext\Stats

0.0.0.0

{36377DD7-B3EB-42f5-986F-680BAF59BA9D}

{6F282B65-56BF-4BD1-A8B2-A4449A05863D}

{CB0D163C-E9F4-4236-9496-0597E24B23A5}

\Toolbar\WebBrowser

Software\Microsoft\Windows\CurrentVersion\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

ieframe.dll

SHFOLDER.DLL

Current user is a member of the %s\%s group

CNotSupportedException

CCmdTarget

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

ntdll.dll

kernel32.dll

%s%s.dll

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

comctl32.dll

comdlg32.dll

hhctrl.ocx

f:\sp\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

MSWHEEL_ROLLMSG

res://%s/%s

res://%s/%d

mfcm80.dll

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

user32.dll

ole32.dll

mscoree.dll

.mixcrt

KERNEL32.DLL

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

portuguese-brazilian

F%D,3

OLEACC.dll

_Hyperlink_Object_Pointer_\{AFEED740-CC6D-47c5-831D-9848FD916EEF}

RegistryMonitor::StopEvent:%d

Key is absent on %s

Can't create event for the %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Command wan't handled %d

Search.ini

\Search.ini

Try remove %s

Hide popup %d CH

Hide popup %d HP

%Program Files%\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin1.inl

%s (%s:%d)

hXXp://localhost

Timer %d hide popup %d issued

Started timer %d for %d

Start timer called for %d

Stopped timer %d for %d

Stop timer called for %d

CReportDlg

OnTimer %d

OnBeforeNavigate %s

OnDocumentComplete %s

OnNavigateComplete %s

CReporter

%s %s

c:\WS\Client\Builds\SearchEngineProtection\1.0.0.0\Release\SearchEngineProtection.pdb

VERSION.dll

InternetCrackUrlA

WININET.dll

GetCPInfo

GetProcessHeap

GetConsoleOutputCP

KERNEL32.dll

MsgWaitForMultipleObjects

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

CreateDialogIndirectParamA

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

WINSPOOL.DRV

RegOpenKeyExA

RegNotifyChangeKeyValue

RegCloseKey

RegCreateKeyA

RegOpenKeyA

RegEnumKeyA

RegQueryInfoKeyA

RegDeleteKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteExA

SHELL32.dll

COMCTL32.dll

SHLWAPI.dll

oledlg.dll

OLEAUT32.dll

SensApi.dll

.PAVCOleException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCCmdUI@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCFileException@@

.PAVCOleDispatchException@@

zcÁ

.?AVCCmdTarget@@

.?AV?$CLocal@PAUHKEY__@@@@

.PAVCException@@

.?AVCPostMsgLink@@

.?AVCReportDlg@@

.?AVCReporter@@

c%Program Files%\GamesBar\SearchEngineProtection.exe

C:\ProgramData

9.0.8112.16421

<BODY ID=CReportDlg BGCOLOR=LIGHTGREY>

accKeyboardShortcut

SearchProtectionUsageReportUrl

FFSearchEngineURL

IESearchEngineURL

GameInstaller.exe

CHROME_IE

localization.ini

SearchEngineProtection.exe

1.0.0.27

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

#Unable to load mail system support.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   sch.exe:3600
   OberonParts.exe:2432
   GameInstaller.exe:1768
   Setup.exe:2368
   SearchEngineProtection.exe:1920
   ToolbarInstaller.exe:2224
   occci.exe:2052
   OberonDetectionApplication.exe:900
   shp.exe:1472
   GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe:656
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (776 bytes)
   C:\ProgramData\Oberon Media\Services\Search\search_{4F921428-6CC4-4EBB-85F9-C14BD59028BF}.ico (61 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\plugins\0\lng\Enu.lng (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\GameInstaller.exe (7404 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\main.pdb (1332 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\sch.exe (6147 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\plugins\0\StdUI.dll (2406 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\lng\Enu.lng (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\Search.ini (1640 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\websearch.gif (609 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\plugins\1\CustomInstallationPlugIn.dll (10428 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\unpack.dll (71 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\Resume.exe (139 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\websearch.ico (1956 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\Localization.ini (5312 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup.bmp (13 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\ToolbarInstaller.exe (6023 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\OberonDetectionApplication.exe (6587 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\db.pdb (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup.rgn (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\shp.exe (6663 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2NQ3S0S3\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup\presetup\Setup.exe (25068 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9E77.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar82FA.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8150.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9E76.tmp (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (104 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (3440 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe (145 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab814F.tmp (51 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8190.tmp (51 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar81A0.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\SendSpace\GamesBar-Silent.rsendspace-dlm.asendspace.dl.exe.download (143673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9FDF.tmp (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9FE0.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab82F9.tmp (51 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab83A.tmp (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\application-84bd369d085a36bbce43d6012579bc7a[1].css (20444 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar83B.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\yahoo-boss-searchbox-min[1].js (4133 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\error[1] (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\warning[1] (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (1278 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\iplay_logo-e371eaa8fd7cabbd48a0638aa3f03bce[1].png (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (471 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\104[1] (377 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A8X63UZW.txt (119 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\application-ac31c55371b093e7460c6d3d86a6a344[1].js (105439 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\start_iplay_com[1].htm (46 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\prum.min[1].js (5895 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\error[1] (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\logo-yahoo-94304d0053cbaea6ecff80bba88bf922[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017091420170915\index.dat (16 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\yui-min[1].js (56847 bytes)
   %Program Files%\GamesBar\GBUninstPopup.dll (10189 bytes)
   C:\ProgramData\GamesBar\onload\close_over.gif (241 bytes)
   C:\ProgramData\GamesBar\onload\noInternet.gif (420 bytes)
   C:\ProgramData\GamesBar\onload\bottom.gif (51 bytes)
   %Program Files%\GamesBar\Localization.ini (6 bytes)
   C:\ProgramData\GamesBar\onload\right.gif (51 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GamesBar\Uninstall.lnk (1 bytes)
   %Program Files%\GamesBar\Reg.lnk (712 bytes)
   %Program Files%\GamesBar\Search.ini (2 bytes)
   C:\ProgramData\GamesBar\onload\bottom-left.gif (63 bytes)
   C:\ProgramData\GamesBar\onload\top-right.gif (225 bytes)
   C:\ProgramData\GamesBar\onload\top-left.gif (226 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GamesBar\About GamesBar.lnk (1 bytes)
   C:\ProgramData\GamesBar\onload\close.gif (241 bytes)
   C:\ProgramData\GamesBar\onload\top.gif (96 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\occci.exe (21464 bytes)
   C:\ProgramData\GamesBar\onload\no-internet.png (5 bytes)
   %Program Files%\GamesBar\SearchEngineProtection.exe (15424 bytes)
   C:\ProgramData\GamesBar\onload\bottom-right.gif (62 bytes)
   C:\ProgramData\GamesBar\onload\no-internet.html (519 bytes)
   %Program Files%\GamesBar\uninst.exe (1663 bytes)
   C:\ProgramData\GamesBar\onload\loading.gif (1 bytes)
   C:\ProgramData\GamesBar\onload\left.gif (51 bytes)
   %Program Files%\GamesBar\GameInstaller.exe (7679 bytes)
   %Program Files%\GamesBar\2.0.1.55\oberontb.dll (21081 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Oberon Media\Search\SearchEngineProtection\Search.ini (2 bytes)
   %Program Files%\Common Files\Oberon Media\OberonBroker\1.0.0.76\OberonBroker.exe (4324 bytes)
   %Program Files%\Common Files\Oberon Media\Odyssey\2.0.0.49\Odyssey.dll (3568 bytes)
   %Program Files%\Common Files\Oberon Media\Parts\1.0.0.11\OberonParts.exe (9482 bytes)
   %Program Files%\Common Files\Oberon Media\occcu.exe (4262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp\NSISpcre.dll (6549 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstDA96.tmp\Math.dll (2567 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GamesBar-Silent.rsendspace-dlm.asendspace.dl Setup.exe (340 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "SearchEngineProtection" = "%Program Files%\Gamesbar\SearchEngineProtection.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.