Trojan.Win32.Swrort.3_9e54f1a2ec

by malwarelabrobot on April 23rd, 2016 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 9e54f1a2ec3e0d62121c418ff7424a0a
SHA1: f2ea6f13e74b6ea6c035155de6e389e13127c6cb
SHA256: 60b2a17ba7caee2b028c89fef7c5e6f257c387a39c00744345db92d538fe9166
SSDeep: 12288:Plp30ATAnFK8Ur97/KfeXyVqQC8WoNJCQaZi9ULAtcSXdaGXLL:PH3h0rGB/Kk85CL8eBSX9
Size: 724536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Catalina Group Ltd.
Created at: 2016-03-31 18:06:05
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

CatalinaUpdate.exe:1176
CatalinaUpdate.exe:1076
CatalinaUpdate.exe:1824
CatalinaUpdate.exe:2000
CatalinaUpdate.exe:1388
CatalinaUpdate.exe:1484
citrio.exe:1436
citrio.exe:900
citrio.exe:2980
citrio.exe:1836
citrio.exe:1716
citrio.exe:2092
citrio.exe:304
citrio.exe:1152
citrio.exe:1032
citrio.exe:1452
citrio.exe:1484
citrio.exe:436
citrio.exe:364
citrio.exe:2064
citrio.exe:252
CatalinaCrashHandler.exe:788
setup.exe:132
%original file name%.exe:1108
citrio_48.0.2564.270_1.exe:916

The Trojan injects its code into the following process(es):

citrio.exe:2624
citrio.exe:2876
citrio.exe:2736
citrio.exe:1520
citrio.exe:2764
citrio.exe:516
citrio.exe:4016

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process CatalinaUpdate.exe:1824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process CatalinaUpdate.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll (19 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll (28 bytes)

The process CatalinaUpdate.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install\{6314A6BB-F8EF-431B-8E6C-E0F22F781FA8}\citrio_48.0.2564.270_1.exe (449813 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\48.0.2564.270\citrio_48.0.2564.270_1.exe (449813 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{E03D1AAF-D0C9-4509-B59A-C2EA9CC865D3}-citrio_48.0.2564.270_1.exe (0 bytes)

The process citrio.exe:1436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\style.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\jquery-1.11.0.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\active.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\download-all-disable.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\theme.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\id\messages.json (994 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\select-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\DECODED_MESSAGE_CATALOGS (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\static.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\disable.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\select-all-active.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\download-all.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\sprite.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\locale.js (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\en\messages.json (981 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\background.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\select-all-hover.png (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\manifest.json (557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\DECODED_IMAGES (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\js.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\open-icon.png (15904 bytes)

The process citrio.exe:900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ms\messages.json (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\DECODED_IMAGES (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\16-old.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\manifest.json (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\16.png (497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\DECODED_MESSAGE_CATALOGS (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\en\messages.json (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\fil\messages.json (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon128.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\js\locale.js (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon.tw.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\css\template.css (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon.fb.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\id\messages.json (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon35.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\background.js (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\pt_BR\messages.json (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon48.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon64.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\js\popup.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon.gp.png (1 bytes)

The process citrio.exe:2980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\uk\messages.json (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\reg-logo.png (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\man.png (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osble700.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossce600.woff2 (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\pt_BR\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\login\login.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\dollar-green.png (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ms\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossc600.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\angular-animate.min.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osce400.woff2 (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\recover\recoverOk.html (635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osl400.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\id\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossl600.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\manifest.json (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\fil\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\oslle300.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\header-dollar-icon.png (64683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\animation.css (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\registration\registrationOk.html (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osbce700.woff2 (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\oslce300.woff2 (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\login\loginCtrl.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ar\messages.json (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon128.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon32.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\background.js (339 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\DECODED_IMAGES (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\popup.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\recover\recover.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\registration\registrationCtrl.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\statistic\statisticCtrl.js (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\style.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\angular.js (64174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossle600.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\statistic.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osbc700.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\registration\registration.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osc400.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\angular-route.min.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\oslc300.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osbl700.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\globalService.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\fonts.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\DECODED_MESSAGE_CATALOGS (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osll300.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\jquery-2.1.4.min.js (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\recover\recoverCtrl.js (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\en\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\app.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\statistic\statistic.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ru\messages.json (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\th\messages.json (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osle400.woff2 (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\close.png (64683 bytes)

The process citrio.exe:1032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\debug.log (129 bytes)

The process citrio.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\icon.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000003.log (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ms\messages.json (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10.tmp (287042 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\uk\messages.json (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_7YjEcZG5LWFE2yA (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\fil\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon128.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\pt_BR\messages.json (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\static.png (546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\download_all.crx (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ar\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\id\messages.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ru\messages.json (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data (3478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1C.tmp (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\13.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\index (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\11.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ru\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon128.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\pt_BR\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\th\messages.json (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\19.tmp (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_3 (2808 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_2 (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_1 (18792 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_0 (53600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_hhft7kb30WbZELS (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\id\messages.json (932 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\citrio_ext.crx (114298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\en\messages.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_0L6kzSrLIHtUDZV (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\LOG (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\media_downloader.crx (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\18.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000001 (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\proxy.crx (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon16.png (705 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\First Run (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\th\messages.json (589 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data (29629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\id\messages.json (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\manifest.json (983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\pt_BR\messages.json (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\th\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\uk\messages.json (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\pt_BR\messages.json (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\uk\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\000003.log (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\LOG (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies (1043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ms\messages.json (473 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000002 (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\en\messages.json (492 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage-journal (5545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_xmqsjnT2msxoNHR (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_QpsafpCJEzphWcA (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\fil\messages.json (566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ar\messages.json (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\LOG (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\id\messages.json (451 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1A.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon16.png (420 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Visited Links (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\15.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ms\messages.json (526 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon128.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_QccOEVX8Z1CTdLn (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\fil\messages.json (992 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor (5093 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ru\messages.json (627 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites-journal (12948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\10.tmp (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\en\messages.json (919 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_vg9F8HkO8Hkm7Sp (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites (5232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\fil\messages.json (490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_19.png (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History (21181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\16.png (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\README (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\th\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\share_page.crx (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Current Session (4849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\etilqs_X39xQmJOdX9TZjg (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_16.png (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ms\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons (4342 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (4998877 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data-journal (13750 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History-journal (12512 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\LOG (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\en\messages.json (459 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1D.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000003.log (9746 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ar\messages.json (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\17.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor-journal (11985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies-journal (5308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\C.tmp (1478 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\MANIFEST-000001 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts-journal (532 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\icon.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\DECODED_MESSAGE_CATALOGS (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Local State~RFf06ec.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\DECODED_IMAGES (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Preferences~RFefe9f.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_16.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\16.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\DECODED_MESSAGE_CATALOGS (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon16.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\citrio_ext.crx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\DECODED_IMAGES (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Secure Preferences~RFf1ed9.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extensions\Temp\scoped_dir_1520_18659 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Preferences~RFed369.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\media_downloader.crx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon128.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\DECODED_IMAGES (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\static.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extensions\Temp\scoped_dir_1520_9175 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon16.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon128.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon32.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\DECODED_IMAGES (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\DECODED_IMAGES (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extensions\Temp\scoped_dir_1520_30470 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extensions\Temp\scoped_dir_1520_17873 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\DECODED_MESSAGE_CATALOGS (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extensions\Temp\scoped_dir_1520_15353 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_19.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\download_all.crx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\DECODED_MESSAGE_CATALOGS (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Preferences~RFf2532.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\DECODED_MESSAGE_CATALOGS (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\share_page.crx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon128.png (0 bytes)

The process citrio.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ao.png (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ml.png (463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mm.png (451 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ad.png (540 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ag.png (622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\doT.min.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ck.png (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cx.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bt.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\icon_128.png (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pf.png (476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kn.png (662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\am.png (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\io.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ee.png (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ht.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\om.png (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ch.png (434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bj.png (422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bw.png (425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bv.png (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dk.png (416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nu.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kr.png (658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\aq.png (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pe.png (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lc.png (631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dz.png (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ng.png (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kg.png (525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\speed.png (885 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\tmpl.js (667 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bh.png (529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gt.png (549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gu.png (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mx.png (526 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\th\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mf.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ir.png (471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pl.png (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mp.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ms.png (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cz.png (492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hn.png (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\jm.png (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fi.png (405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gy.png (686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ki.png (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\co.png (387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ke.png (631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dm.png (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lu.png (367 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\er.png (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\es.png (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kz.png (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gl.png (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\at.png (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mq.png (604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ly.png (383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gq.png (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mn.png (546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cl.png (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\ru\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cy.png (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gw.png (465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fj.png (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\et.png (566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hk.png (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\au.png (614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gg.png (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\it.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cc.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\settings.png (871 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\je.png (632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bl.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\model.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mu.png (416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ie.png (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fo.png (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pg.png (629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bo.png (461 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gd.png (683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ge.png (509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cd.png (621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bf.png (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\la.png (530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bb.png (573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bm.png (606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lb.png (491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mg.png (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pa.png (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\close.png (552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\no.png (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gm.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mr.png (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\icon_mono_off.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ai.png (609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bd.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\jo.png (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mk.png (690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\spine.js (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\id\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\is.png (494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\logging.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ae.png (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gp.png (509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\me.png (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ci.png (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cu.png (513 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dj.png (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kw.png (476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\ar\messages.json (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bg.png (352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ec.png (564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\iq.png (475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kh.png (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\eg.png (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\eh.png (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\af.png (534 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nf.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hr.png (553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\manifest.json (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\uk\messages.json (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\ic16_gear.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lt.png (395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cr.png (364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\az.png (472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\de.png (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nz.png (623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\settings-act.png (883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\in.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bz.png (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\base64.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\profile_detail.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\br.png (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ls.png (639 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gf.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\sandbox.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mw.png (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cf.png (514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\spine.route.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\an.png (477 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\mochi.js (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gs.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\list-img.png (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\id.png (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gh.png (453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gi.png (516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\icon_128.png (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\il.png (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ba.png (627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\ic16_gear.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ar.png (439 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\as.png (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\na.png (717 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\km.png (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ph.png (516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gr.png (433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\spine.local.js (619 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\new.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cv.png (492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\np.png (634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nr.png (465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gn.png (453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mv.png (537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mo.png (647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\ui.js (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\im.png (543 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\aw.png (453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hm.png (614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\be.png (452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\sandbox.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ca.png (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cn.png (469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cm.png (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\md.png (548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\popup.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\list-img-ac.png (620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\do.png (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fk.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ax.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\by.png (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\icon_mono_off.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mh.png (698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cg.png (674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\styles\mochi.css (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ni.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fr.png (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nl.png (367 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\my.png (509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lr.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fm.png (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mt.png (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kp.png (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\al.png (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\agent.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ne.png (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hu.png (369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ma.png (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\styles\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bn.png (654 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lk.png (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mz.png (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\li.png (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bs.png (494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ky.png (600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gb.png (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\icon_mono_on.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\icon_mono_on.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ga.png (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\jp.png (471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pk.png (600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nc.png (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\sl_arrow.png (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\popup.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mc.png (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bi.png (740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lv.png (367 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pm.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\profile_list.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\en\messages.json (1 bytes)

The process citrio.exe:436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\search.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\button.logo.inactive.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\DECODED_MESSAGE_CATALOGS (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\logo.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\DTA.ui.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\pt_BR\messages.json (525 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\DTA.popup.js (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\manifest.json (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\uk\messages.json (862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon.close.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\en\messages.json (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ar\messages.json (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\id\messages.json (481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon16.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\th\messages.json (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ms\messages.json (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ru\messages.json (868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\DECODED_IMAGES (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\DTA.interface.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\background.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\fil\messages.json (520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\locale.js (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\css\template.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon128.png (60000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\button.logo.png (60000 bytes)

The process citrio.exe:252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\QtCore4.dll (152471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\background_notification.js (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_16.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\python34.dll (164484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_lzma.pyd (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\background.html (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\msvcp100.dll (27336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\DECODED_IMAGES (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\QtGui4.dll (541377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\youtube-dl.exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\unicodedata.pyd (48768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\content_dv.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\dlnlib.dll (38624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\msvcr100.dll (49672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\pywintypes34.dll (7784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_socket.pyd (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\libeay32.dll (76989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\select.pyd (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_bz2.pyd (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\libtorrent.dll (129574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_empty.png (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\Include\pyconfig.h (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\ssleay32.dll (18768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\imageformats\qico4.dll (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_elementtree.pyd (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_ssl.pyd (66767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\DECODED_MESSAGE_CATALOGS (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\zlib1.dll (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_hashlib.pyd (49912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\background_dv.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\win32wnet.pyd (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\citrio_ext.dll (34392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\pyexpat.pyd (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\base_library.zip (206432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_19.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_ctypes.pyd (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\libcurl.dll (22840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\manifest.json (988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\background_stats.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\content_stats.js (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\win32api.pyd (6984 bytes)

The process setup.exe:132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_watcher.dll (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\48.0.2564.270.manifest (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\el.pak (1752 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sr.pak (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\wow_helper.exe (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\et.pak (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ca.pak (265 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\th.pak (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\hu.pak (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sk.pak (274 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_elf.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\mr.pak (1812 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\delegate_execute.exe (3802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\pt-BR.pak (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\48.0.2564.270\Installer\setup.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\secondarytile.png (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\chrome.VisualElementsManifest.xml (342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\PepperFlash\pepflashplayer.dll (124061 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\share_page.crx (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\nacl_irt_x86_64.nexe (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\libexif.dll (307 bytes)
%Documents and Settings%\%current user%\Desktop\Facebook.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\media_downloader.crx (1670 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\he.pak (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\es.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\hi.pak (1820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\citrio.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\kn.pak (3680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_child.dll (321430 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\zh-TW.pak (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\libglesv2.dll (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\nb.pak (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\icudtl.dat (75554 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\lt.pak (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\gu.pak (1805 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\nl.pak (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fa.pak (1654 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\nacl64.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\natives_blob.bin (1711 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\en-GB.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\vi.pak (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\te.pak (1870 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\id.pak (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\am.pak (1647 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\hr.pak (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\pl.pak (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\bg.pak (1714 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fr.pak (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\resources.pak (150724 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio.dll (259439 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\en-US.pak (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\cs.pak (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\bn.pak (1839 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\d3dcompiler_47.dll (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\de.pak (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\it.pak (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ms.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\nacl_irt_x86_32.nexe (20507 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\da.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\zh-CN.pak (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\tr.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\download_all.crx (1766 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sw.pak (241 bytes)
%Documents and Settings%\%current user%\Desktop\YouTube.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fi.pak (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\widevinecdmadapter.dll (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ml.pak (3743 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ar.pak (1641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\VisualElements\smalllogo.png (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\citrio_ext.crx (110258 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\uk.pak (1698 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\PepperFlash\version.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fil.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\metro_driver.dll (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\VisualElements\logo.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\proxy.crx (1676 bytes)
%Documents and Settings%\%current user%\Desktop\Citrio.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\libegl.dll (78 bytes)
%Documents and Settings%\%current user%\Desktop\Chrome Web Store.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sv.pak (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\citrio.7z (1358422 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\lv.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ko.pak (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ja.pak (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ta.pak (3691 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\snapshot_blob.bin (1802 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_100_percent.pak (6303 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ru.pak (1688 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_material_200_percent.pak (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_material_100_percent.pak (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\pt-PT.pak (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\es-419.pak (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\external_extensions.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_200_percent.pak (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sl.pak (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ro.pak (268 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\citrio.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\wow_helper.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533 (0 bytes)

The process %original file name%.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (0 bytes)

The process citrio_48.0.2564.270_1.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\setup.exe (20838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\SETUP.EX_ (1731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\CITRIO.PACKED.7Z (443233 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\SETUP.EX_ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\CITRIO.PACKED.7Z (0 bytes)

Registry activity

The process CatalinaUpdate.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 DF 53 B3 AC 7D C1 93 BA AC FA 03 D5 1B CB F4"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "auto"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "03 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:1076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 90 FB 62 93 54 D0 67 01 43 64 8C A6 83 6A DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "05 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:1824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 E8 B0 72 71 0E 5F 59 0C CB 03 F9 96 CD E0 D4"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update]
"LastServerAddress" = "1"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "auto"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"CLSID" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}]
"(Default)" = "ICatalinaUpdate3WebSecurity"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}]
"(Default)" = "IAppBundle"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\NumMethods]
"(Default)" = "39"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\NumMethods]
"(Default)" = "13"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}]
"(Default)" = "ICredentialDialog"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}]
"(Default)" = "ICatalinaUpdate"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}]
"(Default)" = "Update3COMClass"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\CLSID\{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CLSID\{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}\InProcServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}]
"(Default)" = "IAppVersionWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}]
"(Default)" = "IOneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}]
"(Default)" = "ICoCreateAsync"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}]
"(Default)" = "ICurrentState"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}]
"(Default)" = "IAppBundleWeb"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}]
"(Default)" = "IApp"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\NumMethods]
"(Default)" = "5"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 8A 28 B6 A4 16 26 30 46 64 AA A1 D2 EC 11 5B"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\NumMethods]
"(Default)" = "44"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\VersionIndependentProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\NumMethods]
"(Default)" = "9"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\NumMethods]
"(Default)" = "6"

[HKCU\Software\Classes\CLSID\{E9DD6CE9-5DC9-4484-80FC-EBCAFEDD6775}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"Policy" = "3"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}]
"(Default)" = "ICatalinaUpdateCore"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{E9DD6CE9-5DC9-4484-80FC-EBCAFEDD6775}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\ProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CurVer]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}]
"(Default)" = "ICatalinaUpdate3"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}]
"(Default)" = "IJobObserver"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}]
"(Default)" = "IAppVersion"

[HKCU\Software\Classes\CLSID\{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}]
"(Default)" = "ICatalinaUpdate3Web"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}]
"(Default)" = "IBrowserHttpRequest2"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}]
"(Default)" = "IPackage"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\ProxyStubClsid32]
"(Default)" = "{A9DEC561-8DB2-4613-BD7A-544A9CCD0EC5}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}]
"(Default)" = "IAppWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}]
"(Default)" = "IProcessLauncher"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\ProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}]
"(Default)" = "IProgressWndEvents"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}]
"(Default)" = "IRegistrationUpdateHook"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{E9DD6CE9-5DC9-4484-80FC-EBCAFEDD6775}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}]
[HKCU\Software\Classes\CLSID\{E9DD6CE9-5DC9-4484-80FC-EBCAFEDD6775}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"opt_in_uid_generated" = "01 00 00 00 00 00 00 00"
"setup_should_install_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_install_google_update_total_ms" = "01 00 00 00 00 00 00 00 88 04 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"iid" = "{170A3ADB-EE3F-4AFB-9E9E-D677FD645106}"

[HKCU\Software\CatalinaGroup\Update]
"UID" = "{0F5B39A2-90B2-4507-BFD6-4790D2300363}"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.oneclickctrl.9]
"CLSID" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9\CLSID]
"(Default)" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.update3webcontrol.3]
"CLSID" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_phase2_ms" = "01 00 00 00 00 00 00 00 C1 01 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppName" = "CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update]
"Version" = "1.3.25.223"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Description" = "CatalinaGroup Update"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"Name" = "Catalina Update"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"InstallTime" = "1461316489"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\ProgID]
"(Default)" = "CatalinaGroup.OneClickCtrl.9"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_do_self_install_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_lock_acquire_ms" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Description" = "CatalinaGroup Update"
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_files_total" = "01 00 00 00 00 00 00 00"
"goopdate_main" = "06 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Version" = "9"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.223"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3\CLSID]
"(Default)" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppName" = "CatalinaUpdateOnDemand.exe"

[HKCU\Software\CatalinaGroup\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "06 00 00 00 00 00 00 00"
"setup_do_self_install_succeeded" = "01 00 00 00 00 00 00 00"
"setup_install_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Version" = "3"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA C0 71 61 29 06 FC 78 82 8E 60 F3 F6 07 D9 03"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.223"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_should_install_true_fresh_install" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\ProgID]
"(Default)" = "CatalinaGroup.Update3WebControl.3"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_files_ms" = "01 00 00 00 00 00 00 00 BA 02 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"setup_install_total" = "01 00 00 00 00 00 00 00"
"setup_files_verification_succeeded" = "01 00 00 00 00 00 00 00"
"setup_install_task_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"brand" = "GGLS"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Timings]
"setup_install_task_ms" = "01 00 00 00 00 00 00 00 84 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"ui"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableSince"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"c"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableCount"

[HKCU\Software\CatalinaGroup\Update]
"LastChecked"

The process CatalinaUpdate.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"pv" = "48.0.2564.270"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_package_cache_put_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"brand" = "GGLS"
"LastInstallerError" = "0"
"LastInstallerResult" = "0"
"referral" = "1:citrio_website"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_download_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update]
"LastServerAddress" = "1"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "auto"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"worker_package_cache_put_total" = "01 00 00 00 00 00 00 00"
"worker_download_succeeded" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerError" = "0"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastInstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"
"lang" = "en"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "04 00 00 00 00 00 00 00"
"worker_install_execute_total" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"bt" = "1"
"LastCheckSuccess" = "1461316609"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "04 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 22 4D 8F 8A"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 71 D3 4A 8A 53 D7 8C AB DA 7C F0 D9 D9 B6 F7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallTime" = "1461316595"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerResult" = "0"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"iid" = "{170A3ADB-EE3F-4AFB-9E9E-D677FD645106}"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"browser"
"LastInstallerError"
"LastInstallerResultUIString"
"eulaaccepted"
"UpdateAvailableSince"
"tttoken"

[HKCU\Software\CatalinaGroup\Update\network\secure]
"c"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"experiment_labels"
"InstallerResult"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastInstallerExtraCode1"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerError"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastInstallerSuccessLaunchCmdLine"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerSuccessLaunchCmdLine"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerError"
"LastInstallerResult"
"UpdateAvailableCount"
"InstallerSuccessLaunchCmdLine"
"ap"

[HKCU\Software\CatalinaGroup\Update]
"LastInstallerResultUIString"
"LastInstallerExtraCode1"
"LastInstallerResult"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"iid"

The process citrio.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 BB 5E 13 02 E0 3D 27 4A 70 50 FD 6D B8 AE F5"

The process citrio.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 D2 9A DF 06 3B 18 41 52 EF 1A E2 05 8B B0 15"

The process citrio.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 72 17 01 97 AD 99 FE 58 28 80 C4 53 0A 05 0C"

The process citrio.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 48 A0 7F 14 1F CE 9F FE 0B A8 8E 30 4A E0 6E"

The process citrio.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B DD E1 20 08 E0 37 BA A6 FA 4A 15 7A 3A D6 85"

The process citrio.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 F8 A9 62 94 48 76 C4 3B DC 2C BA 57 DD B7 0A"

The process citrio.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 25 BD 0C EC B1 69 BD 67 69 7F 8C 8A 9D 45 4C"

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.39_0\binaries\win\imageformats]
"qico4.dll" = "40806, 0, Windows msvc release full-config, 2016-03-31T12:19:48"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

The process citrio.exe:2092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 40 BA 2F 89 60 6C 12 73 02 24 44 94 4A D8 34"

The process citrio.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 03 21 D6 97 5C 26 A6 DC 56 A1 46 41 67 75 1B"

The process citrio.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 02 29 4A 30 4C 5E 70 E6 59 8D 00 EC 3C 1A D1"

The process citrio.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 C9 97 22 CA 49 86 12 1B D1 54 69 F3 DA 72 A7"

The process citrio.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 74 B6 D8 10 7D F0 5F 9B 8C A3 1E 1B B0 27 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process citrio.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"dr" = "1"
"usagestats" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"Version" = "48.0.2564.270"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"

[HKCU\Software\CatalinaGroup\Citrio\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "0"

[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"State" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"lastrun" = "13105790222553375"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastWasDefault" = "Type: REG_QWORD, Length: 8"
"_NumSignedIn" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"

[HKCU\Software\CatalinaGroup\Citrio\BLBeacon]
"failed_count" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 0D 33 22 E3 6B 44 30 9C 92 4F BE 2C 7E 4F 5C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"_NumAccounts" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"

The Trojan deletes the following registry key(s):

[HKCU\Software\CatalinaGroup\Citrio\BLFinchList]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"FirstNotDefault"

The process citrio.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 2C EC D0 70 28 2B 91 4D 96 42 40 57 62 07 C1"

The process citrio.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A F3 1B 67 93 F7 79 B9 A7 9A 13 EF 7E 79 07 58"

The process citrio.exe:436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 18 6D 5A E7 0F DF 16 5C F9 D8 3D 21 11 A0 AE"

The process citrio.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 92 2F 9D B9 C8 EA 71 0B B9 B0 68 70 68 EB 0F"

The process citrio.exe:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 0A 2D 72 22 F1 36 1C 52 C6 B3 89 FE F0 BF A1"

The process citrio.exe:2064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 CF FE EA 14 74 CD 2F 78 62 78 AA 21 43 79 50"

The process citrio.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 1A F5 FC 38 96 0F 21 E0 51 23 09 88 48 D0 15"

The process citrio.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 8F 24 7B 02 A0 8D 1A 5F 56 13 3E 04 F2 6D 25"

The process CatalinaCrashHandler.exe:788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF B3 19 BF 83 C5 27 8A 8E 88 6A F7 F6 C1 4C D9"

The process setup.exe:132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".avi" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".webp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".AAC" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\magnet\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio,"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"HideIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --hide-icons"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"NoRepair" = "1"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCR\.xht\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\48.0.2564.270\delegate_execute.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationName" = "Citrio"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mov" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".xhtml" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".xa" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"nntp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".flv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".torrent" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"https" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"Publisher" = "© Catalinagroup Ltd."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"lang" = "en"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".shtml" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"pv" = "48.0.2564.270"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"IconsVisible" = "1"
"ReinstallCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --make-default-browser"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"pv" = "48.0.2564.270"

[HKCU\Software\Classes\.xht]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".m4v" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".au" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".xht" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\citrio.exe]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application"

[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}]
"(Default)" = "CommandExecuteImpl Class"

[HKCU\Software\Classes\.html]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"bt" = "1"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\.htm\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerError" = "0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\InstallInfo]
"ShowIconsCommand" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe --show-icons"

[HKCR\.webp\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayVersion" = "48.0.2564.270"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"LastWasDefault" = "Type: REG_QWORD, Length: 8"
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\48.0.2564.270\Installer\setup.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mpg" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".nsv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"news" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".asf" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Citrio]
"AssociationsRegistry" = "1"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKCU\Software\Classes\Magnet\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"Version" = "48.0.2564.270"

[HKCU\Software\Classes\CLSID\{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}\LocalServer32]
"ServerExecutable" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\48.0.2564.270\delegate_execute.exe"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"tel" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerExtraCode1" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D C3 D1 85 E6 32 5B D2 6A E3 96 72 41 E3 83 25"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".wma" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".FLAC" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap" = "-stage:preconditions-full"
"InstallerSuccessLaunchCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".MP3" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".MP2" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"oopcrashes" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".pdf" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayName" = "Citrio"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".mp4" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\Magnet]
"URL Protocol" = ""

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}\Commands\on-os-upgrade]
"CommandLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\48.0.2564.270\Installer\setup.exe --on-os-upgrade --verbose-logging"

[HKCU\Software\Classes\.pdf]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"oopcrashes" = "1"

[HKLM\SOFTWARE\RegisteredApplications]
"Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = "Software\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".TTA" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities]
"ApplicationDescription" = "Citrio is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Citrio."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".3gp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".webm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".tac" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".dts" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".mkv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"NoModify" = "1"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"ftp" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\Startmenu]
"StartMenuInternet" = "Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".wmv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".mka" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"smsto" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ram" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKCU\Software\Classes\.shtml]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"mailto" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ogv" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"webcal" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"lang" = "en"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"magnet" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".3g2" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\.htm]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"UninstallArguments" = " --uninstall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\.xhtml\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Classes\Magnet\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\CatalinaGroup\Update\Clients\{0105EA02-802D-4B37-8161-4ED25C493266}]
"Name" = "Citrio App Launcher"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\48.0.2564.270\Installer\setup.exe --uninstall"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"sms" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
"mms" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe,0"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"InstallerResult" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".html" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Citrio Document"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\.shtml\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"urn" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCR\.html\OpenWithProgids]
"CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"VersionMajor" = "2564"
"VersionMinor" = "270"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".ra" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\.torrent]
"(Default)" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".a52" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".rm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".RV" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".htm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\Magnet\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"irc" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"bt" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\citrio.exe]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\URLAssociations]
"http" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".m2v" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio]
"InstallDate" = "20160422"

[HKCU\Software\CatalinaGroup\Update\Clients\{92F8A219-E740-49D5-B785-B962AD819724}]
"Name" = "Citrio"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".OGG" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ\Capabilities\FileAssociations]
".WAV" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"
".ogm" = "CitrioDOC.QQL2B5ZRL54V5ERAM5WD2OE6LQ"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Citrio.QQL2B5ZRL54V5ERAM5WD2OE6LQ]
"(Default)" = "Citrio"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application]
"citrio.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe:*:Enabled:Citrio"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap"
"FirstNotDefault"
"InstallerExtraCode1"

The process %original file name%.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 37 F1 92 69 1D 93 5E 32 71 7F BB 8F 1B FD 6F"

The process citrio_48.0.2564.270_1.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 41 FA DB 33 67 ED 13 0C A2 32 77 B7 A1 2B 86"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"ap" = "-full"

Dropped PE files

MD5 File path
7d0b6bb354a3f6b6691502c5bd503dc9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe
7d0b6bb354a3f6b6691502c5bd503dc9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe
1c6a131e0323a3d713b3f0f1a5f10d44 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe
6cc3b08da9fa41d390632639052fe1a8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe
b87ddf1ac52d90617514312ac5d00d84 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll
f0c84a277c8592b525a873a8ab4c01dc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll
656a00e97bae809b0eaddf58bcee7e18 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll
c5ea0de503e4ed1f152a3ff5e5fc9dbc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll
7864b7fc5bd7cc3f3fc66ad7ca590531 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll
6d5c333a5c1ec30a4ba7e746ba573d8e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll
665942ea4cce982dc8b6ae565b7ed9c1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll
a757dc0ae5b5785e0fb621c5dab4384c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll
32a09f1479b908c047d02a63a04a976b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll
fb296504678c1621ff23ffdcedfd8cac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll
9e69f21ab21d6f6b08b6fdf2edebdd11 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll
8bc4b42d2f5d9a43a2231238f68f68df c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll
175e9d591d1fe35ba99057c928bbcdfe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll
bd4070f2a82d186b0ce640cac32cef4b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll
0b7c562451dde20bbbcc525717a34c66 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll
5e3a22452b0e4dd95508905b61ae7ced c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll
d9b69a0efd534c155208bcb015809c06 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll
342e67d723afc84a4e1d9502dcfc2bf5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll
25696887c9607fd39d150298b8273c7a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll
d0ec1b6035a5ef0036c552a36a42603a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll
ab38adc0e4b51d4c21431668e8d91981 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll
c9eae0fc9f7bf6d3bcd993b79cc6c991 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll
7694f8d6f5283f5dc9cdfc6d0d183b04 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll
9de5b3a597581b10bf2460b8dd1df903 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll
a8615f74d25d020e9c7f3d1de648c0d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll
9d72401205110ff71170c7e9ca4c8790 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll
a175800550d164070134f430848bd257 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll
1bd96b5449e7f4e49599eecdfc4c0c6b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll
f009bc876b0d5c2896104c5497ca9747 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll
983708ab4bc45225d61c37ed110f25fc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll
be9feb87d36efe8fc7832fa2c2b29d11 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll
498a3247a2d4113117ac68dbeb626a73 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll
b2208bd9296e3ff89100743b64d65ec9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll
c9c73019d8a628e9058580975069878f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll
0db87ba47c50eefb5a19d8b637901839 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll
18d4678bca5f87e4e7bda4e78fd7520e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll
97ace99fe631f6c38e843c0218ccba22 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll
0913df5e9c19a049944455216d6c90af c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll
462c0d5d7cd340418a8dfbc1187f5946 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll
a3678075d56943c14d5bbc48d3758287 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll
ca4865cf13eb7258d13a45ea1f7ab5d8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll
8315343ac4fa8b98aa546906c5eb3c6a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll
8a594c5410f37e6beae7a3cbfb54479c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll
e24a2defa5c3cf20ae1da44755a44777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll
db52f5401a058170c8d41d4aba550ab2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll
4c3942d1ce30fb9d483b6bd534f764fe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll
679de67d4897f15b9273b2eccbfeac88 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll
b25247beeb2ab330af23bdf557057b5d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll
19a6eeaff2b6cea27949ecc5a59c5b03 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll
b516ee24868e6d6ced3c52025e524740 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll
8906d7cad6007e9eaa5718fb14fb4fd0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll
9900d06b8027222609d6f53e160dfe79 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll
28ce05e08253d40ca84ff3c156e8f151 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll
7d4383d6a1d8a63d9878184ebdc097b7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll
bd7575143d50b9b40fa56b90e4d26f7d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll
283ffa3ea779b4ecd75d525a14921daf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll
e412837bc5148eeddbc06ae0c9464bbb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll
156f6226a3c2fa34198aafc978c8f53f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll
ed9ae12a56cce0d9f905153d74971958 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll
7d0b6bb354a3f6b6691502c5bd503dc9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe
7d0b6bb354a3f6b6691502c5bd503dc9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe
7d0b6bb354a3f6b6691502c5bd503dc9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe
1c6a131e0323a3d713b3f0f1a5f10d44 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe
6cc3b08da9fa41d390632639052fe1a8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe
b87ddf1ac52d90617514312ac5d00d84 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdate.dll
f0c84a277c8592b525a873a8ab4c01dc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll
656a00e97bae809b0eaddf58bcee7e18 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll
c5ea0de503e4ed1f152a3ff5e5fc9dbc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll
7864b7fc5bd7cc3f3fc66ad7ca590531 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll
6d5c333a5c1ec30a4ba7e746ba573d8e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll
665942ea4cce982dc8b6ae565b7ed9c1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll
a757dc0ae5b5785e0fb621c5dab4384c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll
32a09f1479b908c047d02a63a04a976b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll
fb296504678c1621ff23ffdcedfd8cac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll
9e69f21ab21d6f6b08b6fdf2edebdd11 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll
8bc4b42d2f5d9a43a2231238f68f68df c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll
175e9d591d1fe35ba99057c928bbcdfe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll
bd4070f2a82d186b0ce640cac32cef4b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll
0b7c562451dde20bbbcc525717a34c66 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll
5e3a22452b0e4dd95508905b61ae7ced c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll
d9b69a0efd534c155208bcb015809c06 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll
342e67d723afc84a4e1d9502dcfc2bf5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll
25696887c9607fd39d150298b8273c7a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll
d0ec1b6035a5ef0036c552a36a42603a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll
ab38adc0e4b51d4c21431668e8d91981 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll
c9eae0fc9f7bf6d3bcd993b79cc6c991 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll
7694f8d6f5283f5dc9cdfc6d0d183b04 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll
9de5b3a597581b10bf2460b8dd1df903 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll
a8615f74d25d020e9c7f3d1de648c0d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll
9d72401205110ff71170c7e9ca4c8790 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll
a175800550d164070134f430848bd257 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll
1bd96b5449e7f4e49599eecdfc4c0c6b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll
f009bc876b0d5c2896104c5497ca9747 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll
983708ab4bc45225d61c37ed110f25fc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll
be9feb87d36efe8fc7832fa2c2b29d11 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll
498a3247a2d4113117ac68dbeb626a73 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll
b2208bd9296e3ff89100743b64d65ec9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll
c9c73019d8a628e9058580975069878f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll
0db87ba47c50eefb5a19d8b637901839 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll
18d4678bca5f87e4e7bda4e78fd7520e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll
97ace99fe631f6c38e843c0218ccba22 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll
0913df5e9c19a049944455216d6c90af c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll
462c0d5d7cd340418a8dfbc1187f5946 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll
a3678075d56943c14d5bbc48d3758287 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll
ca4865cf13eb7258d13a45ea1f7ab5d8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll
8315343ac4fa8b98aa546906c5eb3c6a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll
8a594c5410f37e6beae7a3cbfb54479c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll
e24a2defa5c3cf20ae1da44755a44777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll
db52f5401a058170c8d41d4aba550ab2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll
4c3942d1ce30fb9d483b6bd534f764fe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll
679de67d4897f15b9273b2eccbfeac88 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll
b25247beeb2ab330af23bdf557057b5d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll
19a6eeaff2b6cea27949ecc5a59c5b03 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll
b516ee24868e6d6ced3c52025e524740 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll
8906d7cad6007e9eaa5718fb14fb4fd0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll
9900d06b8027222609d6f53e160dfe79 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll
28ce05e08253d40ca84ff3c156e8f151 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll
7d4383d6a1d8a63d9878184ebdc097b7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll
bd7575143d50b9b40fa56b90e4d26f7d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll
283ffa3ea779b4ecd75d525a14921daf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll
e412837bc5148eeddbc06ae0c9464bbb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll
156f6226a3c2fa34198aafc978c8f53f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psmachine.dll
ed9ae12a56cce0d9f905153d74971958 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psuser.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Catalina Group Ltd.
Product Name: CatalinaGroup Update
Product Version: 1.3.25.223
Legal Copyright: Copyright 2013 Catalina Group Ltd.
Legal Trademarks:
Original Filename: CatalinaUpdateSetup.exe
Internal Name: CatalinaGroup Update Setup
File Version: 1.3.25.223
File Description: CatalinaGroup Update Setup
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 47535 47616 4.63635 2752a1441fa592610b94de20c1f02a58
.rdata 53248 10788 11264 3.70498 f8b087598f2912cfeac2e6c544d973d1
.data 65536 6460 3584 1.72368 8e425fbedc6927dfabb8fdfaaf8e8d97
.rsrc 73728 651528 651776 5.29872 8f31078265e68ca8bd2c7c465bdd0aab
.reloc 729088 5598 5632 2.64966 17957bd86fff892742280f82a0bf537a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://gs1.wpc.v2cdn.net/80A164/ch-cdn/download/citrio_48.0.2564.270_1.exe
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 13.107.4.50
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 13.107.4.50
hxxp://wpc.A164.taucdn.net/80A164/ch-cdn/download/citrio_48.0.2564.270_1.exe
catalinahub.net 95.211.171.218
wpc.a164.taucdn.net 93.184.221.133


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Length: 18
Content-Type: text/plain
Last-Modified: Thu, 28 Jan 2016 17:51:53 GMT
Accept-Ranges: bytes
ETag: "80823092f459d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: RU
X-MSEdge-Ref: Ref A: 555255EDE5EB43EF9710372C41C1094C Ref B: 0783A5C2F0384DA8C6A9618408859E22 Ref C: Fri Apr 22 02:15:02 2016 PST
Date: Fri, 22 Apr 2016 09:15:01 GMT
1401D159F4929680B9....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Length: 49661
Content-Type: application/octet-stream
Last-Modified: Thu, 28 Jan 2016 18:43:43 GMT
Accept-Ranges: bytes
ETag: "80d9e4cffb59d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: RU
X-MSEdge-Ref: Ref A: 21F5CECDC8D44B7C922E5BE835A3F154 Ref B: 06BD794EFD41FDE7615E08842E039B20 Ref C: Fri Apr 22 02:15:02 2016 PST
Date: Fri, 22 Apr 2016 09:15:02 GMT
MSCF............,...................I.......d.........<H.T .authroo
t.stl. ..-.8..CK...<Tk........./.........Z..e..P..D.&.BRTH...E..E.b
.["$qS)....-...[..}.o~g...q...Y...n...........aF\!.lI.4..0..ef.W.....C
`....Y..F.D5...Y.A....1.|..c.1...Nc.Y..x..D...NP[[email protected].....'.B.
......"(~3z-.@~..|}(.......g4.p.........h.n.dQz..t.V.......;.....Q...d
/../.pJ...6....E...A.@..]..T9..28..,..p...).....P:}.K...]=.7X.f..9..yB
.P....uP$$...Q.u..y..".=......7...........#.X..P.8....>U....v.[.$.e
...H.@~..........ea`.3...tLX...].-....<.........v.....M../..z6.t^..
...p....M...v(CP%F.......!eX..a...-..G.....S%..l.....Y..(.*.-....C.L0.
..G.....).rm8...(7.T{.Q...."...B`H.....3..9..-..Vv.5Q.e.W.../...RY.v.P
. .........l......8'.&z......3.;:...U4.."....yu... .."....d .e/7.;.XD*
tn%$.........];..fY.R...7.....o.=xh...]..4...\.:...v....t..9 .nO.i}.T.
./(uke..p.&.6.E#[email protected]...*.s....h......(/.s.%.3g...:*X.].7.IE....
E,.w.8......v...r4.qOh}~..E.5t...l...(*..2....`..F..".a:.t....9...W.kO
?5..=..HhYrI.Sf..[:...3..2..)DB...;......(...B.......U(...._F./#.k@...
.9c.Y..G'..]...p..;M_o..~.3?.}.1M.5.f5)._......t _.6...l..K....OsY.0..
....H...^..\$P;U....8..)...1........J...uE..#n.......h.......17.P=,P..
...}z.&..../..a.........p@.|KB..o.E..|..o.mr......m=.(v.:[email protected]
>4y....P........F...&... ....r$d..{B...)..A.`..x4E'~`V.."..(..(./G.
..@_Q`.....O...~`..~...x..KN~....Dko/A{..!...W..G,`)...*...#......q`..
H.........%m..G....5..4.....?.......F...{.%..2....l.L....."...Y.......
. ...].\........... D..Y...!1..*.....M?..G..A.|Ex......~...s.!.=..
<<< skipped >>>


HEAD /80A164/ch-cdn/download/citrio_48.0.2564.270_1.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: wpc.A164.taucdn.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=0, public
Content-Type: application/octet-stream;charset=UTF-8
Date: Fri, 22 Apr 2016 09:15:08 GMT
Etag: W/"59175824-1459869281000"
Expires: Fri, 22 Apr 2016 09:15:09 GMT
Last-Modified: Tue, 05 Apr 2016 15:14:41 GMT
Server: Apache-Coyote/1.1
X-Cache: HIT
Content-Length: 59175824
HTTP/1.1 200 OK..Accept-Ranges: bytes..Cache-Control: max-age=0, publi
c..Content-Type: application/octet-stream;charset=UTF-8..Date: Fri, 22
 Apr 2016 09:15:08 GMT..Etag: W/"59175824-1459869281000"..Expires: Fri
, 22 Apr 2016 09:15:09 GMT..Last-Modified: Tue, 05 Apr 2016 15:14:41 G
MT..Server: Apache-Coyote/1.1..X-Cache: HIT..Content-Length: 59175824.
.....


GET /80A164/ch-cdn/download/citrio_48.0.2564.270_1.exe HTTP/1.1


Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: wpc.A164.taucdn.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=0, public
Content-Type: application/octet-stream;charset=UTF-8
Date: Fri, 22 Apr 2016 09:15:08 GMT
Etag: W/"59175824-1459869281000"
Expires: Fri, 22 Apr 2016 09:15:10 GMT
Last-Modified: Tue, 05 Apr 2016 15:14:41 GMT
Server: Apache-Coyote/1.1
X-Cache: HIT
Content-Length: 59175824
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........W...6...6..
.6..d.?..6...6...6...O...6...d/..6...6c..6...O*..6..Rich.6............
..............PE..L....<.V.................&..........:#.......@...
[email protected]..................................
......P..P....`....................... ..........8....................
........................P...............................text...'%.....
..&.................. ..`.data........@[email protected]
a.......P.......*..............@[email protected]........`.......0.............
.@[email protected]....... [email protected].........................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................<.V........m...
 ... ........<.V....................{.9.2.F.8.A.2.1.9.-.E.7.4.0.-.4
.9.D.5.-.B.7.8.5.-.B.9.6.2.A.D.8.1.9.7.2.4.}.....{.E.9.F.2.4.A.7.C.-.1
.3.C.A.-.4.2.F.B.-.A.4.D.9.-.7.9.C.3.C.9.D.2.1.B.2.8.}.....{.D.E.2.8.A
.2.E.A.-.7.7.F.A.-.4.F.2.B.-.8.2.5.2.-.C.3.B.5.8.4.4.F.6.4.5.5.}.....{
.F.0.B.5.0.D.5.A.-.4.B.B.A.-.4.5.1.4.-.A.D.2.C.-.E.B.A.5.0.C.2.9.C.4.6
.0.}.......@.-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.h.r.o.m.e.....-.-.c.h.r
.o.m.e.-.f.r.a.m.e.....-.-.m.u.l.t.i.-.i.n.s.t.a.l.l...-.-.s.y.s.t
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

CatalinaCrashHandler.exe_788:

.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
CatalinaUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--This Id value indicates the application supports Windows 8 functionality-->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--This Id value indicates the application supports Windows 8.1 functionality-->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--This Id value indicates the application supports Windows 10.0 functionality-->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
###7777_{
###____777
###````87{
2 2$2(2,20242~2
4 4$4(4,4
?$?(?,?4?
> >@>\>`>
? ?@?\?`?
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe
KERNEL32.DLL
mscoree.dll
goopdate.dll
CatalinaUpdate.exe
Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}
1.3.25.223
2007-2010
2007-2010

citrio.exe_1520:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe

citrio.exe_516:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe

citrio.exe_516_rwx_06E0A000_000F5000:

webk
=.DOU
=.DOUu
=WWW.

citrio.exe_2736:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe

citrio.exe_2764:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe

citrio.exe_2736_rwx_06E0A000_000F5000:

XVWSSShH

citrio.exe_2624:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe

citrio.exe_2764_rwx_07A0A000_000F5000:

Ph%xi
Phß
j.hYv
webk
=.DOU
=.DOUu
=.ha"
=.ha"u

citrio.exe_2764_rwx_0860A000_000F5000:

.facu
Ph%dX
webv
=.FAC
=.FACu
Ph%Un
=HTTP

citrio.exe_2624_rwx_0520A000_00038000:

Ph-%c

citrio.exe_2624_rwx_0680A000_000F5000:

PhÍ

citrio.exe_2876:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe

citrio.exe_4016:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe

citrio.exe_4016_rwx_06F0A000_000F5000:

WebK

citrio.exe_1300:

.text
`.rdata
@.data
.rsrc
@.reloc
SHA256 block transform for x86, CRYPTOGAMS by <[email protected]>
HtdHtHHHt.HH
j.Yf;
_tcPVj@
.PjRW
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\chrome_exe_main_win.cc
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
1.3.21.115
Chrome
0.0.0.0-devel
font_key_name
url-chunk
subresource_url
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\browser_watcher\watcher_client_win.cc
%s-%x
CHROME_MAIN_TICKS
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\module_util_win.cc
No valid Chrome version found
chrome-sxs
googlechrome
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\channel_info.cc
iexplore.exe
googlechromeframe
Cannot initialize AppCommands from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_commands.cc
Failed to open key "
Skipping over key "
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\language_selector.cc
Cannot initialize an AppCommand from an invalid key.
c:\jenkins\workspace\citrio-dev-clone\browser\src\chrome\installer\util\app_command.cc
kernel32.dll
c:\jenkins\workspace\citrio-dev-clone\browser\src\sandbox\win\src\sandbox_policy_base.cc
CreateNamedPipeW
NtCreateKey
NtOpenKey
NtOpenKeyEx
MetricsReportingEnabled
widevinecdmadapter.dll
CHROME_VERSION
CHROME_HEADLESS
CHROME_METRO_CONNECTED
CHROME_CRASHED
CHROME_RESTART
user_experience_metrics.reporting_enabled
CITRIO_BREAKPAD_PIPE_NAME
c:\jenkins\workspace\citrio-dev-clone\browser\src\components\crash\content\app\breakpad_win.cc
NTDLL.DLL
SHELL32.dll
ole32.dll
OLEAUT32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
%s-%Iu
(%d = %3.1f%%)
Histogram: %s recorded %d samples
(flags = 0x%x)
PlatformFile.UnknownErrors.Windows
user32.dll
.thunks
.syzygy
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
full-memory-crash-report
c:\jenkins\workspace\Citrio-Dev-Clone\browser\src\out\Release\initialexe\citrio.exe.pdb
citrio.exe
ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
SetCrashKeyValueImpl
SignalChromeElf
citrio_elf.dll
VERSION.dll
WINMM.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
CloseWindowStation
CreateWindowStationW
SetProcessWindowStation
USER32.dll
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
USERENV.dll
WTSAPI32.dll
GetCPInfo
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
zcÁ
444.44...4
4.4....4.
..44.44@4
4@444@4.
.4@4@@4.
}.GnO
 Ôjo
k.SZ[
j.oii
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="48.0.2564.270" version="48.0.2564.270" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
00J0
4O4
>">'>,>9>
=&=/=6=>=!>
8!8)8/888
8 8$8(8,8
< <$<(<,<0<4<8<<<
4 4(40484
4 4$4(4,40444
7 7$7(7,7
5(545@5`5
citrio_watcher.dll
citrio.dll
citrio_child.dll
metro_driver.dll
{E9F24A7C-13CA-42FB-A4D9-79C3C9D21B28}
ChromeCanary
ChromeSSHTM
Chrome Canary HTML Document
{1BEAC3E3-B852-44F4-B468-8906C062422E}
BGoogle Chrome Canary
{3599E25E-6314-4BE9-AE14-E51877342426}
{675046A3-9F4F-4805-A81C-CBF753FE3428}
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio
-chrome
-chromeframe
WebAccessible
{92F8A219-E740-49D5-B785-B962AD819724}
{8BF2F61B-E8C2-4A67-85D0-D6A69F9FD948}
hXXp://VVV.citrio.com/goodbye.html?intl=$1&survey_id=%ls
%d.%d.%d
{DE28A2EA-77FA-4F2B-8252-C3B5844F6455}
DGoogle Chrome Frame
Chrome in a Frame.
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{F0B50D5A-4BBA-4514-AD2C-EBA50C29C460}
Google Chrome binaries
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
ntdll.dll
pipe\
Ckernel32.dll
kernelbase.dll
\Sessions\%d\AppContainerNamedObjects\%ls
ALPC Port
eKey
gdi32.dll
xntdll.dll
wow_helper.exe"
shell32.dll
Crash Reports
script.log
resources.pak
chrome
pepflashplayer.dll
version.json
NPSWF32.dll
${windows}
\\.\pipe\CatalinaGroupCrashServices\
\\.\pipe\CitrioCrashServices
error %u
chrome.exe
hunspecified-crash-key
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
x-x-x-xx-xxxxxx
Ndebug.log
\StringFileInfo\xx\%ls
Chrome_MessageWindow
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe
IDR_X006_CITRIO_CHROMESTORE
48.0.2564.270
citrio_exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    CatalinaUpdate.exe:1176
    CatalinaUpdate.exe:1076
    CatalinaUpdate.exe:1824
    CatalinaUpdate.exe:2000
    CatalinaUpdate.exe:1388
    CatalinaUpdate.exe:1484
    citrio.exe:1436
    citrio.exe:900
    citrio.exe:2980
    citrio.exe:1836
    citrio.exe:1716
    citrio.exe:2092
    citrio.exe:304
    citrio.exe:1152
    citrio.exe:1032
    citrio.exe:1452
    citrio.exe:1484
    citrio.exe:436
    citrio.exe:364
    citrio.exe:2064
    citrio.exe:252
    CatalinaCrashHandler.exe:788
    setup.exe:132
    %original file name%.exe:1108
    citrio_48.0.2564.270_1.exe:916

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (49 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_te.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ca.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ru.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_nl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fr.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psmachine.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_uk.dll (26 bytes)
    %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_th.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-TW.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_vi.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es-419.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdate.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fil.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ta.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_tr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ar.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sk.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_is.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_mr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sw.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_es.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hr.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ja.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_kn.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_en-GB.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\psuser.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_no.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ml.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateHelper.msi (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ur.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_am.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-BR.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bn.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sv.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_et.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_gu.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_da.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_fa.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ms.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_sl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hu.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_cs.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_iw.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lt.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ko.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_el.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_hi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_lv.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_zh-CN.dll (19 bytes)
    %WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_de.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_id.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateOnDemand.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_pt-PT.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_bg.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\npCatalinaUpdate3.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaUpdateBroker.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\CatalinaCrashHandler.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_ro.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.223\goopdateres_it.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install\{6314A6BB-F8EF-431B-8E6C-E0F22F781FA8}\citrio_48.0.2564.270_1.exe (449813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Download\{92F8A219-E740-49D5-B785-B962AD819724}\48.0.2564.270\citrio_48.0.2564.270_1.exe (449813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\icon.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\popup.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\style.css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\jquery-1.11.0.min.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\active.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\download-all-disable.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\theme.css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\id\messages.json (994 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\select-all.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\DECODED_MESSAGE_CATALOGS (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\static.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\disable.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\select-all-active.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\download-all.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\sprite.png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\locale.js (244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\en\messages.json (981 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\background.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\select-all-hover.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\manifest.json (557 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\_locales\th\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\DECODED_IMAGES (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\js.js (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\CRX_INSTALL\skin\icons\open-icon.png (15904 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ar\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ms\messages.json (548 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\DECODED_IMAGES (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\logo.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\16-old.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\manifest.json (595 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\16.png (497 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\DECODED_MESSAGE_CATALOGS (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\en\messages.json (514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon16.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\popup.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\fil\messages.json (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon128.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\js\locale.js (271 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\uk\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon.tw.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\ru\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\css\template.css (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon.fb.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\th\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\id\messages.json (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon35.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\background.js (261 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\_locales\pt_BR\messages.json (593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon48.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon64.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\js\popup.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\CRX_INSTALL\images\icon.gp.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\uk\messages.json (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\reg-logo.png (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\man.png (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osble700.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossce600.woff2 (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\pt_BR\messages.json (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\login\login.html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\dollar-green.png (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ms\messages.json (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossc600.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\angular-animate.min.js (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osce400.woff2 (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\recover\recoverOk.html (635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon16.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osl400.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\id\messages.json (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossl600.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\manifest.json (825 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\fil\messages.json (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\oslle300.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\header-dollar-icon.png (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\animation.css (640 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\registration\registrationOk.html (630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osbce700.woff2 (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\oslce300.woff2 (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\login\loginCtrl.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ar\messages.json (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon128.png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\icon32.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\background.js (339 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\DECODED_IMAGES (70 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\popup.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\recover\recover.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\registration\registrationCtrl.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\statistic\statisticCtrl.js (709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\style.css (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\angular.js (64174 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\ossle600.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\statistic.css (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osbc700.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\registration\registration.html (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osc400.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\angular-route.min.js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\oslc300.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osbl700.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\globalService.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\fonts.css (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\DECODED_MESSAGE_CATALOGS (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osll300.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\libs\jquery-2.1.4.min.js (6872 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\recover\recoverCtrl.js (873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\en\messages.json (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\app.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\app\statistic\statistic.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\ru\messages.json (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\_locales\th\messages.json (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\css\font\osle400.woff2 (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\CRX_INSTALL\images\close.png (64683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\debug.log (129 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000003.log (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\manifest.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\10.tmp (287042 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\uk\messages.json (536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_7YjEcZG5LWFE2yA (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544 (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\download_all.crx (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ru\messages.json (538 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data (3478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1C.tmp (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\13.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\index (368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\11.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\manifest.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon128.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\19.tmp (327 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_3 (2808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_2 (200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_1 (18792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\data_0 (53600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_hhft7kb30WbZELS (292 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\citrio_ext.crx (114298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_0L6kzSrLIHtUDZV (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\LOG (221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\D.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_8429\media_downloader.crx (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\18.tmp (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000001 (89 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\proxy.crx (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\First Run (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\th\messages.json (589 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies (1043 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage (299 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data (29629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\16.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\pt_BR\messages.json (487 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\000003.log (366 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\LOG (192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies (1043 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ms\messages.json (473 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Login Data-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cache\f_000002 (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage-journal (5545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_xmqsjnT2msxoNHR (286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_QpsafpCJEzphWcA (131 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\1B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\LOG (179 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\id\messages.json (451 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1A.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon16.png (420 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Visited Links (836 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\15.tmp (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_QccOEVX8Z1CTdLn (131 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor (5093 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Top Sites-journal (12948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_3034\10.tmp (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_vg9F8HkO8Hkm7Sp (286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\fil\messages.json (490 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_19.png (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\14.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History (21181 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\README (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_21420\share_page.crx (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Current Session (4849 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\etilqs_X39xQmJOdX9TZjg (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_16.png (478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons (4342 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\12.tmp (4998877 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Web Data-journal (13750 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\History-journal (12512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\LOG (179 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\en\messages.json (459 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\F.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\1D.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Favicons-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000003.log (9746 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\_locales\ar\messages.json (523 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\17.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Safe Browsing Cookies-journal (5308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\data_reduction_proxy_leveldb\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Network Action Predictor-journal (11985 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Cookies-journal (5308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension State\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\C.tmp (1478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Extension Rules\MANIFEST-000001 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\User Data\Default\Shortcuts-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ao.png (535 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ml.png (463 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mm.png (451 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ad.png (540 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ag.png (622 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\doT.min.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ck.png (630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cx.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bt.png (607 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\icon_128.png (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\background.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pf.png (476 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kn.png (662 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\am.png (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\io.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ee.png (380 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ht.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\om.png (446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ch.png (434 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bj.png (422 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bw.png (425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bv.png (485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dk.png (416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nu.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kr.png (658 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\aq.png (586 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pe.png (536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\ms\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lc.png (631 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dz.png (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ng.png (441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kg.png (525 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\speed.png (885 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\tmpl.js (667 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bh.png (529 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gt.png (549 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gu.png (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mx.png (526 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\th\messages.json (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mf.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ir.png (471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pl.png (316 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mp.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ms.png (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cz.png (492 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hn.png (432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\jm.png (711 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fi.png (405 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gy.png (686 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ki.png (679 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\co.png (387 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ke.png (631 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dm.png (668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lu.png (367 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\er.png (645 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\es.png (493 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kz.png (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gl.png (521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\at.png (363 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mq.png (604 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ly.png (383 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gq.png (536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mn.png (546 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cl.png (424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\ru\messages.json (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cy.png (456 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gw.png (465 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fj.png (575 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\et.png (566 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hk.png (611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\au.png (614 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gg.png (501 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\it.png (440 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cc.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\settings.png (871 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\je.png (632 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bl.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\model.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mu.png (416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ie.png (432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fo.png (462 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pg.png (629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bo.png (461 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gd.png (683 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ge.png (509 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cd.png (621 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bf.png (445 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\la.png (530 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bb.png (573 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bm.png (606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lb.png (491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mg.png (380 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pa.png (514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\close.png (552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\no.png (485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gm.png (398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mr.png (567 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\icon_mono_off.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ai.png (609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bd.png (577 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\jo.png (521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mk.png (690 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\spine.js (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\id\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\is.png (494 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\logging.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ae.png (446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gp.png (509 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\jquery.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\me.png (555 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ci.png (428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cu.png (513 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\dj.png (514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kw.png (476 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\ar\messages.json (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bg.png (352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ec.png (564 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\iq.png (475 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kh.png (535 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\eg.png (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\eh.png (536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\af.png (534 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nf.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hr.png (553 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\manifest.json (511 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\uk\messages.json (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\ic16_gear.png (402 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lt.png (395 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cr.png (364 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\az.png (472 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\de.png (391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nz.png (623 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\settings-act.png (883 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\in.png (431 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bz.png (615 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\base64.js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\profile_detail.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\br.png (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ls.png (639 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\fil\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gf.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\sandbox.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mw.png (485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cf.png (514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\spine.route.js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\an.png (477 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\mochi.js (363 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gs.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\list-img.png (603 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\id.png (333 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gh.png (453 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gi.png (516 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\icon_128.png (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\il.png (468 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ba.png (627 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\ic16_gear.png (402 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ar.png (439 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\as.png (661 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\na.png (717 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\km.png (561 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ph.png (516 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gr.png (433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\spine.local.js (619 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\new.js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cv.png (492 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\np.png (634 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nr.png (465 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gn.png (453 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mv.png (537 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mo.png (647 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\ui.js (5224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\im.png (543 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\aw.png (453 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hm.png (614 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\be.png (452 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\sandbox.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ca.png (570 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cn.png (469 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cm.png (502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\md.png (548 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\popup.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\list-img-ac.png (620 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\do.png (432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fk.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ax.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\by.png (441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\icon_mono_off.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mh.png (698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\cg.png (674 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\styles\mochi.css (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ni.png (431 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fr.png (446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nl.png (367 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\my.png (509 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lr.png (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\fm.png (565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mt.png (410 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\kp.png (480 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\pt_BR\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\al.png (535 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\agent.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ne.png (442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\hu.png (369 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ma.png (479 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\styles\style.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bn.png (654 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lk.png (586 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mz.png (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\li.png (462 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bs.png (494 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ky.png (600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\gb.png (707 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\icon_mono_on.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\image\icon_mono_on.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\ga.png (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\jp.png (471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pk.png (600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\nc.png (608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\sl_arrow.png (616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\popup.html (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\mc.png (333 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\bi.png (740 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\lv.png (367 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\image\flags\pm.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\scripts\profile_list.js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_32672\CRX_INSTALL\_locales\en\messages.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\search.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\button.logo.inactive.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\DECODED_MESSAGE_CATALOGS (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\logo.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\DTA.ui.js (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\DTA.popup.js (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\icon.close.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\lib\jquery.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\DECODED_IMAGES (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\DTA.interface.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\background.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\js\locale.js (684 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\css\template.css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_27275\CRX_INSTALL\images\button.logo.png (60000 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\QtCore4.dll (152471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\background_notification.js (694 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\python34.dll (164484 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_lzma.pyd (9496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\background.html (346 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\msvcp100.dll (27336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\DECODED_IMAGES (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\QtGui4.dll (541377 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\youtube-dl.exe (195990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\unicodedata.pyd (48768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\content_dv.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\dlnlib.dll (38624 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\msvcr100.dll (49672 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\pywintypes34.dll (7784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_socket.pyd (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\libeay32.dll (76989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\select.pyd (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_bz2.pyd (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\libtorrent.dll (129574 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\icon_empty.png (158 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\Include\pyconfig.h (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\ssleay32.dll (18768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\imageformats\qico4.dll (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_elementtree.pyd (9496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_ssl.pyd (66767 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\DECODED_MESSAGE_CATALOGS (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\zlib1.dll (5224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_hashlib.pyd (49912 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\background_dv.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\win32wnet.pyd (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\citrio_ext.dll (34392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\pyexpat.pyd (9496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\base_library.zip (206432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\_ctypes.pyd (6872 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\libcurl.dll (22840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\background_stats.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\scripts\content_stats.js (605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scoped_dir_1520_20544\CRX_INSTALL\binaries\win\win32api.pyd (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_watcher.dll (1661 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\48.0.2564.270.manifest (252 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\el.pak (1752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sr.pak (1681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\wow_helper.exe (70 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\et.pak (233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ca.pak (265 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Citrio.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\th.pak (1798 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\hu.pak (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sk.pak (274 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_elf.dll (117 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\mr.pak (1812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\delegate_execute.exe (3802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\pt-BR.pak (256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\48.0.2564.270\Installer\setup.exe (9098 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\secondarytile.png (4 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Citrio.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\chrome.VisualElementsManifest.xml (342 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\PepperFlash\pepflashplayer.dll (124061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\share_page.crx (65 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\nacl_irt_x86_64.nexe (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\libexif.dll (307 bytes)
    %Documents and Settings%\%current user%\Desktop\Facebook.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\media_downloader.crx (1670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\he.pak (306 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\es.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Application\citrio.exe (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\hi.pak (1820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\citrio.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\kn.pak (3680 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_child.dll (321430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\zh-TW.pak (219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\libglesv2.dll (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\nb.pak (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\icudtl.dat (75554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\lt.pak (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\gu.pak (1805 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\nl.pak (252 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fa.pak (1654 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\nacl64.exe (12289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\natives_blob.bin (1711 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\en-GB.pak (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\vi.pak (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\te.pak (1870 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\id.pak (234 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\am.pak (1647 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\hr.pak (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\pl.pak (261 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\bg.pak (1714 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fr.pak (284 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\resources.pak (150724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio.dll (259439 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\en-US.pak (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\cs.pak (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\bn.pak (1839 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\d3dcompiler_47.dll (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\de.pak (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\it.pak (257 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ms.pak (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\nacl_irt_x86_32.nexe (20507 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\da.pak (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\zh-CN.pak (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\tr.pak (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\download_all.crx (1766 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sw.pak (241 bytes)
    %Documents and Settings%\%current user%\Desktop\YouTube.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fi.pak (247 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\widevinecdmadapter.dll (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ml.pak (3743 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ar.pak (1641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\VisualElements\smalllogo.png (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\citrio_ext.crx (110258 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\uk.pak (1698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\PepperFlash\version.json (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\fil.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\metro_driver.dll (1796 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\VisualElements\logo.png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\proxy.crx (1676 bytes)
    %Documents and Settings%\%current user%\Desktop\Citrio.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\libegl.dll (78 bytes)
    %Documents and Settings%\%current user%\Desktop\Chrome Web Store.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sv.pak (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\citrio.7z (1358422 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\lv.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ko.pak (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ja.pak (318 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ta.pak (3691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\snapshot_blob.bin (1802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_100_percent.pak (6303 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ru.pak (1688 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_material_200_percent.pak (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_material_100_percent.pak (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\pt-PT.pak (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\es-419.pak (264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Extensions\external_extensions.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\citrio_200_percent.pak (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\sl.pak (250 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Citrio\Temp\source132_27533\Citrio-bin\48.0.2564.270\Locales\ro.pak (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\setup.exe (20838 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\SETUP.EX_ (1731 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CR_8A650.tmp\CITRIO.PACKED.7Z (443233 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now