PUA.RedSurf

Updated: January 31, 2019 11:11:15 AM
Type: Potentially Unwanted App
Infection Length: Varies
Name: RedSurf-client
Version: 2.2.6.0
Publisher: Redsurf.ru
Risk Impact: Medium
Systems Affected: Windows

Behavior

PUA.RedSurf is a potentially unwanted application that may be used for online advertising to generate revenue.

When the application is installed, it creates the following folders:

  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\cache2
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\datareporting
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\gmp
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\tmp
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\cache2\doomed
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\cache2\entries
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\safebrowsing
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\startupCache
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\update
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\browser
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\chrome.manifest

The application then creates the following files:

  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\cfg.ini
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\redsurf.exe
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\unins000.dat
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\unins000.exe
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\XulFx.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\XulFx.Windows.Forms.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\XulFx.xpi
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\cert8.db
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\key3.db
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\permissions.sqlite
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\places.sqlite
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\places.sqlite-shm
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\places.sqlite-wal
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\pluginreg.dat
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\secmod.db
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\times.json
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\datareporting\aborted-session-ping
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\datareporting\session-state.json
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\datareporting\state.json
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\profile_52\tmp\mozilla-temp-files
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\alt_red.png
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\no_connect.html
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\no_site.html
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\no_slot.html
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\no_wait.html
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\update\ICSharpCode.SharpZipLib.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\res\update\update.exe
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\Accessible.tlb
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\AccessibleMarshal.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-console-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-datetime-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-debug-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-errorhandling-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-file-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-file-l1-2-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-file-l2-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-handle-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-heap-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-interlocked-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-libraryloader-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-localization-l1-2-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-memory-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-namedpipe-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-processenvironment-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-processthreads-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-processthreads-l1-1-1.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-profile-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-rtlsupport-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-string-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-synch-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-synch-l1-2-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-sysinfo-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-timezone-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-core-util-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-conio-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-convert-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-environment-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-filesystem-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-heap-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-locale-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-math-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-multibyte-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-private-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-process-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-runtime-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-stdio-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-string-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-time-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\api-ms-win-crt-utility-l1-1-0.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\application.ini
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\breakpadinjector.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\crashreporter.ini
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\D3DCompiler_43.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\d3dcompiler_47.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\dependentlibs.list
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\firefox.VisualElementsManifest.xml
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\freebl3.chk
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\freebl3.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\gmp-clearkey
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\IA2Marshal.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\lgpllibs.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\libEGL.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\libGLESv2.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\mozavcodec.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\mozavutil.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\mozglue.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\msvcp140.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\nss3.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\nssckbi.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\nssdbm3.chk
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\nssdbm3.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\omni.ja
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\platform.ini
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\qipcap.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\removed-files
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\softokn3.chk
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\softokn3.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\ucrtbase.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\update-settings.ini
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\updater.ini
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\vcruntime140.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\xul.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\gmp-clearkey\0.1
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\gmp-clearkey\0.1\clearkey.dll
  • %AllUsersProfile%\test\AppData\Roaming\RedSurf-client\xulrunner_52\gmp-clearkey\0.1\clearkey.info

Next, the application creates the following registry subkeys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\1
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100\Shell
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\1
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100\Shell

The application then creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"Inno Setup: Setup Version" = "5.5.9 (a)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"Inno Setup: App Path" = "%AllUsersProfile%\test\AppData\Roaming\RedSurf-client"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"InstallLocation" = "%AllUsersProfile%\test\AppData\Roaming\RedSurf-client\"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"Inno Setup: Icon Group" = "RedSurf-client"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"Inno Setup: User" = "test"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"Inno Setup: Language" = "russian"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"DisplayName" = "RedSurf-client, версия 2.2.6"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"UninstallString" = ""%AllUsersProfile%\test\AppData\Roaming\RedSurf-client\unins000.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"QuietUninstallString" = ""%AllUsersProfile%\test\AppData\Roaming\RedSurf-client\unins000.exe" /SILENT"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"DisplayVersion" = "2.2.6"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"URLInfoAbout" = "http://redsurf.ru/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"HelpLink" = "http://redsurf.ru/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"URLUpdateInfo" = "http://redsurf.ru/"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"NoModify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"NoRepair" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"InstallDate" = "20190128"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"MajorVersion" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"MinorVersion" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"VersionMajor" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"VersionMinor" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1\"EstimatedSize" = "13017"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\%AllUsersProfile%\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RedSurf-client\"RedSurf-client.lnk" = "1"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RedSurf-client\"RedSurf-client.lnk" = "1"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\grfg\Qrfxgbc\"erqfhes_frghc_i.2.2.6.rkr" = "[HEXADECIMAL VALUE]"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Microsoft\Windows\CurrentVersion\Run\"redsurf" = "%AllUsersProfile%\test\AppData\Roaming\RedSurf-client\redsurf.exe -up"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Sysinternals\Process Monitor\"FilterDialog" = "[HEXADECIMAL VALUE]"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Sysinternals\Process Monitor\"FilterControlColumns" = "[HEXADECIMAL VALUE]"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\"1" = "[HEXADECIMAL VALUE]"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\1\"NodeSlot" = "64"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\1\"MRUListEx" = "FF FF FF FF"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100\Shell\"KnownFolderDerivedFolderType" = "{57807898-8C4F-4462-BB63-71042380B109}"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100\Shell\"SniffedFolderType" = "Generic"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\"1" = "[HEXADECIMAL VALUE]"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\1\"NodeSlot" = "64"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\1\"MRUListEx" = "FF FF FF FF"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100\Shell\"KnownFolderDerivedFolderType" = "{57807898-8C4F-4462-BB63-71042380B109}"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\100\Shell\"SniffedFolderType" = "Generic"

The application may be used for online advertising to generate revenue.
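The following read-only PowerShell check is an added example and is not part of the original write-up or of any vendor tooling. It looks for the indicators listed above that matter most to a defender: the Run value "redsurf" that relaunches redsurf.exe at logon, the Inno Setup uninstall key {FC018B2D-6FB2-4E65-9366-425E255435EC}_is1, the install folder with the named files, and a running redsurf process. Two assumptions are made that the page does not state: the sandbox path %AllUsersProfile%\test\AppData\Roaming is taken to be the installing user's roaming profile, so the real location is checked as $env:APPDATA\RedSurf-client, and the HKEY_USERS\<SID> hive on the page is checked as HKCU for the current user.

```powershell
# Added example (not from the original write-up): read-only check for the
# PUA.RedSurf indicators listed in the Behavior section. Nothing is deleted.
#
# Assumptions (not stated on the page):
#  - the sandbox path %AllUsersProfile%\test\AppData\Roaming corresponds to the
#    installing user's roaming profile, i.e. $env:APPDATA on a real host;
#  - the HKEY_USERS\<SID> entries are checked as HKCU for the current user.
#    Run once per interactive user, or enumerate loaded hives under HKU:\ instead.

$UninstallGuid = '{FC018B2D-6FB2-4E65-9366-425E255435EC}_is1'   # value from the write-up
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Logon persistence: Run value "redsurf" pointing at RedSurf-client\redsurf.exe -up
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = (Get-ItemProperty -Path $RunKey -Name 'redsurf' -ErrorAction SilentlyContinue).redsurf
if ($RunValue -and $RunValue -match 'RedSurf-client\\redsurf\.exe') {
    $Findings.Add("Run key persistence: $RunKey\redsurf = $RunValue")
}

# 2. Inno Setup uninstall key (native and WOW6432Node views, since the installer is 32-bit)
foreach ($Hive in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall')) {
    $Key = Join-Path $Hive $UninstallGuid
    if (Test-Path $Key) {
        $Props = Get-ItemProperty -Path $Key
        $Findings.Add("Uninstall key: $Key (DisplayName='$($Props.DisplayName)', InstallLocation='$($Props.InstallLocation)')")
    }
}

# 3. Install folder and a subset of the files the write-up names; hash them for triage
$InstallDir = Join-Path $env:APPDATA 'RedSurf-client'
if (Test-Path $InstallDir) {
    $Findings.Add("Install folder present: $InstallDir")
    foreach ($Rel in @('redsurf.exe', 'cfg.ini', 'XulFx.dll', 'XulFx.xpi',
                       'xulrunner_52\xul.dll', 'res\update\update.exe')) {
        $Path = Join-Path $InstallDir $Rel
        if (Test-Path $Path) {
            $Hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
            $Findings.Add("  file: $Rel  SHA256=$Hash")
        }
    }
}

# 4. A redsurf process currently running from that folder
Get-Process -Name 'redsurf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like "$InstallDir*" } |
    ForEach-Object { $Findings.Add("Running process: PID $($_.Id) $($_.Path)") }

if ($Findings.Count -eq 0) {
    Write-Output 'No PUA.RedSurf indicators found for the current user.'
} else {
    Write-Output 'PUA.RedSurf indicators found:'
    $Findings | ForEach-Object { Write-Output $_ }
}
```

The file hashes are collected so that a hit can be compared against the vendor's detection or submitted for analysis; the script deliberately does not remove anything, because the write-up shows the installer registered a regular Inno Setup uninstaller (unins000.exe), which is the cleaner removal path once the Run value has been confirmed.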
