Sample_75e7eceef8

by malwarelabrobot on January 9th, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 75e7eceef8e7ca5b32d0ad799f4d6c53
SHA1: f6b2425f39288e6cdac393eaf175ffa4a2c4f43e
SHA256: fe69f891db4b20023c66683213341cd9950b3d0eb9f5cbf93af4e2956e34caf0
SSDeep: 12288:SSxG0z63smyt888888888888W88888888888sYopWcV0v7cjyrCZgobNMtsYOrXh:ZxGd9Dsob tsYOJqvQcErEq ExAy
Size: 1060224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2013-10-13 11:19:32
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

75e7eceef8e7ca5b32d0ad799f4d6c53.tmp:3512
aff_setup.exe:3464
install.exe:1676
thirdpartyinstaller.exe:3516
TrustedInstaller.exe:3732
%original file name%.exe:4048
makecab.exe:2096
MyPC Backup.exe:3324
pm-standalone-setup.exe:2428
vcredist_x64.exe:2188
pm-standalone-setup.tmp:1716
CloudBackup3560.exe:3524
pc-mechanic.exe:2332

The Malware injects its code into the following process(es):

pc-mechanic.exe:3612

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 75e7eceef8e7ca5b32d0ad799f4d6c53.tmp:3512 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\backupmypc_logo.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\microsoft_partner.bmp (53 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (7428 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1QBJTKM0\pcmechanicpm-standalone-setup[1].exe (1872937 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\pm_logo.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-01-08 #001.txt (21109 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\backupmypc_check_mark.bmp (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\windows8_with_innovation.bmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\pm-standalone-setup.exe (574582 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MUZW4P0\aff_setup[1].exe (31295 bytes)

The process aff_setup.exe:3464 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff2.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff5.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff4.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsk6C2B.tmp (10479 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data2.dat (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\readme.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff3.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff1.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data3.dat (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CloudBackup3560.exe (18815 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data1.dat (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\nsisdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (327 bytes)

The process install.exe:1676 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI2EF3.txt (124006 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWLB07A.tmp (392 bytes)
C:\03475fae8081ee08cba41440\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI2EF3.txt (208131 bytes)

The process thirdpartyinstaller.exe:3516 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (266 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)

The process TrustedInstaller.exe:3732 makes changes in the file system.
The Malware creates and/or writes to the following file(s):


The process %original file name%.exe:4048 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-84CDS.tmp\75e7eceef8e7ca5b32d0ad799f4d6c53.tmp (50 bytes)

The process makecab.exe:2096 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Windows\Temp\cab_2096_3 (76 bytes)
C:\Windows\Temp\cab_2096_2 (564989 bytes)
C:\Windows\Logs\CBS\CbsPersist_20150108034217.cab (11744 bytes)
C:\Windows\Temp\cab_2096_6 (8 bytes)
C:\Windows\Temp\cab_2096_5 (76 bytes)
C:\Windows\Temp\cab_2096_4 (564989 bytes)

The process MyPC Backup.exe:3324 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\MyPC Backup\ObjectListView.dll (430 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (192 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db (3213 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (270 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8871.tmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (49 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8870.tmp (56 bytes)

The process pm-standalone-setup.exe:2428 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1G1BI.tmp\pm-standalone-setup.tmp (50 bytes)

The process vcredist_x64.exe:2188 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\03475fae8081ee08cba41440\install.res.1028.dll (1130 bytes)
C:\03475fae8081ee08cba41440\globdata.ini (1 bytes)
C:\03475fae8081ee08cba41440 (8 bytes)
C:\03475fae8081ee08cba41440\install.exe (13918 bytes)
C:\03475fae8081ee08cba41440\install.res.1041.dll (1126 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\03475fae8081ee08cba41440\vcredist.bmp (5 bytes)
C:\03475fae8081ee08cba41440\eula.3082.txt (12 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\03475fae8081ee08cba41440\eula.1031.txt (229 bytes)
C:\03475fae8081ee08cba41440\eula.1049.txt (13 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\03475fae8081ee08cba41440\eula.1036.txt (12 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\03475fae8081ee08cba41440\install.res.1033.dll (1452 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\03475fae8081ee08cba41440\install.res.2052.dll (1632 bytes)
C:\03475fae8081ee08cba41440\install.ini (844 bytes)
C:\03475fae8081ee08cba41440\install.res.1036.dll (1355 bytes)
C:\03475fae8081ee08cba41440\vc_red.msi (3176 bytes)
C:\03475fae8081ee08cba41440\eula.1033.txt (10 bytes)
C:\03475fae8081ee08cba41440\install.res.1042.dll (1988 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs (8 bytes)
C:\03475fae8081ee08cba41440\install.res.1031.dll (1160 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\03475fae8081ee08cba41440\$shtdwn$.req (788 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\03475fae8081ee08cba41440\install.res.1049.dll (1720 bytes)
C:\03475fae8081ee08cba41440\install.res.3082.dll (989 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\03475fae8081ee08cba41440\eula.1040.txt (657 bytes)
C:\03475fae8081ee08cba41440\eula.1042.txt (650 bytes)
C:\03475fae8081ee08cba41440\eula.1041.txt (5 bytes)
C:\03475fae8081ee08cba41440\eula.1028.txt (3 bytes)
C:\03475fae8081ee08cba41440\vc_red.cab (65618 bytes)
C:\03475fae8081ee08cba41440\eula.2052.txt (3 bytes)
C:\03475fae8081ee08cba41440\install.res.1040.dll (2110 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)

The process pm-standalone-setup.tmp:1716 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-TE4UF.tmp (112 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-7A1VJ.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-S1RVH.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (31262 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-MF0A4.tmp (58 bytes)
C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-P493A.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-DSJ1P.tmp (62 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\x86\is-3HORS.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\printer.bmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-K2M1J.tmp (524 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-HGIFJ.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-803BF.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-0F7QN.tmp (3361 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SRJ01.tmp (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-QPONS.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-SFOAL.tmp (64 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-TDDHI.tmp (63 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-S058F.tmp (18934 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-9PR4H.tmp (63 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-IJMC1.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe (49 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1TF14.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-VMHU7.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-ITEL3.tmp (64 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-CDMSC.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-I8R1F.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\InstallerExtensions.dll (715 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-R5OQ9.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-TGC5E.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-9GPUK.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\x86\is-IA3ER.tmp (2321 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-9CPSM.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-QQN0O.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-01-08 #002.txt (476000 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-AUVDV.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2PNKV.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-5J3B4.tmp (11 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-1QQ3S.tmp (28498 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-5MSI7.tmp (10 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-8JQ4R.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-CEGUH.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-31IFP.tmp (35285 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-IVS8T.tmp (197872 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-KPPPC.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-QQUP9.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-765ST.tmp (64 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0T8DQ.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-B59E3.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-VHUF3.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-13OAR.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-OBJ8B.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-6B6PF.tmp (107078 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\windows8_with_innovation.bmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-6U1HO.tmp (1281 bytes)

The process CloudBackup3560.exe:3524 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (2809 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (6442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7233.tmp (16365 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (330514 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (272028 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\NSISdl.dll (30 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)

The process pc-mechanic.exe:2332 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (2183 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (4275 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\x86\Trackerbird.py.clr4.dll (454 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)

The process pc-mechanic.exe:3612 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (19 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (5577 bytes)

Registry activity

The process 75e7eceef8e7ca5b32d0ad799f4d6c53.tmp:3512 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "DB 35 4E 89 16 19 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallerBuiltWithOffers" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "7C 01 C9 08 F5 2A D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "7C 01 C9 08 F5 2A D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process TrustedInstaller.exe:3732 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"CT" = "63 00 63 00 37 00 30 00 61 00 38 00 36 00 31 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PublisherPolicyChangeTime" = "Type: REG_QWORD, Length: 8"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 E0 FD 52 01 D3 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"S1H" = "E6 CA F0 F6 A2 0D C9 9F 62 27 42 55 D7 B2 1B 34"
"CT" = "66 00 65 00 30 00 66 00 61 00 63 00 34 00 65 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"CT" = "35 00 32 00 32 00 65 00 64 00 34 00 30 00 31 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcm90.dll" = "6D 00 73 00 76 00 63 00 6D 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2015/1/8:3:42:18.604 6.1.7601.17592 (win7sp1_gdr.110408-1631)"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"S1H" = "64 21 A7 13 7F 81 51 EC C9 C6 32 1F CB 89 4E ED"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"f!vcomp90.dll" = "76 00 63 00 6F 00 6D 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esp.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 50 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"CatalogThumbprint" = "a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7d˘ũ"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"S1H" = "CC E5 48 A1 81 09 83 7C D5 26 1A F8 35 AB 54 9D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esp.dll" = "4D 46 43 39 30 45 53 50 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"S1H" = "74 EA A7 88 4B 21 D7 1F 33 34 94 89 89 7C 0A F6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90ita.dll" = "4D 00 46 00 43 00 39 00 30 00 49 00 54 00 41 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90cht.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 54 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll" = "4D 46 43 39 30 45 53 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcp90.dll" = "6D 00 73 00 76 00 63 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"S1H" = "80 93 28 44 A9 44 70 27 55 3E C3 07 5D F5 63 DF"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Catalogs\4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS]
"StoreDirty" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"S1H" = "31 95 AA CA BF 6A 85 7B 8A 02 CC 29 B3 F8 BA 35"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 4D B5 52 01 AF 09 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"S256H" = "08 8C D1 14 A3 5A A0 03 0F 8A C8 09 40 2C 7C 22"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"CT" = "33 00 33 00 33 00 63 00 33 00 63 00 38 00 61 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll" = "4D 46 43 39 30 4A 50 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"S256H" = "8D C0 05 84 25 4A F1 6C 47 CA 9C 96 C9 44 75 51"

[HKLM\COMPONENTS]
"ExecutionState" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 0A 7F 52 01 6A 05 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"S256H" = "FE AE 5D B0 21 40 AA 1D 6C CD 8E EF 81 27 94 DF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"S256H" = "EB E1 76 88 C7 DC EA 0B F8 87 58 62 C8 C7 2A 58"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll" = "4D 46 43 39 30 52 55 53 2E 44 4C 4C"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll" = "4D 46 43 39 30 44 45 55 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcr90.dll" = "6D 00 73 00 76 00 63 00 72 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"S1H" = "9E 2C 9A 79 1D 8E C7 78 4A 73 08 8C 2E 1E AF C1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"S256H" = "0E DF 78 65 CB 6E 59 40 E6 8D 63 1A FE E7 83 B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\9.0]
"9.0.21022.8" = "01"

[HKLM\COMPONENTS\CanonicalData\Catalogs\cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"S1H" = "E3 17 DA F8 C4 AE B9 52 16 AF B2 EE 85 45 57 D7"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"CatalogThumbprint" = "0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bba"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90chs.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 53 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90u.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 75 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll" = "4D 46 43 39 30 43 48 54 2E 44 4C 4C"
"mfc90ita.dll" = "4D 46 43 39 30 49 54 41 2E 44 4C 4C"

The Malware deletes the following registry key(s):

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]

The Malware deletes the following value(s) in system registry:


The process MyPC Backup.exe:3324 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

The process pm-standalone-setup.tmp:1716 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Icon Group" = "Uniblue\PC Mechanic"

[HKCR\pc-mechanic]
"URL Protocol" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"NoModify" = "1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"EstimatedSize" = "61761"
"InstallDate" = "20150108"
"Comments" = "Uninstall PC Mechanic"
"MinorVersion" = "0"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"EcommercePlatform" = "cleverbridge"
"analytics" = "0"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)" = "pc-mechanic.exe,1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Deselected Tasks" = "allowtracking"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe /SILENT"
"DisplayVersion" = "1.0.2.1"
"URLUpdateInfo" = "http://uniblue.com/software/pcmechanicpm/updates/"
"UninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe"

[HKCR\pc-mechanic]
"(Default)" = "URL:PC-Mechanic Protocol"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MajorVersion" = "1"
"DisplayName" = "PC Mechanic"
"Publisher" = "Uniblue Systems Limited"
"HelpLink" = "http://www.uniblue.com/support/manuals/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallDate" = "2015-01-08"

[HKCR\pc-mechanic\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe --serial=%1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Setup Version" = "5.5.4 (u)"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl" = "http://www.uniblue.com/cm/pcproblem/pcmechanicpm/banner1-pcm/purchase/"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"URLInfoAbout" = "http://www.uniblue.com/support/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"lang" = "en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\PC-Mechanic"

The Malware deletes the following value(s) in system registry:

[HKCR\pc-mechanic]
"URL Protocol"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)"

[HKCR\pc-mechanic]
"(Default)"

[HKCR\pc-mechanic\shell\open\command]
"(Default)"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl"
"InstalledLocation"

The process CloudBackup3560.exe:3524 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsSCM.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayName" = "MyPC Backup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayVersion" = ""
"URLInfoAbout" = "http://www.mypcbackup.com"
"Publisher" = "JDi Backup Ltd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayIcon" = "%Program Files% (x86)\MyPC Backup\MyPC Backup.exe"
"UninstallString" = "%Program Files% (x86)\MyPC Backup\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup]
"(Default)" = "%Program Files% (x86)\MyPC Backup\BackupStack.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"HelpLink" = "http://support.mypcbackup.com"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process pc-mechanic.exe:2332 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

The process pc-mechanic.exe:3612 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Uniblue Systems Limited
Product Name: PC Mechanic
Product Version: 1.0.2.1
Legal Copyright: Copyright (c) Uniblue Systems Limited
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.2.1
File Description: PC Mechanic Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             61740         61952     4.43024  3a126e478661f20816f9d9285615f98e
.itext  69632            2884          3072      3.97317  ba48b9b17b3dd8b92da3bd93f20ddb34
.data   73728            3208          3584      1.55702  d7fd5f4b562d7961758f3d6a8c834fd0
.bss    77824            22196         0         0        d41d8cd98f00b204e9800998ecf8427e
.idata  102400           3536          3584      3.44625  93d91a2b90e60bd758fc0c4908856ae1
.tls    106496           8             0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata  110592           24            512       0.14174  3dffc444ccc131c9dcee18db49ee6403
.rsrc   114688           240000        240128    3.69357  4d6a8b52ee059948b5b52cd43360585a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
595f1fc6db9af2f5b74feffe71c7a123

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY Python-urllib/ Suspicious User Agent
SURICATA STREAM SHUTDOWN RST invalid ack
SURICATA STREAM Packet with invalid ack

Traffic

GET /mypcbackup.1.5.0.2.101.7z HTTP/1.0
Host: cdn.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 08 Jan 2015 03:42:29 GMT
Content-Type: application/octet-stream
Content-Length: 4072385
Connection: close
x-amz-id-2: xv68XKK59DIbGp7uvOVdviNkK3vpI0QxnyQA5YB RRSLiXOKc3fHEx9zTRNm3LNG
x-amz-request-id: A073BDC80FB47ED3
Last-Modified: Tue, 25 Nov 2014 19:49:29 GMT
ETag: "dea41132628ea08c816693a67102fd48"
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 126
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.standalone","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:20 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 125
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.standalone","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:21 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 127
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.standalone","client_id":"","event":"prod.pm.install_completed","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:26 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}


GET /aff_setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: cdn.backupgrid.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 08 Jan 2015 03:42:24 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
x-amz-id-2: zAXi DSLV7o0q7G0O6LT5VsZ6FfDWH fPLkpgEBC5TOLXzpJlID/s9mNkWmOgftC7Tw/5A/OjbY=
x-amz-request-id: 76B8C89732E23136
Last-Modified: Mon, 06 Oct 2014 10:15:06 GMT
ETag: W/"256f360db3c119ab9e1b6eb4c8f66680"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Encoding: gzip

<<< skipped >>>

POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 137
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.standalone","client_id":"","event":"prod.pm.third_party_offer_not_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:41 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 117
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.standalone","client_id":"","event":"prod.pm.install","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:42 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}


GET /v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: api.uniblue.net
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Thu, 08 Jan 2015 03:46:58 GMT
Location: hXXp://uniblue.com/api/v1/geo/country-code
Server: nginx/1.1.19
Content-Length: 161
Connection: Close
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx/1.1.19</c
enter>..</body>..</html>....


POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 128
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.mypcbackup_offer_included","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:45:49 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 126
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.third_party_offer_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:01 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.third_party_offer_accepted","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:06 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 138
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.install_standalone_download_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:07 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}....



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 138
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.mypcbackup_offer_download_initiated","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:28 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}


HEAD /aff_setup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: cdn.backupgrid.net


HTTP/1.1 200 OK
Date: Thu, 08 Jan 2015 03:41:45 GMT
Content-Type: application/octet-stream
Content-Length: 263224
Connection: keep-alive
x-amz-id-2: zAXi DSLV7o0q7G0O6LT5VsZ6FfDWH fPLkpgEBC5TOLXzpJlID/s9mNkWmOgftC7Tw/5A/OjbY=
x-amz-request-id: 76B8C89732E23136
Last-Modified: Mon, 06 Oct 2014 10:15:06 GMT
ETag: "256f360db3c119ab9e1b6eb4c8f66680"
Server: NetDNA-cache/2.2
X-Cache: HIT


GET /pm/version.txt?from=1.0.2.1 HTTP/1.1
Accept-Encoding: identity
Host: update.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 302 Found
Cache-Control: max-age=600
Content-Type: text/plain
Date: Thu, 08 Jan 2015 03:42:28 GMT
Location: hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt
Server: openresty/1.5.8.1
Content-Length: 69
Connection: Close
hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt.
.


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=407199, public, no-transform, must-revalidate
Last-Modified: Mon, 5 Jan 2015 20:49:30 GMT
Expires: Mon, 12 Jan 2015 20:49:30 GMT
Date: Thu, 08 Jan 2015 03:46:49 GMT
Connection: keep-alive

<<< skipped >>>

POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7

{"recipient": "uniblue.pm-1_0_2_1.web", "event": "prod.pm.mypcbackup_offer_install_completed", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:47:05 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: Close
{.  "status": "OK".}..


GET /download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe HTTP/1.0
Host: download.microsoft.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.0 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 08 Aug 2008 21:48:10 GMT
Accept-Ranges: bytes
ETag: "df115773a0f9c81:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Content-Length: 4961800
Date: Thu, 08 Jan 2015 03:42:32 GMT
Connection: close

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=566539, public, no-transform, must-revalidate
Last-Modified: Wed, 7 Jan 2015 17:04:40 GMT
Expires: Wed, 14 Jan 2015 17:04:40 GMT
Date: Thu, 08 Jan 2015 03:46:44 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=587704, public, no-transform, must-revalidate
Last-Modified: Wed, 7 Jan 2015 22:59:52 GMT
Expires: Wed, 14 Jan 2015 22:59:52 GMT
Date: Thu, 08 Jan 2015 03:46:44 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=399558, public, no-transform, must-revalidate
Last-Modified: Mon, 5 Jan 2015 18:44:32 GMT
Expires: Mon, 12 Jan 2015 18:44:32 GMT
Date: Thu, 08 Jan 2015 03:46:49 GMT
Connection: keep-alive

<<< skipped >>>

GET /9bf5853a/D0wnloads-PC-Mechanic/MyPCBackup_Setup.exe HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Jan 2015 03:42:29 GMT
Server: Apache
Set-Cookie: SESSID=evdff14lhv6kkoqqdemn8jgmh0; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Sun, 18-Jan-2015 03:42:29 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Sun, 18-Jan-2015 03:42:29 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Sun, 18-Jan-2015 03:42:29 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Sun, 18-Jan-2015 03:42:29 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: 748a7624422584634822bd3a2bf604ae=f41c9a0257fe7f671281deefc350233e; expires=Fri, 08-May-2015 03:42:29 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: intc=1; expires=Fri, 09-Jan-2015 03:42:29 GMT; path=/; domain=.mypcbackup.com
P3P: CP="We do not have a P3P policy"
location: hXXp://cdn.mypcbackup.com/MyPCBackup_Setup.exe
Set-Cookie: aff_id=67333; expires=Sun, 08-Feb-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_name=MaxiDisk1; expires=Sun, 08-Feb-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_id=97175; expires=Sun, 08-Feb-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hash=c7c76b5ca2c97345b3596296b1ac249c; expires=Sun, 08-Feb-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: tid=D0wnloads-PC-Mechanic; expires=Sun, 08-Feb-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: 9bf5853aunique=true; expires=Wed, 08-Apr-2015 03:42:29 GMT; path=/; domain=mypcbackup.com
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Set-Cookie: MPBWWW=3891563201.1.1048124816.134350368; path=/

<<< skipped >>>

POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 119
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:45:49 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 125
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.mypcbackup_offer_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:01 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 118
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:06 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 140
Host: tracking.uniblue.com


HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:17 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}


GET /product/pm/1.0.2.1/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: d21bsqatndqkg8.cloudfront.net


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 18766128
Connection: keep-alive
Date: Wed, 17 Dec 2014 12:11:51 GMT
Cache-Control: max-age=86400, public
Last-Modified: Wed, 17 Dec 2014 11:52:02 GMT
ETag: "e6def9d9a02c5a0e8e66739e5ae6634b"
Accept-Ranges: bytes
Server: AmazonS3
Age: 58640
X-Cache: Hit from cloudfront
Via: 1.1 9869723f5e01c68981d50cd8c20c49a6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: XO9cRFrrE4YqxJLDJbUKyMsrp3PozIsIBk8bANUJkkV4qTO0JtH1hQ==

<<< skipped >>>

GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: VVV.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/plain
Date: Thu, 08 Jan 2015 03:42:30 GMT
Server: ngx_openresty
Content-Length: 3
Connection: Close
UA...


GET /product/pm/1.0.2.1/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: download.uniblue.com
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Thu, 08 Jan 2015 03:42:07 GMT
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.2.1/pcmechanicpm-standalone-setup.exe
Server: openresty/1.5.8.1
Content-Length: 166
Connection: keep-alive
<html>..
<head><title>302 Found</title></head>..
<body bgcolor="white">..
<center><h1>302 Found</h1></center>..
<hr><center>openresty/1.5.8.1</center>..
</body>..
</html>..


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=514541
Content-Type: application/ocsp-response
Date: Thu, 08 Jan 2015 03:42:37 GMT
Etag: "54add966-1d7"
Expires: Wed, 14 Jan 2015 15:42:37 GMT
Last-Modified: Thu, 08 Jan 2015 01:12:06 GMT
Server: ECS (frf/87DB)
X-Cache: HIT
Content-Length: 471



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=516507
Content-Type: application/ocsp-response
Date: Thu, 08 Jan 2015 03:42:37 GMT
Etag: "54ade11d-1d7"
Expires: Wed, 14 Jan 2015 15:42:37 GMT
Last-Modified: Thu, 08 Jan 2015 01:45:01 GMT
Server: ECS (frf/87CA)
X-Cache: HIT
Content-Length: 471

<<< skipped >>>

GET /aadebc4830c51c2794a960fe5a9e11df.php HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 08 Jan 2015 03:42:31 GMT
Server: Apache
Set-Cookie: SESSID=7f3du1a9qf3rk6k46h2c0207u0; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Sun, 18-Jan-2015 03:42:31 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Sun, 18-Jan-2015 03:42:31 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Sun, 18-Jan-2015 03:42:31 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Sun, 18-Jan-2015 03:42:31 GMT; path=/; domain=.mypcbackup.com
Content-Length: 8
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: MPBWWW=3891563201.1.1048124336.134350368; path=/
Complete..


GET /MyPCBackup_Setup.exe HTTP/1.0
Host: cdn.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 08 Jan 2015 03:42:26 GMT
Content-Type: application/octet-stream
Content-Length: 297672
Connection: close
x-amz-id-2: ITSfTeTXt7nuSaLoUJg24XmzZcO6StHVwLM5wJapi75duw8Sx8YDdBsZh0xfQyneSKJD7WgytLk=
x-amz-request-id: 3805B55A5D27E049
Last-Modified: Mon, 24 Nov 2014 22:28:10 GMT
ETag: "bcba8747ab53932f8613c006444078e9"
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

GET /latest_updates/application.txt HTTP/1.1
Accept-Encoding: identity
Host: pm.uniblue.com.s3.amazonaws.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 200 OK
x-amz-id-2: RGKfBD0XzgnT0fQVYqaSDzmb/fJlkdLVtPldpXlaJnO9b /2yMS6Nq0okfzAc2rMjmXFXnK kvs=
x-amz-request-id: F5B61CA438F9BC21
Date: Thu, 08 Jan 2015 03:42:30 GMT
Cache-Control: max-age=86400, public
Last-Modified: Mon, 22 Dec 2014 10:20:50 GMT
ETag: "19a766f0861dc1fcfa3a8689ea036e95"
Accept-Ranges: bytes
Content-Type: text/plain
Content-Length: 7
Server: AmazonS3
1.0.2.1..


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?f627832da9ecced4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 12 Sep 2014 18:47:05 GMT
If-None-Match: "805a83f2b9cecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
ETag: "805a83f2b9cecf1:0"
Cache-Control: max-age=604800
Date: Thu, 08 Jan 2015 03:42:36 GMT
Connection: keep-alive


GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.5
VTag: 438410416000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Thu, 08 Jan 2015 03:43:04 GMT
Connection: keep-alive



GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.5
VTag: 4389615400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 08 Jan 2015 03:43:04 GMT
Connection: keep-alive



GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 438346843700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 08 Jan 2015 03:43:04 GMT
Connection: keep-alive

<<< skipped >>>

POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 128
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.standalone","client_id":"","event":"prod.pm.analytics_disabled","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:21 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}


GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: uniblue.com
Connection: close
User-Agent: Python-urllib/2.7


HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Thu, 08 Jan 2015 03:42:29 GMT
Location: hXXp://VVV.uniblue.com/api/v1/geo/country-code
Server: ngx_openresty
Content-Length: 178
Connection: Close
<html>..
<head><title>301 Moved Permanently</title></head>..
<body bgcolor="white">..
<center><h1>301 Moved Permanently</h1></center>..
<hr><center>nginx</center>..
</body>..
</html>..


POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7

{"recipient": "uniblue.pm-1_0_2_1.web", "event": "prod.pm.mypcbackup_offer_install_initiated", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:50 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: Close
{.  "status": "OK".}..


POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 128
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.mypcbackup_offer_accepted","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:36 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}



POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 139
Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_2_1.web","client_id":"","event":"prod.pm.third_party_offer_download_initiated","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 08 Jan 2015 03:46:57 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{.  "status": "OK".}


GET /install/win/1/live/net2 HTTP/1.0
Host: ep.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 302 Found
Date: Thu, 08 Jan 2015 03:42:33 GMT
Server: Apache
Set-Cookie: SESSID=8mk0gvsgrs7hl1p0lq6nni3t62; path=/; domain=.backupgrid.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://cdn.backupgrid.net/mypcbackup.1.5.0.2.101.7z
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BGWWW=3891563201.1.1048164160.134350400; path=/


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791163458000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 08 Jan 2015 03:46:48 GMT
Connection: keep-alive


The Malware connects to the servers at the following location(s):

pc-mechanic.exe_3612:

.text
`.rdata
@.data
.rsrc
tCPV
USER32.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
KERNEL32.dll
windows_exe
%s\%s
PYTHON27.DLL
zlib.pyd
ZLIB.PYD
<zlib.pyd>
Not enough space for new sys.path
no mem for late sys.path
PY2EXE_VERBOSE
PyImport_ImportModule
PyExc_ImportError
PyImport_AddModule
undefined symbol %s -> exit(-1)
Importer which can load extension modules from memory
s#sss:import_module
MemoryLoadLibrary failed loading %s
Could not find function %s
import_module
import_module(code, initfunc, dllname[, finder]) -> module
_memimporter
%Program Files% (x86)\Uniblue\PC-Mechanic\library.dat
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe
%Program Files% (x86)\Uniblue\PC-Mechanic
pc-mechanic.exe
library.dat
windows_exet
.logc
The logfile '%s' could not be opened:
See the logfile '%s' for details(
C:\jenkins\jobs\pm\workspace\apps\rc\env\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyR
C:\jenkins\jobs\pm\workspace\apps\rc\env\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyt
zipextimportert
<install zipextimporter>R$
library.dats
app.main(
joint
__import__t
bootstrap_main.pyR$
332222##
%%cxaax
`>>>>=>`
\4544545454545444
C.yLF
<asmv3:windowsSettings
xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.VC90.CRT' version='9.0.21022.8' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b' />
<!--Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
1.0.2.1

pc-mechanic.exe_3612_rwx_1E30A000_000F5000:

ò>Z
Vhò>


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    75e7eceef8e7ca5b32d0ad799f4d6c53.tmp:3512
    aff_setup.exe:3464
    install.exe:1676
    thirdpartyinstaller.exe:3516
    TrustedInstaller.exe:3732
    %original file name%.exe:4048
    makecab.exe:2096
    MyPC Backup.exe:3324
    pm-standalone-setup.exe:2428
    vcredist_x64.exe:2188
    pm-standalone-setup.tmp:1716
    CloudBackup3560.exe:3524
    pc-mechanic.exe:2332

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\backupmypc_logo.bmp (39 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\microsoft_partner.bmp (53 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe (98 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (7428 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\InstallerExtensions.dll (715 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1QBJTKM0\pcmechanicpm-standalone-setup[1].exe (1872937 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\printer.bmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\pm_logo.bmp (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\banner_icon.bmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\_isetup\_setup64.tmp (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\license.en.rtf (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-01-08 #001.txt (21109 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\backupmypc_check_mark.bmp (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\windows8_with_innovation.bmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-HK7HJ.tmp\pm-standalone-setup.exe (574582 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0MUZW4P0\aff_setup[1].exe (31295 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff2.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff5.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\nsJSON.dll (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff4.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsk6C2B.tmp (10479 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data2.dat (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\readme.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff3.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff1.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data3.dat (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\nsRandom.dll (808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CloudBackup3560.exe (18815 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data1.dat (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\LogEx.dll (1597 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6C4B.tmp\nsisdl.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (327 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI2EF3.txt (124006 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWLB07A.tmp (392 bytes)
    C:\03475fae8081ee08cba41440\install.res.1033.dll (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI2EF3.txt (208131 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)
    C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (19880 bytes)
    C:\Windows\winsxs\Temp\c633571cf52ad00118000000940e4402\c633571cf52ad00119000000940e4402_manifest (760 bytes)
    C:\Windows\System32\config\SOFTWARE (55923 bytes)
    C:\Windows\winsxs\Temp\c633571cf52ad00118000000940e4402\c633571cf52ad0011a000000940e4402_catalog (21 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\98cf0a1ef52ad0012f000000940e4402_manifest (13 bytes)
    C:\Windows\winsxs\Temp\0f9fcb1ef52ad0014c000000940e4402 (4 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db1a-917a-11e2-9ef7-000c29a8bd90}.TMContainer00000000000000000002.regtrans-ms (28680 bytes)
    C:\Windows\winsxs\Temp\f083aa1cf52ad0011e000000940e4402 (4 bytes)
    C:\Windows\winsxs\Temp\b3d2d81df52ad00128000000940e4402 (4 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\1955141ef52ad0013a000000940e4402_mfc90rus.dll (127 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\b9f3111ef52ad00136000000940e4402_mfc90fra.dll (670 bytes)
    C:\Windows\winsxs\Temp\0364121af52ad00102000000940e4402\0364121af52ad00103000000940e4402_manifest (859 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\59920f1ef52ad00134000000940e4402_mfc90deu.dll (670 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\59920f1ef52ad00133000000940e4402_mfc90esp.dll (130 bytes)
    C:\Windows\winsxs\Temp\29a2991ef52ad00145000000940e4402\89039c1ef52ad00147000000940e4402_vcomp90.dll (120 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\59920f1ef52ad00131000000940e4402_mfc90cht.dll (79 bytes)
    C:\Windows\winsxs\Temp\6a67641bf52ad0010f000000940e4402\cbc8661bf52ad00113000000940e4402_msvcm90.dll (1526 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\59920f1ef52ad00132000000940e4402_mfc90esn.dll (130 bytes)
    C:\Windows\winsxs\Temp\f083aa1cf52ad0011e000000940e4402\7109b41cf52ad00123000000940e4402_mfcm90u.dll (670 bytes)
    C:\Windows\winsxs\Temp\6a67641bf52ad0010f000000940e4402\cbc8661bf52ad00112000000940e4402_msvcp90.dll (7701 bytes)
    C:\Windows\Logs\CBS\CBS.log (85727 bytes)
    C:\Windows\winsxs\Temp\e54e781ef52ad0013f000000940e4402 (4 bytes)
    C:\Windows\winsxs\Temp\e3c0211bf52ad00109000000940e4402 (4 bytes)
    C:\Windows\winsxs\Temp\e54e781ef52ad0013f000000940e4402\e54e781ef52ad00140000000940e4402_manifest (766 bytes)
    C:\Windows\System32\config\SOFTWARE.LOG1 (59958 bytes)
    C:\Windows\winsxs\Temp\f083aa1cf52ad0011e000000940e4402\50e5ac1cf52ad00121000000940e4402_mfc90u.dll (38780 bytes)
    C:\Windows\winsxs\Temp\29a2991ef52ad00145000000940e4402\29a2991ef52ad00146000000940e4402_manifest (864 bytes)
    C:\Windows\winsxs\Temp\b3d2d81df52ad00128000000940e4402\b3d2d81df52ad0012a000000940e4402_catalog (21 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (78873 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\b9f3111ef52ad00138000000940e4402_mfc90jpn.dll (95 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\1955141ef52ad0013b000000940e4402_catalog (21 bytes)
    C:\Windows\winsxs\Temp\6a67641bf52ad0010f000000940e4402\6a67641bf52ad00111000000940e4402_msvcr90.dll (4811 bytes)
    C:\Windows\winsxs\Temp\0364121af52ad00102000000940e4402\0364121af52ad00104000000940e4402_atl90.dll (853 bytes)
    C:\Windows\winsxs\Temp\0364121af52ad00102000000940e4402\64c5141af52ad00105000000940e4402_catalog (21 bytes)
    C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (1640 bytes)
    C:\Windows\winsxs\Temp\e54e781ef52ad0013f000000940e4402\e54e781ef52ad00141000000940e4402_catalog (21 bytes)
    C:\Windows\System32\config\SYSTEM.LOG1 (5206 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\1955141ef52ad00139000000940e4402_mfc90kor.dll (95 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\98cf0a1ef52ad00130000000940e4402_mfc90chs.dll (78 bytes)
    C:\Windows\winsxs\Temp\6a67641bf52ad0010f000000940e4402\6a67641bf52ad00110000000940e4402_manifest (5 bytes)
    C:\Windows\winsxs\Temp\f083aa1cf52ad0011e000000940e4402\f083aa1cf52ad00120000000940e4402_mfcm90.dll (670 bytes)
    C:\Windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin (4409 bytes)
    C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (15248 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\b9f3111ef52ad00137000000940e4402_mfc90ita.dll (129 bytes)
    C:\Windows\winsxs\Temp\f083aa1cf52ad0011e000000940e4402\f083aa1cf52ad0011f000000940e4402_manifest (6 bytes)
    C:\Windows\winsxs\Temp\0f9fcb1ef52ad0014c000000940e4402\0f9fcb1ef52ad0014e000000940e4402_catalog (22 bytes)
    C:\Windows\winsxs\Temp\e3c0211bf52ad00109000000940e4402\e3c0211bf52ad0010a000000940e4402_manifest (760 bytes)
    C:\Windows\System32\config\COMPONENTS.LOG1 (195404 bytes)
    C:\Windows\winsxs\Temp\e3c0211bf52ad00109000000940e4402\4322241bf52ad0010b000000940e4402_catalog (21 bytes)
    C:\Windows\winsxs\Temp\6a67641bf52ad0010f000000940e4402\cbc8661bf52ad00114000000940e4402_catalog (21 bytes)
    C:\Windows\winsxs\Temp\b3d2d81df52ad00128000000940e4402\b3d2d81df52ad00129000000940e4402_manifest (760 bytes)
    C:\Windows\winsxs\Temp\f083aa1cf52ad0011e000000940e4402\11a8b11cf52ad00122000000940e4402_mfc90.dll (38780 bytes)
    C:\Windows\winsxs\Temp\98cf0a1ef52ad0012e000000940e4402\59920f1ef52ad00135000000940e4402_mfc90enu.dll (113 bytes)
    C:\Windows\winsxs\Temp\29a2991ef52ad00145000000940e4402\e9649e1ef52ad00148000000940e4402_catalog (22 bytes)
    C:\Windows\winsxs\Temp\f083aa1cf52ad0011e000000940e4402\7109b41cf52ad00124000000940e4402_catalog (21 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (8230 bytes)
    C:\Windows\winsxs\Temp\0f9fcb1ef52ad0014c000000940e4402\0f9fcb1ef52ad0014d000000940e4402_manifest (676 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-84CDS.tmp\75e7eceef8e7ca5b32d0ad799f4d6c53.tmp (50 bytes)
    C:\Windows\Temp\cab_2096_3 (76 bytes)
    C:\Windows\Temp\cab_2096_2 (564989 bytes)
    C:\Windows\Logs\CBS\CbsPersist_20150108034217.cab (11744 bytes)
    C:\Windows\Temp\cab_2096_6 (8 bytes)
    C:\Windows\Temp\cab_2096_5 (76 bytes)
    C:\Windows\Temp\cab_2096_4 (564989 bytes)
    %Program Files% (x86)\MyPC Backup\ObjectListView.dll (430 bytes)
    %Program Files% (x86)\MyPC Backup\MPCBClient.dll (192 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
    %Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db (3213 bytes)
    %Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
    %Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
    %Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
    %Program Files% (x86)\MyPC Backup\AlphaFS.dll (270 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8871.tmp (2784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
    %Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (49 bytes)
    %Program Files% (x86)\MyPC Backup\BackupStackUI.dll (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
    %Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (660 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
    %Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8870.tmp (56 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1G1BI.tmp\pm-standalone-setup.tmp (50 bytes)
    C:\03475fae8081ee08cba41440\install.res.1028.dll (1130 bytes)
    C:\03475fae8081ee08cba41440\globdata.ini (1 bytes)
    C:\03475fae8081ee08cba41440\install.exe (13918 bytes)
    C:\03475fae8081ee08cba41440\install.res.1041.dll (1126 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
    C:\03475fae8081ee08cba41440\vcredist.bmp (5 bytes)
    C:\03475fae8081ee08cba41440\eula.3082.txt (12 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
    C:\03475fae8081ee08cba41440\eula.1031.txt (229 bytes)
    C:\03475fae8081ee08cba41440\eula.1049.txt (13 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
    C:\03475fae8081ee08cba41440\eula.1036.txt (12 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
    C:\03475fae8081ee08cba41440\install.res.2052.dll (1632 bytes)
    C:\03475fae8081ee08cba41440\install.ini (844 bytes)
    C:\03475fae8081ee08cba41440\install.res.1036.dll (1355 bytes)
    C:\03475fae8081ee08cba41440\vc_red.msi (3176 bytes)
    C:\03475fae8081ee08cba41440\eula.1033.txt (10 bytes)
    C:\03475fae8081ee08cba41440\install.res.1042.dll (1988 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
    C:\03475fae8081ee08cba41440\install.res.1031.dll (1160 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
    C:\03475fae8081ee08cba41440\$shtdwn$.req (788 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
    C:\03475fae8081ee08cba41440\install.res.1049.dll (1720 bytes)
    C:\03475fae8081ee08cba41440\install.res.3082.dll (989 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
    C:\03475fae8081ee08cba41440\eula.1040.txt (657 bytes)
    C:\03475fae8081ee08cba41440\eula.1042.txt (650 bytes)
    C:\03475fae8081ee08cba41440\eula.1041.txt (5 bytes)
    C:\03475fae8081ee08cba41440\eula.1028.txt (3 bytes)
    C:\03475fae8081ee08cba41440\vc_red.cab (65618 bytes)
    C:\03475fae8081ee08cba41440\eula.2052.txt (3 bytes)
    C:\03475fae8081ee08cba41440\install.res.1040.dll (2110 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
    C:\03475fae8081ee08cba41440\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-TE4UF.tmp (112 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-7A1VJ.tmp (4 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-S1RVH.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (31262 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-MF0A4.tmp (58 bytes)
    C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-P493A.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-DSJ1P.tmp (62 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\x86\is-3HORS.tmp (2321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\printer.bmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-K2M1J.tmp (524 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-HGIFJ.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-803BF.tmp (4545 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-0F7QN.tmp (3361 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SRJ01.tmp (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-QPONS.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-SFOAL.tmp (64 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-TDDHI.tmp (63 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-S058F.tmp (18934 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-9PR4H.tmp (63 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-IJMC1.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe (49 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1TF14.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-VMHU7.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-ITEL3.tmp (64 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-CDMSC.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-I8R1F.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\InstallerExtensions.dll (715 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-R5OQ9.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-TGC5E.tmp (75544 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-9GPUK.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\x86\is-IA3ER.tmp (2321 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-9CPSM.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-QQN0O.tmp (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-01-08 #002.txt (476000 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-AUVDV.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2PNKV.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-5J3B4.tmp (11 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-1QQ3S.tmp (28498 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-5MSI7.tmp (10 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-8JQ4R.tmp (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\_isetup\_setup64.tmp (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\license.en.rtf (26 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-CEGUH.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-31IFP.tmp (35285 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-IVS8T.tmp (197872 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-KPPPC.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-QQUP9.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-765ST.tmp (64 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0T8DQ.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-B59E3.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-VHUF3.tmp (1 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-13OAR.tmp (1281 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-OBJ8B.tmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\is-6B6PF.tmp (107078 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-0S8OD.tmp\windows8_with_innovation.bmp (601 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-6U1HO.tmp (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\System.dll (23 bytes)
    %Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
    %Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
    %Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
    %Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
    %Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\AccessControl.dll (20 bytes)
    %Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\DotNetChecker.dll (1597 bytes)
    %Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
    %Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
    %Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
    %Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
    %Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsRandom.dll (808 bytes)
    %Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsis7z.dll (6536 bytes)
    %Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
    %Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
    %Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
    %Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
    %Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
    %Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\nsSCM.dll (13 bytes)
    %Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
    %Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
    %Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
    %Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7233.tmp (16365 bytes)
    %Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
    %Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
    %Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
    %Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
    %Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
    %Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
    %Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
    %Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
    %Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
    %Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
    %Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
    %Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
    %Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (330514 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (272028 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu7234.tmp\NSISdl.dll (30 bytes)
    %Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
    %Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
    %Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
    %Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (2183 bytes)
    C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (4275 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\x86\Trackerbird.py.clr4.dll (454 bytes)
    %Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
    C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
