Sample_83d775fee9
mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 83d775fee9f43007d4447ff8e6b93730
SHA1: f913312a01c4bd66458947b3e3e750b8c867191b
SHA256: f90846bf9537ad329a749405510e70de3be2e60a5bfaecc26c75f7bee3f63229
SSDeep: 24576:fxGNnZn10a1Kle9yg105BAcppONu 8qfH1tRJTJE2vIu9p5iWa//L:oXn10a1Kle9yg1052Ar5K1tLlxJQWa/j
Size: 1322080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2013-10-13 11:19:32
Analyzed on: Windows7Ada SP1 64-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
aff_setup.exe:2564
speedupmypc.exe:2040
install.exe:3720
thirdpartyinstaller.exe:992
83d775fee9f43007d4447ff8e6b93730.tmp:3352
sp-standalone-setup.exe:692
vcredist_x64.exe:472
sp-standalone-setup.tmp:3884
makecab.exe:3860
TrustedInstaller.exe:3336
CloudBackup1109.exe:3524
MyPC Backup.exe:3792
%original file name%.exe:3428
The Malware injects its code into the following process(es):
speedupmypc.exe:2668
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process aff_setup.exe:2564 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
The process speedupmypc.exe:2668 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\error.log (7631 bytes)
The process speedupmypc.exe:2040 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Windows\Tasks\SpeedUpMyPC Subscription.job (702 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\error.log (5975 bytes)
C:\Windows\Tasks\SpeedUpMyPC Maintenance.job (702 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\libcef.dll (10562 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\icudt.dll (2183 bytes)
C:\Windows\Tasks\SpeedUpMyPC Startup.job (684 bytes)
The process install.exe:3720 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWL9694.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI27D5.txt (207633 bytes)
C:\e37d6f8342539b7046ef2c01\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI27D5.txt (124006 bytes)
The process thirdpartyinstaller.exe:992 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (266 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\installer_mypcbackup.log (853 bytes)
The process 83d775fee9f43007d4447ff8e6b93730.tmp:3352 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
The process sp-standalone-setup.exe:692 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BR0S3.tmp\sp-standalone-setup.tmp (50 bytes)
The process vcredist_x64.exe:472 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
The process sp-standalone-setup.tmp:3884 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
The process makecab.exe:3860 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Windows\Logs\CBS\CbsPersist_20150216233605.cab (11744 bytes)
C:\Windows\Temp\cab_3860_6 (8 bytes)
C:\Windows\Temp\cab_3860_5 (76 bytes)
C:\Windows\Temp\cab_3860_4 (564989 bytes)
C:\Windows\Temp\cab_3860_3 (76 bytes)
C:\Windows\Temp\cab_3860_2 (564989 bytes)
The process TrustedInstaller.exe:3336 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
The process CloudBackup1109.exe:3524 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
The process MyPC Backup.exe:3792 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
The process %original file name%.exe:3428 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MLD0U.tmp\83d775fee9f43007d4447ff8e6b93730.tmp (50 bytes)
Registry activity
The process speedupmypc.exe:2668 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"IsRegistered" = "0"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
The process speedupmypc.exe:2040 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"IsRegistered" = "0"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
The process 83d775fee9f43007d4447ff8e6b93730.tmp:3352 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "B7 0A 6F 48 41 4A D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"InstallerBuiltWithOffers" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "B7 0A 6F 48 41 4A D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "B7 0A 6F 48 41 4A D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process sp-standalone-setup.tmp:3884 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"Inno Setup: Deselected Tasks" = ""
"Publisher" = "Uniblue Systems Limited"
"InstallDate" = "20150217"
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC"
"Comments" = "Uninstall SpeedUpMyPC"
"MajorVersion" = "6"
"Inno Setup: User" = "%CurrentUserName%"
"HelpLink" = "http://www.uniblue.com/support/manuals/"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"EcommercePlatform" = "cleverbridge"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"Inno Setup: Language" = "en"
"EstimatedSize" = "61445"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe"
"InstallDate" = "2015-02-17"
"lang" = "en"
"PurchaseUrl" = "http://www.uniblue.com/cm/general/speedupmypc/spunit/purchase/"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"UninstallString" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\"
"NoRepair" = "1"
[HKCR\speedupmypc]
"URL Protocol" = ""
"(Default)" = "URL:SpeedUpMyPC Protocol"
[HKCR\speedupmypc\DefaultIcon]
"(Default)" = "speedupmypc.exe,1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"DisplayName" = "SpeedUpMyPC"
"MinorVersion" = "0"
"URLUpdateInfo" = "http://uniblue.com/software/speedupmypc/updates/"
"Inno Setup: Setup Version" = "5.5.4 (u)"
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
[HKCR\speedupmypc\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe --serial=%1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"Inno Setup: Icon Group" = "Uniblue\SpeedUpMyPC"
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.exe /SILENT"
"URLInfoAbout" = "http://www.uniblue.com/support/"
"NoModify" = "1"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe"
"DisplayVersion" = "6.0.6.1"
The Malware deletes the following value(s) in the system registry:
[HKCR\speedupmypc]
"URL Protocol"
"(Default)"
[HKCR\speedupmypc\DefaultIcon]
"(Default)"
[HKCR\speedupmypc\shell\open\command]
"(Default)"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"PurchaseUrl"
"InstalledLocation"
The process TrustedInstaller.exe:3336 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90deu.dll" = "4D 00 46 00 43 00 39 00 30 00 44 00 45 00 55 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"(Default)" = "6"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"sf" = "2"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"sf" = "1"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcp90.dll" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"CatalogThumbprint" = "6dc1b9c301d48eb965f7f4cee06ac63e7207040bfa6101252e8cea08a0855d4eũ"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"S1H" = "4F C7 D7 36 AD BC B2 7C 10 86 7E 21 90 BD D1 34"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"CT" = "34 00 63 00 34 00 31 00 39 00 37 00 31 00 63 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"ClosureFlags" = "3"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"(Default)" = "6"
[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90.dll" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"S1H" = "DA 6E 20 D5 AE 2F 76 AF 71 19 31 70 48 42 36 52"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"sf" = "1"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll" = "4D 46 43 39 30 4B 4F 52 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"CT" = "61 00 38 00 30 00 39 00 35 00 65 00 66 00 65 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"sf" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"(Default)" = "6"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"CT" = "63 00 63 00 37 00 30 00 61 00 38 00 36 00 31 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"sf" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PublisherPolicyChangeTime" = "Type: REG_QWORD, Length: 8"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 E0 FD 52 01 D3 04 00 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"S1H" = "E6 CA F0 F6 A2 0D C9 9F 62 27 42 55 D7 B2 1B 34"
"CT" = "66 00 65 00 30 00 66 00 61 00 63 00 34 00 65 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"CT" = "35 00 32 00 32 00 65 00 64 00 34 00 30 00 31 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcm90.dll" = "6D 00 73 00 76 00 63 00 6D 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2015/2/16:23:36:7.179 6.1.7601.17592 (win7sp1_gdr.110408-1631)"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"S1H" = "64 21 A7 13 7F 81 51 EC C9 C6 32 1F CB 89 4E ED"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"f!vcomp90.dll" = "76 00 63 00 6F 00 6D 00 70 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"ClosureFlags" = "3"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esp.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 50 00"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"CatalogThumbprint" = "a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7d盚ũ"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"S1H" = "CC E5 48 A1 81 09 83 7C D5 26 1A F8 35 AB 54 9D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"(Default)" = "6"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esp.dll" = "4D 46 43 39 30 45 53 50 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"S1H" = "74 EA A7 88 4B 21 D7 1F 33 34 94 89 89 7C 0A F6"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90ita.dll" = "4D 00 46 00 43 00 39 00 30 00 49 00 54 00 41 00"
[HKLM\COMPONENTS\CanonicalData\Catalogs\95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"(Default)" = "6"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90cht.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 54 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll" = "4D 46 43 39 30 45 53 4E 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcp90.dll" = "6D 00 73 00 76 00 63 00 70 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"S1H" = "80 93 28 44 A9 44 70 27 55 3E C3 07 5D F5 63 DF"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll" = "Type: REG_BINARY, Length: 0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"sf" = "1"
[HKLM\COMPONENTS\CanonicalData\Catalogs\4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"(Default)" = "10"
[HKLM\COMPONENTS]
"StoreDirty" = "01"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"S1H" = "31 95 AA CA BF 6A 85 7B 8A 02 CC 29 B3 F8 BA 35"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 4D B5 52 01 AF 09 00 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"S256H" = "08 8C D1 14 A3 5A A0 03 0F 8A C8 09 40 2C 7C 22"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"CT" = "33 00 33 00 33 00 63 00 33 00 63 00 38 00 61 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"(Default)" = "10"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll" = "4D 46 43 39 30 4A 50 4E 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"S256H" = "8D C0 05 84 25 4A F1 6C 47 CA 9C 96 C9 44 75 51"
[HKLM\COMPONENTS]
"ExecutionState" = "2"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 0A 7F 52 01 6A 05 00 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"ClosureFlags" = "3"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"S256H" = "FE AE 5D B0 21 40 AA 1D 6C CD 8E EF 81 27 94 DF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"S256H" = "EB E1 76 88 C7 DC EA 0B F8 87 58 62 C8 C7 2A 58"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll" = "4D 46 43 39 30 52 55 53 2E 44 4C 4C"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll" = "4D 46 43 39 30 44 45 55 2E 44 4C 4C"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\9.0]
"9.0.30729.1" = "01"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcr90.dll" = "6D 00 73 00 76 00 63 00 72 00 39 00 30 00 2E 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"S1H" = "9E 2C 9A 79 1D 8E C7 78 4A 73 08 8C 2E 1E AF C1"
[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"S256H" = "0E DF 78 65 CB 6E 59 40 E6 8D 63 1A FE E7 83 B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\9.0]
"9.0.21022.8" = "01"
[HKLM\COMPONENTS\CanonicalData\Catalogs\cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"S1H" = "E3 17 DA F8 C4 AE B9 52 16 AF B2 EE 85 45 57 D7"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"sf" = "1"
[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"CatalogThumbprint" = "0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bba"
[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90chs.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 53 00"
[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90u.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 75 00 2E 00"
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll" = "4D 46 43 39 30 43 48 54 2E 44 4C 4C"
"mfc90ita.dll" = "4D 46 43 39 30 49 54 41 2E 44 4C 4C"
The Malware deletes the following registry key(s):
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
The Malware deletes the following value(s) in system registry:
The process CloudBackup1109.exe:3524 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp59B5.tmp\nsSCM.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayName" = "MyPC Backup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayVersion" = ""
"URLInfoAbout" = "http://www.mypcbackup.com"
"Publisher" = "JDi Backup Ltd"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayIcon" = "%Program Files% (x86)\MyPC Backup\MyPC Backup.exe"
"UninstallString" = "%Program Files% (x86)\MyPC Backup\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup]
"(Default)" = "%Program Files% (x86)\MyPC Backup\BackupStack.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"HelpLink" = "http://support.mypcbackup.com"
The Malware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process MyPC Backup.exe:3792 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"
Dropped PE files
| MD5 | File path |
|---|---|
| 96f6e497f8ce5bc21b9d3140965104aa | c:\Program Files (x86)\MyPC Backup\AlphaFS.dll |
| 5bfc53c0daee82e70ef02b9cf7ae3042 | c:\Program Files (x86)\MyPC Backup\AlphaVSS.51.x86.dll |
| ba1d420f7fa1b4eef8cc127bee74a023 | c:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x64.dll |
| 568754948b2aa5fcc41217fb28425cc5 | c:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x86.dll |
| a3ef02398e089dcd9708cbc4e427d0f7 | c:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x64.dll |
| 057cf7fd20135899d616714534d0b7a8 | c:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x86.dll |
| 3116e40a8b9709917e1dc1db4e068152 | c:\Program Files (x86)\MyPC Backup\AlphaVSS.Common.dll |
| a0a4dd8d711d55884c163a3784eac55e | c:\Program Files (x86)\MyPC Backup\BackupStack.exe |
| 3c3cb9d58660b527d47e7d46d292940c | c:\Program Files (x86)\MyPC Backup\BackupStackUI.dll |
| d15d57943417ca58884e643da0ce2464 | c:\Program Files (x86)\MyPC Backup\BplusDotNet.dll |
| f5b669bd36f27089b36323ccbf8ebcda | c:\Program Files (x86)\MyPC Backup\Configuration Updater.exe |
| 76928476bdcf7ea4dbe8589d85793315 | c:\Program Files (x86)\MyPC Backup\GetText.dll |
| c97cc489f20c67c3b2f36782ca139ce4 | c:\Program Files (x86)\MyPC Backup\InstMgr.dll |
| 6ded8fcbf5f1d9e422b327ca51625e24 | c:\Program Files (x86)\MyPC Backup\Ionic.Zip.dll |
| e5cc3997457cd365e43c19f0f9110148 | c:\Program Files (x86)\MyPC Backup\LinqBridge.dll |
| 9b2ac62a9aab3369b253411c14b92fcb | c:\Program Files (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll |
| e4da474b2f2415664a286c07022222a0 | c:\Program Files (x86)\MyPC Backup\MPCBClient.dll |
| dddf97700f9d4a951783b73d5971ce48 | c:\Program Files (x86)\MyPC Backup\MPCBContextMenu.dll |
| 24b83d9a02acf4b10c3fe0e9f7153eef | c:\Program Files (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll |
| 01623e484d03fe777a733f3f6f28d673 | c:\Program Files (x86)\MyPC Backup\MyPC Backup.exe |
| f89e670f3f9de99e80b4d39436a27d9e | c:\Program Files (x86)\MyPC Backup\NativeHashWrapper.dll |
| 16da92c91e58f6d8a22e493ae442edbf | c:\Program Files (x86)\MyPC Backup\Newtonsoft.Json.dll |
| 6e0e7abd35565d70986eedc71f1a7bb5 | c:\Program Files (x86)\MyPC Backup\ObjectListView.dll |
| 6605874ea071ad6904aa8f67e75c18a1 | c:\Program Files (x86)\MyPC Backup\PipeDiff.dll |
| 4bb211393828d585cb5396a273008d94 | c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe |
| 74a8c01b69adedd7f1330245cd994821 | c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe |
| bb830033c3e24a0b82caf23662918278 | c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe |
| a6a26e38b3596fa740f7039d98bd3a22 | c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe |
| 0d8aa68059d0103b04ef5afdf755f779 | c:\Program Files (x86)\MyPC Backup\Service Start.exe |
| 6f5ab2bf45a14dedcb642e804480c9c7 | c:\Program Files (x86)\MyPC Backup\Shared Stack.dll |
| 9d0cc110ab0605885d98ae08377f6f66 | c:\Program Files (x86)\MyPC Backup\Signup Wizard.exe |
| eeabc4815562083a50a666e2709c5998 | c:\Program Files (x86)\MyPC Backup\SignupWizard.dll |
| 0790e1d72901d1b98a9abfd43d1c592c | c:\Program Files (x86)\MyPC Backup\System.Data.SQLite.DLL |
| ba95c010731d3a1b20816242995e5a5a | c:\Program Files (x86)\MyPC Backup\UnRegisterExtensions.exe |
| da063ab4cd89efa829dbdce1fcb1cf70 | c:\Program Files (x86)\MyPC Backup\Updater.exe |
| 0cc8dad6c96bb0f2a833e0cb460d4191 | c:\Program Files (x86)\MyPC Backup\Updater_.dll |
| 53b9dfe8be74f29dc10d12df6b438f31 | c:\Program Files (x86)\MyPC Backup\uninst.exe |
| 1688cecb8af9cedde1b60163c98d1765 | c:\Program Files (x86)\MyPC Backup\websocket-sharp.dll |
| fd666249228fb1be3f9fc9399aa70d3a | c:\Program Files (x86)\MyPC Backup\x64\SQLite.Interop.dll |
| f25a493607f771a033a3afe8ac26a505 | c:\Program Files (x86)\MyPC Backup\x86\SQLite.Interop.dll |
| 0fe58867051066e90c39fe9cf2021b8b | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\InstallerExtensions.dll |
| 6de5c66e434a9c1729575763d891c6c2 | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\msvcp90.dll |
| e7d91d008fe76423962b91c43c88e4eb | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\msvcr90.dll |
| 5434e18b933e03f274d8da59fda4c676 | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\icudt.dll |
| 28888738b5521923a244fac763767db4 | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\libcef.dll |
| afb2e85409ab139ec384f799825d8844 | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe |
| f4f76946266cf9287ed858f4bf5cec43 | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\thirdpartyinstaller.exe |
| 3e03d408023fd7bff56c0a8e358b7647 | c:\Program Files (x86)\Uniblue\SpeedUpMyPC\unins000.exe |
| c2f4c7ca8d9f133afb21a2cc173a39e4 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UD5A27G\SpeedUpMyPC-standalone-setup[1].exe |
| 256f360db3c119ab9e1b6eb4c8f66680 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DZIHYEWG\aff_setup[1].exe |
| bcba8747ab53932f8613c006444078e9 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\CloudBackup1109.exe |
| 256f360db3c119ab9e1b6eb4c8f66680 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe |
| 0fe58867051066e90c39fe9cf2021b8b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-D4GQ0.tmp\InstallerExtensions.dll |
| 526426126ae5d326d0a24706c77d8c5c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-D4GQ0.tmp\_isetup\_setup64.tmp |
| 92dc6ef532fbb4a5c3201469a5b5eb63 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-D4GQ0.tmp\_isetup\_shfoldr.dll |
| c2f4c7ca8d9f133afb21a2cc173a39e4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-D4GQ0.tmp\sp-standalone-setup.exe |
| 62efa7b730eb0523a026ea4325403b77 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp59B5.tmp\nsSCM.dll |
| 40395c175553cb14d2050888efccdf00 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe |
| c101f49f8fbdc203757ebf954d83af12 | c:\Windows\Installer\$PatchCache$\Managed\EFEE0228DC83E77358593193D847A0EC\9.0.30729\FL_msdia71_dll_2_60035_amd64_ln.3643236F_FC70_11D3_A536_0090278A1BB8 |
| 45e475fa46d8f04a682eb5eed5476e08 | c:\Windows\winsxs\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818\ATL90.dll |
| 1e7ce519349ca4b49930ad843470a3f9 | c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcm90.dll |
| 1f914c93052445e6629c37b81d421f7b | c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcp90.dll |
| 425d035880430fbed64dd6205c77f5b2 | c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcr90.dll |
| e75de70a944462a9912c93e888b4106f | c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfc90.dll |
| 6962af1e97d8566e9c3496dc118fd3b7 | c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfc90u.dll |
| e6ffdd8f997366fd88a799743579d389 | c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfcm90.dll |
| f668d2f0c2377cc3b1459506a00b0f0b | c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfcm90u.dll |
| deebddd75a0ecb8afd463bd3b2d9131a | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90CHS.DLL |
| b0552cba0f603e1730762056add5eb9a | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90CHT.DLL |
| 2822498a5df669d223e6b093c00cb93a | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90DEU.DLL |
| 91e5d7df820fb0fe7ead68c32bead0da | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ENU.DLL |
| 85bdf40f2af1944f579a7a134bd08a34 | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ESN.DLL |
| 390ab412debb2be22fcaca5a59c9a3c2 | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ESP.DLL |
| 598dcb951afd9a3d3d2e1abf7603de60 | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90FRA.DLL |
| 9e87f90e281ea1f41669920b349189c5 | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ITA.DLL |
| 67695d68d782b48625a6c3ec08954216 | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90JPN.DLL |
| 91f1a8b875354dd5a1939e329af45656 | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90KOR.DLL |
| 32a4c8c6c2d09b98b14af92cd991a6d8 | c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90RUS.DLL |
| 63e472c8410a0e9ce25c35a0482bbbbf | c:\Windows\winsxs\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633\vcomp90.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Uniblue Systems Limited
Product Name: SpeedUpMyPC
Product Version: 6.0.6.1
Legal Copyright: Copyright (c) Uniblue Systems Limited
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.0.6.1
File Description: SpeedUpMyPC Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 61740 | 61952 | 4.43024 | 3a126e478661f20816f9d9285615f98e |
| .itext | 69632 | 2884 | 3072 | 3.97317 | ba48b9b17b3dd8b92da3bd93f20ddb34 |
| .data | 73728 | 3208 | 3584 | 1.55702 | d7fd5f4b562d7961758f3d6a8c834fd0 |
| .bss | 77824 | 22196 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 102400 | 3536 | 3584 | 3.44625 | 93d91a2b90e60bd758fc0c4908856ae1 |
| .tls | 106496 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 110592 | 24 | 512 | 0.14174 | 3dffc444ccc131c9dcee18db49ee6403 |
| .rsrc | 114688 | 468268 | 468480 | 3.06949 | 135238807b332a94f3aa20c01effc552 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 59
URLs
| URL | IP |
|---|---|
| hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/collect | |
| hxxp://backupgrid.jdibackup.netdna-cdn.com/aff_setup.exe | |
| hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe | |
| hxxp://d21bsqatndqkg8.cloudfront.net/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe | |
| hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/sp/version.txt?from=6.0.6.1 | |
| hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/track | |
| hxxp://api.uniblue.net/v1/geo/country-code | |
| hxxp://s3-2-w.amazonaws.com/latest_updates/application.txt | |
| hxxp://uniblue.com/api/v1/geo/country-code | |
| hxxp://uniblue-cdn-lb-eu-774953051.eu-west-1.elb.amazonaws.com/api/v1/geo/country-code | |
| hxxp://track.mypcbackup.com/9bf5853a/D0wnloads-SpeedUpMyPC/MyPCBackup_Setup.exe | |
| hxxp://mypcbackup.jdibackup.netdna-cdn.com/MyPCBackup_Setup.exe | |
| hxxp://track.mypcbackup.com/aadebc4830c51c2794a960fe5a9e11df.php | |
| hxxp://a767.dscms.akamai.net/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | |
| hxxp://ep.backupgrid.net/install/win/1/live/net2 | |
| hxxp://backupgrid.jdibackup.netdna-cdn.com/mypcbackup.1.5.0.2.101.7z | |
| hxxp://88.221.132.177/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?789040c0ed9fbd13 | |
| hxxp://88.221.132.177/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1844b46ffb4c5087 | |
| hxxp://cs9.wac.edgecastcdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg= | |
| hxxp://cs9.wac.edgecastcdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w= | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
| hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1844b46ffb4c5087 | |
| hxxp://cdn.mypcbackup.com/MyPCBackup_Setup.exe | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
| hxxp://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe | |
| hxxp://sump.uniblue.com.s3.amazonaws.com/latest_updates/application.txt | |
| hxxp://tracking.uniblue.com/v1/collect | |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?789040c0ed9fbd13 | |
| hxxp://cdn.backupgrid.net/mypcbackup.1.5.0.2.101.7z | |
| hxxp://www.uniblue.com/api/v1/geo/country-code | |
| hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | |
| hxxp://cdn.backupgrid.net/aff_setup.exe | |
| hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | |
| hxxp://tracking.uniblue.com/v1/track | |
| hxxp://update.uniblue.com/sp/version.txt?from=6.0.6.1 | |
| hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg= | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
| hxxp://download.uniblue.com/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
| hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w= | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3
ET POLICY Python-urllib/ Suspicious User Agent
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?789040c0ed9fbd13 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Mon, 16 Feb 2015 23:36:02 GMT
Connection: keep-alive
POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7
{"recipient": "uniblue.sp-6_0_6_1.web", "event": "prod.sp.mypcbackup_offer_install_initiated", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:42 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: Close
{ "status": "OK" }
GET /install/win/1/live/net2 HTTP/1.0
Host: ep.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 302 Found
Date: Mon, 16 Feb 2015 23:36:01 GMT
Server: Apache
Set-Cookie: SESSID=hr8stcl8stag0cj9im4e1v9vl7; path=/; domain=.backupgrid.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://cdn.backupgrid.net/mypcbackup.1.5.0.2.101.7z
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /sp/version.txt?from=6.0.6.1 HTTP/1.1
Accept-Encoding: identity
Host: update.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 302 Found
Cache-Control: max-age=600
Content-Type: text/plain
Date: Mon, 16 Feb 2015 23:35:57 GMT
Location: hXXp://sump.uniblue.com.s3.amazonaws.com/latest_updates/application.txt
Server: openresty/1.5.8.1
Content-Length: 71
Connection: Close
hXXp://sump.uniblue.com.s3.amazonaws.com/latest_updates/application.txt
GET /product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: download.uniblue.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Mon, 16 Feb 2015 23:35:41 GMT
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe
Server: openresty/1.5.8.1
Content-Length: 166
Connection: keep-alive
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>openresty/1.5.8.1</center>
</body>
</html>
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 128
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_accepted","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:27 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{ "status": "OK" }
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 139
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.third_party_offer_download_initiated","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:42 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{ "status": "OK" }
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 126
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.install_launched","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:38 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{ "status": "OK" }
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 127
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.install_completed","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:45 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{ "status": "OK" }
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.5
VTag: 279245755100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Mon, 16 Feb 2015 23:36:32 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.0
VTag: 279876544500000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Mon, 16 Feb 2015 23:36:32 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 43863145100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Mon, 16 Feb 2015 23:36:32 GMT
Connection: keep-alive
<<< skipped >>>
HEAD /aff_setup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: cdn.backupgrid.net
HTTP/1.1 200 OK
Date: Mon, 16 Feb 2015 23:35:13 GMT
Content-Type: application/octet-stream
Content-Length: 263224
Connection: keep-alive
x-amz-id-2: heKsvl3j4mQoHF4ROTaoLG9zfZTntPBgDQ3lKGCUILmF0U9R6aRyzP3DuqQTyyLRhcCJzPv0h9U=
x-amz-request-id: 627BB54DCFC00F79
Last-Modified: Mon, 06 Oct 2014 10:15:06 GMT
ETag: "256f360db3c119ab9e1b6eb4c8f66680"
Server: NetDNA-cache/2.2
X-Cache: HIT
GET /9bf5853a/D0wnloads-SpeedUpMyPC/MyPCBackup_Setup.exe HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 301 Moved Permanently
Date: Mon, 16 Feb 2015 23:35:58 GMT
Server: Apache
Set-Cookie: SESSID=hbmdo1f8d8g9lag05tm1s8h8d1; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Thu, 26-Feb-2015 23:35:58 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Thu, 26-Feb-2015 23:35:58 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Thu, 26-Feb-2015 23:35:58 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Thu, 26-Feb-2015 23:35:58 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: 748a7624422584634822bd3a2bf604ae=d93435a022fe9652ee58cf399e92bb68; expires=Tue, 16-Jun-2015 23:35:58 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: intc=1; expires=Tue, 17-Feb-2015 23:35:58 GMT; path=/; domain=.mypcbackup.com
P3P: CP="We do not have a P3P policy"
location: hXXp://cdn.mypcbackup.com/MyPCBackup_Setup.exe
Set-Cookie: aff_id=67333; expires=Tue, 17-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_name=MaxiDisk1; expires=Tue, 17-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_id=97175; expires=Tue, 17-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hash=732019e6c8160e73b5be19e616420cc2; expires=Tue, 17-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: tid=D0wnloads-SpeedUpMyPC; expires=Tue, 17-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: 9bf5853aunique=true; expires=Sun, 17-May-2015 23:35:58 GMT; path=/; domain=mypcbackup.com
Content-Length: 0
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?1844b46ffb4c5087 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 12 Sep 2014 18:47:05 GMT
If-None-Match: "805a83f2b9cecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT
Accept-Ranges: bytes
ETag: "803565fb436d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 57591
Date: Mon, 16 Feb 2015 23:36:04 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT
Accept-Ranges: bytes
ETag: "75565c7ac03ad01:0"
Server: Microsoft-IIS/8.0
VTag: 279610143200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 16 Feb 2015 23:40:25 GMT
Connection: keep-alive
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 137
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.third_party_offer_not_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:38 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 125
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.install_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:40 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=517931
Content-Type: application/ocsp-response
Date: Mon, 16 Feb 2015 23:36:05 GMT
Etag: "54e26b35-1d7"
Expires: Mon, 23 Feb 2015 11:36:05 GMT
Last-Modified: Mon, 16 Feb 2015 22:12:05 GMT
Server: ECS (frf/87DB)
X-Cache: HIT
Content-Length: 471
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=509045
Content-Type: application/ocsp-response
Date: Mon, 16 Feb 2015 23:36:05 GMT
Etag: "54e248b4-1d7"
Expires: Mon, 23 Feb 2015 11:36:05 GMT
Last-Modified: Mon, 16 Feb 2015 19:44:52 GMT
Server: ECS (frf/87CA)
X-Cache: HIT
Content-Length: 471
GET /download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe HTTP/1.0
Host: download.microsoft.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.0 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 08 Aug 2008 21:48:10 GMT
Accept-Ranges: bytes
ETag: "df115773a0f9c81:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Content-Length: 4961800
Date: Mon, 16 Feb 2015 23:36:00 GMT
Connection: close
GET /product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: d21bsqatndqkg8.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 18779256
Connection: keep-alive
Date: Tue, 27 Jan 2015 11:29:54 GMT
Cache-Control: max-age=86400, public
Last-Modified: Tue, 27 Jan 2015 10:36:06 GMT
ETag: "c2f4c7ca8d9f133afb21a2cc173a39e4"
Accept-Ranges: bytes
Server: AmazonS3
Age: 50619
X-Cache: Hit from cloudfront
Via: 1.1 0c9cedd17c3277ae84a1fe06de20f49c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 1juJwzsxfniZGj_3CqmR0ISD2L-saCCTCw345_EZ5RXsDiL7mE3zpA==
GET /aff_setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: cdn.backupgrid.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 16 Feb 2015 23:35:46 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
x-amz-id-2: heKsvl3j4mQoHF4ROTaoLG9zfZTntPBgDQ3lKGCUILmF0U9R6aRyzP3DuqQTyyLRhcCJzPv0h9U=
x-amz-request-id: 627BB54DCFC00F79
Last-Modified: Mon, 06 Oct 2014 10:15:06 GMT
ETag: W/"256f360db3c119ab9e1b6eb4c8f66680"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Encoding: gzip
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=393398, public, no-transform, must-revalidate
Last-Modified: Sat, 14 Feb 2015 12:53:05 GMT
Expires: Sat, 21 Feb 2015 12:53:05 GMT
Date: Mon, 16 Feb 2015 23:40:26 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=546752, public, no-transfo
GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Mon, 16 Feb 2015 23:35:57 GMT
Location: hXXp://VVV.uniblue.com/api/v1/geo/country-code
Server: ngx_openresty
Content-Length: 178
Connection: Close
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....
GET /aadebc4830c51c2794a960fe5a9e11df.php HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 16 Feb 2015 23:35:59 GMT
Server: Apache
Set-Cookie: SESSID=tqvpa9hme0k8nbcrim65p8voj2; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Thu, 26-Feb-2015 23:35:59 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Thu, 26-Feb-2015 23:35:59 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Thu, 26-Feb-2015 23:35:59 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Thu, 26-Feb-2015 23:35:59 GMT; path=/; domain=.mypcbackup.com
Content-Length: 8
Connection: close
Content-Type: text/html; charset=UTF-8
Complete..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 128
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_included","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:16 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 126
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.third_party_offer_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:28 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 118
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.install_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:34 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 138
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.install_standalone_download_started","buildtest_id":"","unit_id":""}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 138
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_download_initiated","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:49 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 119
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.install_launched","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:16 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 125
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:28 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.third_party_offer_accepted","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:34 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 140
Host: tracking.uniblue.com
{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.install_standalone_download_completed","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:39 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
GET /mypcbackup.1.5.0.2.101.7z HTTP/1.0
Host: cdn.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 16 Feb 2015 23:35:51 GMT
Content-Type: application/octet-stream
Content-Length: 4072385
Connection: close
x-amz-id-2: ugFz1chxWbuVkKFX9hRTMILY8Ptr7tw8agA3jDmuLq/hpgl2fLIqE0CKRkhl4VHuNxUeydi2/HI=
x-amz-request-id: C559ACF4D62CC0E9
Last-Modified: Tue, 25 Nov 2014 19:49:29 GMT
ETag: "dea41132628ea08c816693a67102fd48"
Server: NetDNA-cache/2.2
X-Cache: HIT
GET /MyPCBackup_Setup.exe HTTP/1.0
Host: cdn.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 16 Feb 2015 23:35:48 GMT
Content-Type: application/octet-stream
Content-Length: 297672
Connection: close
x-amz-id-2: ITSfTeTXt7nuSaLoUJg24XmzZcO6StHVwLM5wJapi75duw8Sx8YDdBsZh0xfQyneSKJD7WgytLk=
x-amz-request-id: 3805B55A5D27E049
Last-Modified: Mon, 24 Nov 2014 22:28:10 GMT
ETag: "bcba8747ab53932f8613c006444078e9"
Server: NetDNA-cache/2.2
X-Cache: HIT
POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7
{"recipient": "uniblue.sp-6_0_6_1.web", "event": "prod.sp.mypcbackup_offer_install_completed", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Mon, 16 Feb 2015 23:36:56 GMT
Server: ngx_openresty
Content-Length: 20
Connection: Close
{. "status": "OK".}
GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: VVV.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/plain
Date: Mon, 16 Feb 2015 23:35:57 GMT
Server: ngx_openresty
Content-Length: 3
Connection: Close
UA...
GET /v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: api.uniblue.net
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Mon, 16 Feb 2015 23:36:42 GMT
Location: hXXp://uniblue.com/api/v1/geo/country-code
Server: nginx/1.1.19
Content-Length: 161
Connection: Close
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx/1.1.19</center>..</body>..</html>....
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=491589, public, no-transform, must-revalidate
Last-Modified: Sun, 15 Feb 2015 16:13:12 GMT
Expires: Sun, 22 Feb 2015 16:13:12 GMT
Date: Mon, 16 Feb 2015 23:40:20 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=494955, public, no-transform, must-revalidate
Last-Modified: Sun, 15 Feb 2015 17:08:25 GMT
Expires: Sun, 22 Feb 2015 17:08:25 GMT
Date: Mon, 16 Feb 2015 23:40:20 GMT
Connection: keep-alive
GET /latest_updates/application.txt HTTP/1.1
Accept-Encoding: identity
Host: sump.uniblue.com.s3.amazonaws.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 200 OK
x-amz-id-2: VGObUcQ3KeTV7iTrCcEk7yMhy8tq1mzPE5CTYUfUA DMBi3QikmhL8d ODCwgFR1
x-amz-request-id: 22ABC17FB4DD8232
Date: Mon, 16 Feb 2015 23:35:58 GMT
Cache-Control: max-age=86400, public
Last-Modified: Mon, 02 Feb 2015 10:06:08 GMT
ETag: "ee43fe28aafb80da3828de4c55a54451"
Accept-Ranges: bytes
Content-Type: text/plain
Content-Length: 7
Server: AmazonS3
6.0.6.1..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=335830, public, no-transform, must-revalidate
Last-Modified: Fri, 13 Feb 2015 20:53:01 GMT
Expires: Fri, 20 Feb 2015 20:53:01 GMT
Date: Mon, 16 Feb 2015 23:40:25 GMT
Connection: keep-alive
The Malware connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
tCPV
USER32.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
KERNEL32.dll
windows_exe
%s\%s
PYTHON27.DLL
zlib.pyd
ZLIB.PYD
<zlib.pyd>
Not enough space for new sys.path
no mem for late sys.path
PY2EXE_VERBOSE
PyImport_ImportModule
PyExc_ImportError
PyImport_AddModule
undefined symbol %s -> exit(-1)
Importer which can load extension modules from memory
s#sss:import_module
MemoryLoadLibrary failed loading %s
Could not find function %s
import_module
import_module(code, initfunc, dllname[, finder]) -> module
_memimporter
%Program Files% (x86)\Uniblue\SpeedUpMyPC\library.dat
%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe
%Program Files% (x86)\Uniblue\SpeedUpMyPC
speedupmypc.exe
library.dat
windows_exet
.logc
The logfile '%s' could not be opened:
See the logfile '%s' for details(
C:\jenkins\jobs\sp\workspace\env\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyR
C:\jenkins\jobs\sp\workspace\env\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyt
zipextimportert
<install zipextimporter>R$
library.dats
app.main(
joint
__import__t
bootstrap_main.pyR$
<asmv3:windowsSettings
xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.VC90.CRT' version='9.0.21022.8' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b' />
<!--Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><!--Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>6.0.6.1
speedupmypc.exe_2668_rwx_2FC0A000_00060000:
Ph%Sq
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
aff_setup.exe:2564
speedupmypc.exe:2040
install.exe:3720
thirdpartyinstaller.exe:992
83d775fee9f43007d4447ff8e6b93730.tmp:3352
sp-standalone-setup.exe:692
vcredist_x64.exe:472
sp-standalone-setup.tmp:3884
makecab.exe:3860
TrustedInstaller.exe:3336
CloudBackup1109.exe:3524
MyPC Backup.exe:3792
%original file name%.exe:3428
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.