Sample_f0834957b0

by malwarelabrobot on February 25th, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: f0834957b00846ac1ff5ca65e22e2f24
SHA1: 7092774f08e078f87de622d349592f321c5f2dff
SHA256: 0e789e649d6e3cab3343cef53bb881cccb05523085c4c8c38d07c22b7c06a613
SSDeep: 24576:mxGNnZn10a1Kle9yg105uAcppONu 8qfHktTfdC9XWai4a :rXn10a1Kle9yg105bAr5KIA5WaK
Size: 1322032 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2013-10-13 11:19:32
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

TPAutoConnSvc.exe:1776
aff_setup.exe:2016
speedupmypc.exe:3448
install.exe:3508
thirdpartyinstaller.exe:2284
TrustedInstaller.exe:408
sp-standalone-setup.exe:2044
sp-standalone-setup.tmp:2520
%original file name%.exe:2944
GoogleUpdate.exe:3776
GoogleUpdate.exe:3924
GoogleUpdate.exe:2324
GoogleUpdate.exe:3340
GoogleUpdate.exe:3572
GoogleUpdate.exe:4064
GoogleUpdate.exe:2064
makecab.exe:3068
CloudBackup9837.exe:108
vcredist_x64.exe:3552
taskeng.exe:2348
MyPC Backup.exe:1848
GoogleUpdateComRegisterShell64.exe:3692
GoogleUpdateComRegisterShell64.exe:1276
GoogleUpdateComRegisterShell64.exe:1452
f0834957b00846ac1ff5ca65e22e2f24.tmp:3640
GoogleUpdateSetup.exe:3772

The Malware injects its code into the following process(es):

speedupmypc.exe:3992

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process aff_setup.exe:2016 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\nsisdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff2.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff5.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data1.dat (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff4.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data2.dat (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\readme.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff3.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff1.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data3.dat (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse9CEB.tmp (10479 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CloudBackup9837.exe (18611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (327 bytes)

The process speedupmypc.exe:3448 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Windows\Tasks\SpeedUpMyPC Subscription.job (702 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\error.log (5943 bytes)
C:\Windows\Tasks\SpeedUpMyPC Maintenance.job (702 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\libcef.dll (10562 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\icudt.dll (2183 bytes)
C:\Windows\Tasks\SpeedUpMyPC Startup.job (684 bytes)

The process speedupmypc.exe:3992 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\error.log (7539 bytes)

The process install.exe:3508 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI4520.txt (122198 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWLB902.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI4520.txt (210781 bytes)

The process thirdpartyinstaller.exe:2284 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (266 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\installer_mypcbackup.log (853 bytes)

The process TrustedInstaller.exe:408 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (19520 bytes)
C:\Windows\winsxs\Temp\fe7f2076c04fd001450000009801dc0a\fe7f2076c04fd001470000009801dc0a_vcomp90.dll (120 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a (4 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001130000009801dc0a_msvcm90.dll (1526 bytes)
C:\Windows\System32\config\SOFTWARE (50992 bytes)
C:\Windows\winsxs\Temp\97fde475c04fd001280000009801dc0a (4 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db1a-917a-11e2-9ef7-000c29a8bd90}.TMContainer00000000000000000002.regtrans-ms (28680 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\53aac375c04fd001230000009801dc0a_mfcm90u.dll (670 bytes)
C:\Windows\winsxs\Temp\5cd60f76c04fd0013f0000009801dc0a (4 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a (4 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001330000009801dc0a_mfc90esp.dll (130 bytes)
C:\Windows\System32\config (1544 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001120000009801dc0a_msvcp90.dll (7701 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd0013b0000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001340000009801dc0a_mfc90deu.dll (670 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001320000009801dc0a_mfc90esn.dll (130 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001100000009801dc0a_manifest (5 bytes)
C:\Windows\winsxs\Temp\81103d76c04fd0014c0000009801dc0a\81103d76c04fd0014e0000009801dc0a_catalog (22 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\f348c175c04fd001210000009801dc0a_mfc90u.dll (38780 bytes)
C:\Windows\winsxs\Temp\519fb075c04fd001180000009801dc0a\519fb075c04fd001190000009801dc0a_manifest (760 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\53aac375c04fd001240000009801dc0a_catalog (21 bytes)
C:\Windows\System32\config\COMPONENTS (202636 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001370000009801dc0a_mfc90ita.dll (129 bytes)
C:\Windows\winsxs\Temp\519fb075c04fd001180000009801dc0a (4 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\5cd60f76c04fd0013f0000009801dc0a\5cd60f76c04fd001400000009801dc0a_manifest (766 bytes)
C:\Windows\Logs\CBS\CBS.log (87580 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001140000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\8cc68575c04fd001090000009801dc0a (4 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (51344 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001310000009801dc0a_mfc90cht.dll (79 bytes)
C:\Windows\winsxs\Temp\519fb075c04fd001180000009801dc0a\519fb075c04fd0011a0000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\97fde475c04fd001280000009801dc0a\97fde475c04fd0012a0000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\97fde475c04fd001280000009801dc0a\97fde475c04fd001290000009801dc0a_manifest (760 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd0012f0000009801dc0a_manifest (13 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (78601 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\5cd60f76c04fd0013f0000009801dc0a\5cd60f76c04fd001410000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\f348c175c04fd001200000009801dc0a_mfcm90.dll (670 bytes)
C:\Windows\winsxs\Temp\81103d76c04fd0014c0000009801dc0a\81103d76c04fd0014d0000009801dc0a_manifest (676 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001300000009801dc0a_mfc90chs.dll (78 bytes)
C:\Windows\winsxs\Temp\8cc68575c04fd001090000009801dc0a\8cc68575c04fd0010b0000009801dc0a_catalog (21 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (1640 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\f348c175c04fd001220000009801dc0a_mfc90.dll (38780 bytes)
C:\Windows\winsxs\Temp\a6c95375c04fd001020000009801dc0a\072b5675c04fd001050000009801dc0a_catalog (21 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (8790 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\93e7be75c04fd0011f0000009801dc0a_manifest (6 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a (4 bytes)
C:\Windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin (4409 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (15608 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001350000009801dc0a_mfc90enu.dll (113 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001360000009801dc0a_mfc90fra.dll (670 bytes)
C:\Windows\System32\config\SYSTEM (6690 bytes)
C:\Windows\System32\config\COMPONENTS.LOG1 (191164 bytes)
C:\Windows\winsxs\Temp\8cc68575c04fd001090000009801dc0a\8cc68575c04fd0010a0000009801dc0a_manifest (760 bytes)
C:\Windows\winsxs\Temp\a6c95375c04fd001020000009801dc0a (4 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001110000009801dc0a_msvcr90.dll (4811 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd0013a0000009801dc0a_mfc90rus.dll (127 bytes)
C:\Windows\winsxs\Temp\fe7f2076c04fd001450000009801dc0a\fe7f2076c04fd001460000009801dc0a_manifest (864 bytes)
C:\Windows\winsxs\Temp\fe7f2076c04fd001450000009801dc0a\fe7f2076c04fd001480000009801dc0a_catalog (22 bytes)
C:\Windows\winsxs\Temp\81103d76c04fd0014c0000009801dc0a (4 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001390000009801dc0a_mfc90kor.dll (95 bytes)
C:\Windows\winsxs\Temp\fe7f2076c04fd001450000009801dc0a (4 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (8230 bytes)
C:\Windows\winsxs\Temp\a6c95375c04fd001020000009801dc0a\072b5675c04fd001040000009801dc0a_atl90.dll (853 bytes)
C:\Windows\winsxs\Temp\a6c95375c04fd001020000009801dc0a\072b5675c04fd001030000009801dc0a_manifest (859 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001380000009801dc0a_mfc90jpn.dll (95 bytes)

The process sp-standalone-setup.exe:2044 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QKMEI.tmp\sp-standalone-setup.tmp (50 bytes)

The process sp-standalone-setup.tmp:2520 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-2CNU2.tmp (13 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-7VP56.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-98ML1.tmp (2105 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-DNRNQ.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\de\LC_MESSAGES\is-PVP1A.tmp (58 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\es\LC_MESSAGES\is-45FV2.tmp (60 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\fr\LC_MESSAGES\is-BVL58.tmp (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SpeedUpMyPC.lnk (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-F5EQA.tmp (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-R82NO.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\is-N9L1N.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-HSD82.tmp (1281 bytes)
C:\Users\Public\Desktop\SpeedUpMyPC.lnk (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-C7UCQ.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\is-6LJC3.tmp (3361 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-KKVOT.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-07D74.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-1HFBF.tmp (197872 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-5A7P3.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\printer.bmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe (291 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-E63OK.tmp (11 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-052F4.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-Q6TH3.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\is-744GK.tmp (524 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-E2I70.tmp (10 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\en\LC_MESSAGES\is-D9M5I.tmp (53 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locales\is-GHQB1.tmp (4 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-9U1A9.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\license.en.rtf (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-I0JU8.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-JAR7P.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\fi\LC_MESSAGES\is-MG1JN.tmp (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\ru\LC_MESSAGES\is-FJL3C.tmp (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-BSNOI.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-RJDBT.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\no\LC_MESSAGES\is-8RL8M.tmp (56 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\pt_BR\LC_MESSAGES\is-97D8E.tmp (58 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\da\LC_MESSAGES\is-JSA8A.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\notcertified.bmp (45 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-HRTP4.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\ja\LC_MESSAGES\is-USU79.tmp (62 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-J99TD.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\it\LC_MESSAGES\is-267G7.tmp (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\InstallerExtensions.dll (715 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.exe (49 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-BQTD6.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-2B3E6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp (4 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\sv\LC_MESSAGES\is-MCJNB.tmp (56 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\SpeedUpMyPC\SpeedUpMyPC.lnk (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-R23LK.tmp (112 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\nl\LC_MESSAGES\is-I3URQ.tmp (57 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-6CBIV.tmp (30490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-02-24 #002.txt (456415 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-BNB3O.tmp (42037 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-QPFHH.tmp (107054 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\SpeedUpMyPC\Uninstall SpeedUpMyPC.lnk (1 bytes)

The process %original file name%.exe:2944 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GG5JD.tmp\f0834957b00846ac1ff5ca65e22e2f24.tmp (50 bytes)

The process GoogleUpdate.exe:3776 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\Install\{B8883498-A8EA-481A-ADFD-598CCBB0653A}\GoogleUpdateSetup.exe (7721 bytes)
%Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.26.9\GoogleUpdateSetup.exe (6841 bytes)

The process GoogleUpdate.exe:3924 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_et.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_iw.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ro.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (12490 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_da.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_el.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_bn.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_mr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sr.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_te.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_cs.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psuser.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psmachine_64.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ko.dll (70 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_zh-CN.dll (64 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ms.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ar.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_th.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_vi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_tr.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_de.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe (105 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe (4210 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fi.dll (78 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_en.dll (40 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_lv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_pl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll (32380 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateWebPlugin.exe (105 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ta.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdate.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psuser_64.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psmachine.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_id.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_nl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_kn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sv.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_pt-PT.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_it.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_lt.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fa.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_is.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_no.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.25.11 (28 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ml.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_es-419.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateSetup.exe (20458 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sw.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (105 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_uk.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_hi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ca.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_es.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_pt-BR.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fil.dll (79 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdate.dll (49 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_zh-TW.dll (64 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_gu.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_bg.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ur.dll (78 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_am.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateHelper.msi (56 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_hr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ja.dll (71 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sk.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_hu.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ru.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_en.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_en-GB.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateComRegisterShell64.exe (1738 bytes)

The process makecab.exe:3068 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Windows\Logs\CBS\CbsPersist_20150223232840.cab (11744 bytes)
C:\Windows\Temp\cab_3068_6 (8 bytes)
C:\Windows\Temp\cab_3068_5 (76 bytes)
C:\Windows\Temp\cab_3068_4 (564989 bytes)
C:\Windows\Temp\cab_3068_3 (76 bytes)
C:\Windows\Temp\cab_3068_2 (564989 bytes)

The process CloudBackup9837.exe:108 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (2809 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (6442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EA.tmp (16365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (327593 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (276767 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)

The process vcredist_x64.exe:3552 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\6ab8995d4d9ae8d59ce668\eula.1042.txt (650 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.3082.txt (12 bytes)
C:\6ab8995d4d9ae8d59ce668\vc_red.msi (3176 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1042.dll (1988 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\6ab8995d4d9ae8d59ce668\globdata.ini (1 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1028.txt (3 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1028.dll (1130 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1041.dll (1126 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1031.dll (1160 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1049.dll (1720 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1036.dll (1355 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1040.dll (2110 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs (8 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.2052.txt (3 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.3082.dll (989 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1036.txt (12 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\6ab8995d4d9ae8d59ce668\install.ini (844 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1033.txt (10 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1031.txt (229 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\6ab8995d4d9ae8d59ce668\vcredist.bmp (5 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1033.dll (1452 bytes)
C:\6ab8995d4d9ae8d59ce668\$shtdwn$.req (788 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1040.txt (657 bytes)
C:\6ab8995d4d9ae8d59ce668\install.exe (13918 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.2052.dll (1632 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1049.txt (13 bytes)
C:\6ab8995d4d9ae8d59ce668\vc_red.cab (65618 bytes)
C:\6ab8995d4d9ae8d59ce668 (8 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1041.txt (5 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)

The process MyPC Backup.exe:1848 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB8F2.tmp (57 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (208 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (328 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (430 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB8F3.tmp (2784 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (49 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (270 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db (3213 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (57 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (61 bytes)

The process f0834957b00846ac1ff5ca65e22e2f24.tmp:3640 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\notcertified.bmp (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\microsoft_partner.bmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\aff_setup[1].exe (35858 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (9742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\sp_logo.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\backupmypc_check_mark.bmp (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-02-24 #001.txt (24403 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\backupmypc_logo.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\license.en.rtf (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\thirdpartyinstaller.exe (339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\sp-standalone-setup.exe (104952 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SpeedUpMyPC-standalone-setup[1].exe (1604115 bytes)

The process GoogleUpdateSetup.exe:3772 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateBroker.exe (52 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psuser.dll (165 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ru.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateWebPlugin.exe (52 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ms.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_te.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_pl.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_nl.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_et.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_bg.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_hi.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fr.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ja.dll (35 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ko.dll (34 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_de.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp (28 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sk.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ml.dll (41 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sw.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sr.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_kn.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_is.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_lt.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_en.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateComRegisterShell64.exe (115 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_lv.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psmachine.dll (165 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fa.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleCrashHandler.exe (232 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ur.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psuser_64.dll (188 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fi.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_th.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ar.dll (36 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_pt-PT.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psmachine_64.dll (188 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_am.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateHelper.msi (28 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_tr.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_uk.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_iw.dll (36 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_zh-CN.dll (32 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_es-419.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_cs.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_no.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sv.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_en-GB.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_es.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sl.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_vi.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_bn.dll (39 bytes)
%Program Files% (x86)\GUTBFA7.tmp (6 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fil.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ca.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_pt-BR.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateSetup.exe (6841 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_it.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdate.dll (2632 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_mr.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_zh-TW.dll (32 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdate.exe (217 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_hu.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateOnDemand.exe (52 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_gu.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_id.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ta.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_da.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_el.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_hr.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ro.dll (39 bytes)

Registry activity

The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,LetterÃ‚Â¶40,40,2086,2712, 5,2159,3556,LegalÃ‚Â¶40,40,2086,3474, 9,2100,2970,A4Ã‚Â¶39,39,2032,2890, 7,1842,2667,ExecutiveÃ‚Â¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)Ã‚Â¶40,40,2086,3220, 11,1480,2100,A5Ã‚Â¶39,39,1408,2020, 70,1050,1480,A6Ã‚Â¶39,39,975,1399, 13,1820,2570,B5 (JIS)Ã‚Â¶39,39,1747,2490, 264,1950,2700,16K 195x270Ã‚Â¶39,39,1882,2620, 263,1840,2600,16K 184x260Ã‚Â¶39,39,1761,2520, 257,1970,2730,16K 197x273Ã‚Â¶39,39,1896,2650, 43,1000,1480,Japanese PostcardÃ‚Â¶39,39,921,1399, 82,1480,2000,Double Japan Postcard RotatedÃ‚Â¶39,39,1408,1919, 20,1046,2413,Envelope #10Ã‚Â¶40,40,975,2331, 37,983,1905,Envelope MonarchÃ‚Â¶40,40,907,1823, 34,1760,2500,Envelope B5Ã‚Â¶39,39,1693,2420, 28,1620,2290,Envelope C5Ã‚Â¶39,39,1544,2209, 27,1100,2200,Envelope DLÃ‚Â¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]

The process speedupmypc.exe:3448 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"IsRegistered" = "0"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

The process speedupmypc.exe:3992 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"IsRegistered" = "0"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

The process TrustedInstaller.exe:408 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\COMPONENTS\CanonicalData\Catalogs\333c3c8a825eb46b5db7da4db82125807c7afa0591882445f186c767af2ac85e]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90u.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"S1H" = "14 AA 6E 76 31 91 54 C4 03 11 34 8A 36 B3 FF AB"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 0F 8E 52 01 4B 08 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"c!policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"MCP_c22d037d" = "00 00 00 00 5A 96 52 01 4B 08 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 2E 00 64 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 B9 C8 52 01 CE 04 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90kor.dll" = "4D 00 46 00 43 00 39 00 30 00 4B 00 4F 00 52 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 00 F9 52 01 E0 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
"atl90.dll" = "41 54 4C 39 30 2E 64 6C 6C"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"CatalogThumbprint" = "fe0fac4e315b16deed38f335d82d54236d1dddb87577f2cadc062421a1e828a3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"S256H" = "24 BE B9 75 C2 7B 1D 95 FD D4 FE 4E 13 54 0E 21"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 98 E5 52 01 68 13 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"S1H" = "38 09 81 95 0B 31 B2 00 22 13 37 FF CF FB FF 41"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"CT" = "36 00 64 00 63 00 31 00 62 00 39 00 63 00 33 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"S1H" = "FE 8C 92 2C 75 1D 5B CC FB 3B D3 CB 22 A9 B8 23"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 87 B0 52 01 C6 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"S1H" = "AE 6F 51 9A C7 46 73 82 69 39 92 25 65 46 09 57"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90chs.dll" = "4D 46 43 39 30 43 48 53 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfc90u.dll" = "6D 00 66 00 63 00 39 00 30 00 75 00 2E 00 64 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcm90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"S1H" = "76 C9 DC 05 BC 6B 6B 4C A3 FA EB 6F 47 42 95 CE"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\CanonicalData\Catalogs\6dc1b9c301d48eb965f7f4cee06ac63e7207040bfa6101252e8cea08a0855d4e]
"c!microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 A5 9E 52 01 3E 08 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"CatalogThumbprint" = "333c3c8a825eb46b5db7da4db82125807c7afa0591882445f186c767af2ac85eÃ¯Â¿â€¹ÃˆÅ "

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"S256H" = "26 93 44 15 5C 4C F6 E2 AE DE 35 F5 1F 79 11 C0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"CatalogThumbprint" = "cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322Ã¯Ë†Å’ÃˆÅ "

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 24 08 53 01 6C 05 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90enu.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 4E 00 55 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
"CatalogThumbprint" = "522ed40176b2323ddf1104a8cafa128db5f21bbac59aaf6b48e59ac154a036f7RÃˆÅ "

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 59 D2 52 01 3F 13 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 42 89 52 01 CD 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"S1H" = "E4 EC 8B 0B 75 55 36 62 51 1D 04 0E 86 AD 97 AC"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\CanonicalData\Catalogs\fe0fac4e315b16deed38f335d82d54236d1dddb87577f2cadc062421a1e828a3]
"c!policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90fra.dll" = "4D 00 46 00 43 00 39 00 30 00 46 00 52 00 41 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 87 CD 52 01 D2 04 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90rus.dll" = "4D 00 46 00 43 00 39 00 30 00 52 00 55 00 53 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7d]
"c!microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"MCP_c22d037d" = "00 00 00 00 90 0D 53 01 8F 04 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 1F 12 53 01 D6 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 74 84 52 01 CE 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"S1H" = "EF 36 D4 10 E0 A9 EA 70 90 91 65 79 2A 07 E7 18"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 E3 A6 52 01 D4 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
"vcomp90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)]
"UtilizedSpace_MCP_c22d037d" = "F7 22 52 01 00 00 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"c!microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"CT" = "64 00 32 00 63 00 61 00 38 00 66 00 33 00 35 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bba]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\CanonicalData\Catalogs\522ed40176b2323ddf1104a8cafa128db5f21bbac59aaf6b48e59ac154a036f7]
"c!policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"S1H" = "83 EB 34 D7 CE D2 B9 DC 71 DB B8 49 AA 21 EA 78"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"S256H" = "69 55 F7 F5 CC 99 69 B8 69 B9 90 86 6D B9 02 DA"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90fra.dll" = "4D 46 43 39 30 46 52 41 2E 44 4C 4C"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"c!policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"CT" = "30 00 32 00 34 00 34 00 65 00 61 00 63 00 36 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"CatalogThumbprint" = "95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"c!microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"S1H" = "DD 16 14 4C C5 08 00 43 4F CC B2 B6 FE 9C 3F 5E"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"S1H" = "AA 99 E7 4A 4B C1 C0 3A D2 57 8D E2 4A 0B 3A 42"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"
"S256H" = "6C E2 C2 01 E1 39 B8 B7 FD D6 B0 15 1A D0 20 DB"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"MCP_c22d037d" = "00 00 00 00 B3 02 53 01 71 05 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"S1H" = "23 CA 6B 65 00 D5 28 6A FC B4 CD 40 F3 13 09 16"
"sf" = "2"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"S256H" = "34 66 B6 B0 1E 23 20 74 33 3A E8 90 DE BA 8F D9"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esn.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 4E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"f!atl90.dll" = "41 00 54 00 4C 00 39 00 30 00 2E 00 64 00 6C 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"CatalogThumbprint" = "4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343Ãˆâ€ "

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 9F 79 52 01 6B 05 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfc90.dll" = "6D 00 66 00 63 00 39 00 30 00 2E 00 64 00 6C 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Catalogs\d2ca8f3588969dd145bf8b1a7124f0754cebffde0e20d205e2e767ee4bf69d2a]
"c!policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"S1H" = "59 FC 44 3F E4 A9 36 69 AC E0 F5 9F A7 98 6B C9"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcr90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 FC BE 52 01 BD 09 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"MCP_c22d037d" = "00 00 00 00 B7 AB 52 01 D0 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90enu.dll" = "4D 46 43 39 30 45 4E 55 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90jpn.dll" = "4D 00 46 00 43 00 39 00 30 00 4A 00 50 00 4E 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"CT" = "39 00 35 00 63 00 65 00 30 00 36 00 33 00 38 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\9.0]
"9.0.21022.8" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"c!policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90deu.dll" = "4D 00 46 00 43 00 39 00 30 00 44 00 45 00 55 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcp90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"CatalogThumbprint" = "6dc1b9c301d48eb965f7f4cee06ac63e7207040bfa6101252e8cea08a0855d4eÃˆâ€ "

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"S1H" = "4F C7 D7 36 AD BC B2 7C 10 86 7E 21 90 BD D1 34"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"CT" = "34 00 63 00 34 00 31 00 39 00 37 00 31 00 63 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"(Default)" = "6"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"S1H" = "DA 6E 20 D5 AE 2F 76 AF 71 19 31 70 48 42 36 52"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll" = "4D 46 43 39 30 4B 4F 52 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"CT" = "61 00 38 00 30 00 39 00 35 00 65 00 66 00 65 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"CT" = "63 00 63 00 37 00 30 00 61 00 38 00 36 00 31 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PublisherPolicyChangeTime" = "Type: REG_QWORD, Length: 8"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 E0 FD 52 01 D3 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"S1H" = "E6 CA F0 F6 A2 0D C9 9F 62 27 42 55 D7 B2 1B 34"
"CT" = "66 00 65 00 30 00 66 00 61 00 63 00 34 00 65 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"CT" = "35 00 32 00 32 00 65 00 64 00 34 00 30 00 31 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcm90.dll" = "6D 00 73 00 76 00 63 00 6D 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2015/2/23:23:28:41.386 6.1.7601.17592 (win7sp1_gdr.110408-1631)"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"S1H" = "64 21 A7 13 7F 81 51 EC C9 C6 32 1F CB 89 4E ED"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"f!vcomp90.dll" = "76 00 63 00 6F 00 6D 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esp.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 50 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"CatalogThumbprint" = "a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7d"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"S1H" = "CC E5 48 A1 81 09 83 7C D5 26 1A F8 35 AB 54 9D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esp.dll" = "4D 46 43 39 30 45 53 50 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"S1H" = "74 EA A7 88 4B 21 D7 1F 33 34 94 89 89 7C 0A F6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90ita.dll" = "4D 00 46 00 43 00 39 00 30 00 49 00 54 00 41 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90cht.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 54 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll" = "4D 46 43 39 30 45 53 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcp90.dll" = "6D 00 73 00 76 00 63 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"S1H" = "80 93 28 44 A9 44 70 27 55 3E C3 07 5D F5 63 DF"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\9.0]
"9.0.30729.1" = "01"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Catalogs\4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS]
"StoreDirty" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"S1H" = "31 95 AA CA BF 6A 85 7B 8A 02 CC 29 B3 F8 BA 35"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 4D B5 52 01 AF 09 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"S256H" = "08 8C D1 14 A3 5A A0 03 0F 8A C8 09 40 2C 7C 22"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"CT" = "33 00 33 00 33 00 63 00 33 00 63 00 38 00 61 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"CatalogThumbprint" = "d2ca8f3588969dd145bf8b1a7124f0754cebffde0e20d205e2e767ee4bf69d2a"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll" = "4D 46 43 39 30 4A 50 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"S256H" = "8D C0 05 84 25 4A F1 6C 47 CA 9C 96 C9 44 75 51"

[HKLM\COMPONENTS]
"ExecutionState" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 0A 7F 52 01 6A 05 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"S256H" = "FE AE 5D B0 21 40 AA 1D 6C CD 8E EF 81 27 94 DF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"S256H" = "EB E1 76 88 C7 DC EA 0B F8 87 58 62 C8 C7 2A 58"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll" = "4D 46 43 39 30 52 55 53 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll" = "4D 46 43 39 30 44 45 55 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcr90.dll" = "6D 00 73 00 76 00 63 00 72 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"S1H" = "9E 2C 9A 79 1D 8E C7 78 4A 73 08 8C 2E 1E AF C1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"S256H" = "0E DF 78 65 CB 6E 59 40 E6 8D 63 1A FE E7 83 B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\9.0]
"9.0.21022.8" = "01"

[HKLM\COMPONENTS\CanonicalData\Catalogs\cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"S1H" = "E3 17 DA F8 C4 AE B9 52 16 AF B2 EE 85 45 57 D7"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"CatalogThumbprint" = "0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bbaÃ§Å¾ËœÃˆÅ "

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90chs.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 53 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90u.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 75 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll" = "4D 46 43 39 30 43 48 54 2E 44 4C 4C"
"mfc90ita.dll" = "4D 46 43 39 30 49 54 41 2E 44 4C 4C"

The Malware deletes the following registry key(s):

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]

The Malware deletes the following value(s) in system registry:

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90fra.dll"
"mfc90esp.dll"

[HKLM\COMPONENTS]
"PoqexecFailure"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll"
"mfc90enu.dll"

[HKLM\COMPONENTS]
"PendingXmlIdentifier"
"LastScavengeFlags"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
"vcomp90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
"atl90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcr90.dll"
"msvcp90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90chs.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcm90.dll"

[HKLM\COMPONENTS]
"RepairTransactionPended"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll"

[HKLM\COMPONENTS]
"LastScavengeCookie"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll"

[HKLM\COMPONENTS]
"ExecutionState"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90u.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS]
"StoreDirty"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90ita.dll"

The process sp-standalone-setup.tmp:2520 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"Inno Setup: Deselected Tasks" = ""
"Publisher" = "Uniblue Systems Limited"
"InstallDate" = "20150224"
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC"
"Comments" = "Uninstall SpeedUpMyPC"
"MajorVersion" = "6"
"Inno Setup: User" = "%CurrentUserName%"
"HelpLink" = "http://www.uniblue.com/support/manuals/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"EcommercePlatform" = "cleverbridge"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"Inno Setup: Language" = "en"
"EstimatedSize" = "61445"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe"
"InstallDate" = "2015-02-24"
"lang" = "en"
"PurchaseUrl" = "http://www.uniblue.com/cm/afterdownload/speedupmypc/de1/purchase/"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"UninstallString" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\"
"NoRepair" = "1"

[HKCR\speedupmypc]
"URL Protocol" = ""
"(Default)" = "URL:SpeedUpMyPC Protocol"

[HKCR\speedupmypc\DefaultIcon]
"(Default)" = "speedupmypc.exe,1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"DisplayName" = "SpeedUpMyPC"
"MinorVersion" = "0"
"URLUpdateInfo" = "http://uniblue.com/software/speedupmypc/updates/"
"Inno Setup: Setup Version" = "5.5.4 (u)"
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"

[HKCR\speedupmypc\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe --serial=%1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E55B3271-7CA8-4D0C-AE06-69A24856E996}_is1]
"Inno Setup: Icon Group" = "Uniblue\SpeedUpMyPC"
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.exe /SILENT"
"URLInfoAbout" = "http://www.uniblue.com/support/"
"NoModify" = "1"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe"
"DisplayVersion" = "6.0.6.1"

The Malware deletes the following value(s) in system registry:

[HKCR\speedupmypc]
"URL Protocol"
"(Default)"

[HKCR\speedupmypc\DefaultIcon]
"(Default)"

[HKCR\speedupmypc\shell\open\command]
"(Default)"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"PurchaseUrl"
"InstalledLocation"

The process GoogleUpdate.exe:3776 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1424678421"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1424678421"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastCheckSuccess" = "1424734296"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1424678421"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1424678421"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"RollCallDayStartSec" = "1424678421"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1424678421"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked" = "1424734296"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"pv" = "35.0.1916.153"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"pv" = "35.0.1916.153"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "2975"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.11"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "2975"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
"StateValue" = "17"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "2975"
"DayOfLastRollCall" = "2975"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "2975"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"DayOfLastRollCall" = "2975"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "35.0.1916.153"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
[HKCU\Software\Classes\Local Settings\MuiCache\2A]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableSince"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerResult"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"dr"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"

The process GoogleUpdate.exe:3924 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.26.9"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"UninstallCmdLine" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe /uninstall"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "0"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
"Description" = "Google Update"

[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Path" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe"

[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.26.9"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1424734330"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.15, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsSCM.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\, , \??\%Program Files% (x86)\Google\Update\1.3.25.11,"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.26.9"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files% (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.26.9"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1424734330"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Version" = "1.3.26.9"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
"Path" = "%Program Files% (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Google.Update3WebControl.3]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]

The Malware deletes the following value(s) in system registry:

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version"
"Description"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"ui"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"mi"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Vendor"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastCodeRedCheck"

The process GoogleUpdate.exe:2324 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3340 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"

[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"

[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-3000"

[HKCR\Wow6432Node\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"

[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\psmachine.dll"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-3000"

[HKCR\Wow6432Node\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Wow6432Node\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\psmachine.dll"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"

[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe"

[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\psmachine.dll"

[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\Wow6432Node\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3572 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"

[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"

[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"

[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

The Malware deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:4064 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "1"
"LastStartedAU" = "1424734260"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2064 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process CloudBackup9837.exe:108 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.15, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsSCM.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayName" = "MyPC Backup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayVersion" = ""
"URLInfoAbout" = "http://www.mypcbackup.com"
"Publisher" = "JDi Backup Ltd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayIcon" = "%Program Files% (x86)\MyPC Backup\MyPC Backup.exe"
"UninstallString" = "%Program Files% (x86)\MyPC Backup\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup]
"(Default)" = "%Program Files% (x86)\MyPC Backup\BackupStack.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"HelpLink" = "http://support.mypcbackup.com"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process taskeng.exe:2348 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{AB6351CB-6DB4-46FF-8DCE-9743A7561B49}]
"data" = "4D 45 4F 57 01 00 00 00 E4 B7 BD 92 8B F2 A0 46"

The process MyPC Backup.exe:1848 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process GoogleUpdateComRegisterShell64.exe:3692 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\psmachine_64.dll"

[HKCR\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\psmachine_64.dll"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.26.9\psmachine_64.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Malware deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32]
[HKCR\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}]

The process GoogleUpdateComRegisterShell64.exe:1276 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

The Malware deletes the following registry key(s):

The process GoogleUpdateComRegisterShell64.exe:1452 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

The Malware deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]

The process f0834957b00846ac1ff5ca65e22e2f24.tmp:3640 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "62 19 51 6B C0 4F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\SpeedUpMyPC]
"InstallerBuiltWithOffers" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "62 19 51 6B C0 4F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "62 19 51 6B C0 4F D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5	File path
83bb030c71c9727dcfb2737005772c4e	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
323cfffdaf253ac65cd194a101be6231	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe
e1b44a75947137f4143308d566889837	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdate.exe
4c02536f4ca35911fb3ea5715f300c57	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe
f3b6470da7ce34e559d3ba7365cc909c	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateComRegisterShell64.exe
fd98434b6a06fe31a35e4bfbc827b290	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe
7ca00a58aa808f4b9844c91845910377	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateSetup.exe
5f0a3aa68785c49454f56c9f2dda0237	c:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateWebPlugin.exe
5c2593649cf4fe6b9ed6f9a734dbf344	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdate.dll
7d81b54a30e726aaa71aa3623d73b3da	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_am.dll
6038701a5f26f5753e1b8732b2f330bf	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ar.dll
5cdb279660719f50b5fbbcc02d5960ab	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_bg.dll
971505410e9d0e478819cb0827c29003	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_bn.dll
6c74c327f8a83049694a61ff58e8bef1	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ca.dll
9eb5998e1281e7ee5d3790ed85dd2f56	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_cs.dll
5dacb582c8460937acec68dfb5b45bfb	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_da.dll
b58a0f9c6101df8ad5cef2676ffd50fd	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_de.dll
276f03206822ef47412678e845ff8767	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_el.dll
18d4bd259cc873e9b3ff4914da172907	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_en-GB.dll
0e16a89d13777ed360969f8064b83864	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_en.dll
249d0dd0b8604b8dc91eca65de5b6561	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_es-419.dll
989eb0563f1ff84edb2bb7f5d0caef3c	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_es.dll
8376de3f4ae6c65fe95329c363c9cdff	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_et.dll
0fc560f4d735c5ebdff0813c31755d60	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_fa.dll
4214765994eea6c441bcf3fbc21d00d7	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_fi.dll
6411443a52288be615738674cfa126ae	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_fil.dll
8e04db132c564e76971aaf8cfb9fce96	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_fr.dll
ce5b672b309103f47af1460f6565883e	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_gu.dll
60b8795924463ade303c092dc02be055	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_hi.dll
6887c86b15606714fa83f2de91d8c11e	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_hr.dll
1de96e0e4b45fc210d7c5b60416e4da4	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_hu.dll
c05c12fa8c0e3bbce8ae3869055f8ca7	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_id.dll
e51a34d003235192c93cc4e44775951a	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_is.dll
77f46c11174c4980789255f099402f51	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_it.dll
ce5c9ac64274aef565162bf1fc9e3242	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_iw.dll
d9f0eb11cb71e0911caf44b4ea0856be	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ja.dll
ea9c0aa9c317dec2054a3a6dcaad9398	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_kn.dll
a1a1bead7907c3058be9b9ff6fdf80d4	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ko.dll
0a2b929ffe5e40ade35478f459567130	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_lt.dll
42fc026314618e172ec96195a2cebef8	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_lv.dll
325750335f89997558aac37f039d7dba	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ml.dll
557b752a331ca5a6e6cca898c2ffe2ad	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_mr.dll
eaf0e2fce930bff40118584566d7ad04	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ms.dll
8129c53643b8012ae9252122d10f6eb0	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_nl.dll
a8298aec52704ece20c4457670af4d8e	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_no.dll
b65fadc80dad2f6ca1e0c4947e20390b	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_pl.dll
b21a176efe46c16a07e9c146544cc99f	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_pt-BR.dll
c00ac3b8058a4fc2fff4f64dee03532b	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_pt-PT.dll
1c433621eb86b4dee051b0fc25207d02	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ro.dll
53157ee06503b7204509571fa27a4a84	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ru.dll
d91d322bb70222be355d8846e66ee940	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_sk.dll
58ab869af216f5e722d37930e4937363	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_sl.dll
00dc6068355939ff8e028a906ef00458	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_sr.dll
73c6820a1943e7965084093f29f8f0e1	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_sv.dll
2ed4747202bd370ed9091297789f8112	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_sw.dll
12aa06d1d43cf2dc4bf9a440c03e9fb0	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ta.dll
92080b65bea279b768a595cc3f491994	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_te.dll
d6140d394b955117e5a331be3582477e	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_th.dll
21edce3e2260eab2a566b8c0af179457	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_tr.dll
4262e0322f37b3641d4c9d66e4bf12ab	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_uk.dll
199cd4d739119b4339bd7ee0777aa4be	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_ur.dll
89602c37901be0fc0111635742dcee63	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_vi.dll
49118a53f59666aa2f27af738830d767	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_zh-CN.dll
1dc933edeba5dac5e4275d655203a66b	c:\Program Files (x86)\Google\Update\1.3.26.9\goopdateres_zh-TW.dll
98137411b9c632095f919e2ce70b288a	c:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll
fff2c9ba6ab0c6f3a290cd3fbcbdf3c0	c:\Program Files (x86)\Google\Update\1.3.26.9\psmachine.dll
c51c9b677c0bf6651b4d0aee60e005a7	c:\Program Files (x86)\Google\Update\1.3.26.9\psmachine_64.dll
580930fd62744f10fcdd5375e201beea	c:\Program Files (x86)\Google\Update\1.3.26.9\psuser.dll
821cc209d61d0ed1f4c86abe0c8a1319	c:\Program Files (x86)\Google\Update\1.3.26.9\psuser_64.dll
7ca00a58aa808f4b9844c91845910377	c:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.26.9\GoogleUpdateSetup.exe
7ca00a58aa808f4b9844c91845910377	c:\Program Files (x86)\Google\Update\Install\{B8883498-A8EA-481A-ADFD-598CCBB0653A}\GoogleUpdateSetup.exe
96f6e497f8ce5bc21b9d3140965104aa	c:\Program Files (x86)\MyPC Backup\AlphaFS.dll
5bfc53c0daee82e70ef02b9cf7ae3042	c:\Program Files (x86)\MyPC Backup\AlphaVSS.51.x86.dll
ba1d420f7fa1b4eef8cc127bee74a023	c:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x64.dll
568754948b2aa5fcc41217fb28425cc5	c:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x86.dll
a3ef02398e089dcd9708cbc4e427d0f7	c:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x64.dll
057cf7fd20135899d616714534d0b7a8	c:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x86.dll
3116e40a8b9709917e1dc1db4e068152	c:\Program Files (x86)\MyPC Backup\AlphaVSS.Common.dll
a0a4dd8d711d55884c163a3784eac55e	c:\Program Files (x86)\MyPC Backup\BackupStack.exe
3c3cb9d58660b527d47e7d46d292940c	c:\Program Files (x86)\MyPC Backup\BackupStackUI.dll
d15d57943417ca58884e643da0ce2464	c:\Program Files (x86)\MyPC Backup\BplusDotNet.dll
f5b669bd36f27089b36323ccbf8ebcda	c:\Program Files (x86)\MyPC Backup\Configuration Updater.exe
76928476bdcf7ea4dbe8589d85793315	c:\Program Files (x86)\MyPC Backup\GetText.dll
c97cc489f20c67c3b2f36782ca139ce4	c:\Program Files (x86)\MyPC Backup\InstMgr.dll
6ded8fcbf5f1d9e422b327ca51625e24	c:\Program Files (x86)\MyPC Backup\Ionic.Zip.dll
e5cc3997457cd365e43c19f0f9110148	c:\Program Files (x86)\MyPC Backup\LinqBridge.dll
9b2ac62a9aab3369b253411c14b92fcb	c:\Program Files (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll
e4da474b2f2415664a286c07022222a0	c:\Program Files (x86)\MyPC Backup\MPCBClient.dll
dddf97700f9d4a951783b73d5971ce48	c:\Program Files (x86)\MyPC Backup\MPCBContextMenu.dll
24b83d9a02acf4b10c3fe0e9f7153eef	c:\Program Files (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll
01623e484d03fe777a733f3f6f28d673	c:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
f89e670f3f9de99e80b4d39436a27d9e	c:\Program Files (x86)\MyPC Backup\NativeHashWrapper.dll
16da92c91e58f6d8a22e493ae442edbf	c:\Program Files (x86)\MyPC Backup\Newtonsoft.Json.dll
6e0e7abd35565d70986eedc71f1a7bb5	c:\Program Files (x86)\MyPC Backup\ObjectListView.dll
6605874ea071ad6904aa8f67e75c18a1	c:\Program Files (x86)\MyPC Backup\PipeDiff.dll
4bb211393828d585cb5396a273008d94	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe
74a8c01b69adedd7f1330245cd994821	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe
bb830033c3e24a0b82caf23662918278	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe
a6a26e38b3596fa740f7039d98bd3a22	c:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe
0d8aa68059d0103b04ef5afdf755f779	c:\Program Files (x86)\MyPC Backup\Service Start.exe
6f5ab2bf45a14dedcb642e804480c9c7	c:\Program Files (x86)\MyPC Backup\Shared Stack.dll
9d0cc110ab0605885d98ae08377f6f66	c:\Program Files (x86)\MyPC Backup\Signup Wizard.exe
eeabc4815562083a50a666e2709c5998	c:\Program Files (x86)\MyPC Backup\SignupWizard.dll
0790e1d72901d1b98a9abfd43d1c592c	c:\Program Files (x86)\MyPC Backup\System.Data.SQLite.DLL
ba95c010731d3a1b20816242995e5a5a	c:\Program Files (x86)\MyPC Backup\UnRegisterExtensions.exe
da063ab4cd89efa829dbdce1fcb1cf70	c:\Program Files (x86)\MyPC Backup\Updater.exe
0cc8dad6c96bb0f2a833e0cb460d4191	c:\Program Files (x86)\MyPC Backup\Updater_.dll
53b9dfe8be74f29dc10d12df6b438f31	c:\Program Files (x86)\MyPC Backup\uninst.exe
1688cecb8af9cedde1b60163c98d1765	c:\Program Files (x86)\MyPC Backup\websocket-sharp.dll
fd666249228fb1be3f9fc9399aa70d3a	c:\Program Files (x86)\MyPC Backup\x64\SQLite.Interop.dll
f25a493607f771a033a3afe8ac26a505	c:\Program Files (x86)\MyPC Backup\x86\SQLite.Interop.dll
0fe58867051066e90c39fe9cf2021b8b	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\InstallerExtensions.dll
6de5c66e434a9c1729575763d891c6c2	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\msvcp90.dll
e7d91d008fe76423962b91c43c88e4eb	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\msvcr90.dll
5434e18b933e03f274d8da59fda4c676	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\icudt.dll
28888738b5521923a244fac763767db4	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\libcef.dll
afb2e85409ab139ec384f799825d8844	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe
f4f76946266cf9287ed858f4bf5cec43	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\thirdpartyinstaller.exe
3e03d408023fd7bff56c0a8e358b7647	c:\Program Files (x86)\Uniblue\SpeedUpMyPC\unins000.exe
256f360db3c119ab9e1b6eb4c8f66680	c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\aff_setup[1].exe
c2f4c7ca8d9f133afb21a2cc173a39e4	c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SpeedUpMyPC-standalone-setup[1].exe
bcba8747ab53932f8613c006444078e9	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\CloudBackup9837.exe
256f360db3c119ab9e1b6eb4c8f66680	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe
0fe58867051066e90c39fe9cf2021b8b	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\InstallerExtensions.dll
526426126ae5d326d0a24706c77d8c5c	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\_isetup\_setup64.tmp
92dc6ef532fbb4a5c3201469a5b5eb63	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\_isetup\_shfoldr.dll
c2f4c7ca8d9f133afb21a2cc173a39e4	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\sp-standalone-setup.exe
62efa7b730eb0523a026ea4325403b77	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsSCM.dll
40395c175553cb14d2050888efccdf00	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe
c101f49f8fbdc203757ebf954d83af12	c:\Windows\Installer\$PatchCache$\Managed\EFEE0228DC83E77358593193D847A0EC\9.0.30729\FL_msdia71_dll_2_60035_amd64_ln.3643236F_FC70_11D3_A536_0090278A1BB8
45e475fa46d8f04a682eb5eed5476e08	c:\Windows\winsxs\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818\ATL90.dll
1e7ce519349ca4b49930ad843470a3f9	c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcm90.dll
1f914c93052445e6629c37b81d421f7b	c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcp90.dll
425d035880430fbed64dd6205c77f5b2	c:\Windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4\msvcr90.dll
e75de70a944462a9912c93e888b4106f	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfc90.dll
6962af1e97d8566e9c3496dc118fd3b7	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfc90u.dll
e6ffdd8f997366fd88a799743579d389	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfcm90.dll
f668d2f0c2377cc3b1459506a00b0f0b	c:\Windows\winsxs\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9\mfcm90u.dll
deebddd75a0ecb8afd463bd3b2d9131a	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90CHS.DLL
b0552cba0f603e1730762056add5eb9a	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90CHT.DLL
2822498a5df669d223e6b093c00cb93a	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90DEU.DLL
91e5d7df820fb0fe7ead68c32bead0da	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ENU.DLL
85bdf40f2af1944f579a7a134bd08a34	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ESN.DLL
390ab412debb2be22fcaca5a59c9a3c2	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ESP.DLL
598dcb951afd9a3d3d2e1abf7603de60	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90FRA.DLL
9e87f90e281ea1f41669920b349189c5	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90ITA.DLL
67695d68d782b48625a6c3ec08954216	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90JPN.DLL
91f1a8b875354dd5a1939e329af45656	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90KOR.DLL
32a4c8c6c2d09b98b14af92cd991a6d8	c:\Windows\winsxs\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb\MFC90RUS.DLL
63e472c8410a0e9ce25c35a0482bbbbf	c:\Windows\winsxs\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633\vcomp90.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Uniblue Systems Limited
Product Name: SpeedUpMyPC
Product Version: 6.0.6.1
Legal Copyright: Copyright (c) Uniblue Systems Limited
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.0.6.1
File Description: SpeedUpMyPC Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	61740	61952	4.43024	3a126e478661f20816f9d9285615f98e
.itext	69632	2884	3072	3.97317	ba48b9b17b3dd8b92da3bd93f20ddb34
.data	73728	3208	3584	1.55702	d7fd5f4b562d7961758f3d6a8c834fd0
.bss	77824	22196	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	102400	3536	3584	3.44625	93d91a2b90e60bd758fc0c4908856ae1
.tls	106496	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	110592	24	512	0.14174	3dffc444ccc131c9dcee18db49ee6403
.rsrc	114688	468268	468480	3.06948	1d0c19fa6ba3d034732ec6e10ff5a303

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 62
6055b96dbf2e3aa16fda1d990e211cf4
7fbe008276ab2d3920b0170560c846b1
9252272d53ab749d55b70d4a4efddc77
aaacdf65f0de19d6f10567be3b6fe264
83d775fee9f43007d4447ff8e6b93730
069afae39ad745a4aa56281d7d0af023
b48ae2ace170dea79eeba3241b02e3d1
caa785bc4d87140af0d34cd85a7d67df
25980d029ee2f1b2bea49260abe4a29c
70a42e10182889a90ad2a1821a2008b7
522536f97c7e971b25e5a8e8bbccc8d9
27a07a2fa44c8b80a6f888f84be719fb
475a901ab207dd024f2837639b725f0b
6dac1c166d3bbd28fcaf9d109b03a5de
d52c14e92b840227ea214214f654967a
0442b2389e55aa9ad09c1d451915ed78
251388b97a015274f61d7519ff1c7b98
dab4a8e50add0c45c0fc928de3f8a1df
bdc1b9b4f0eb35a627b00e6e8b39a285
cc6ff8e3998af657feda3b4995b9c823
d3325e14cebb1f6def1a6c78cd770ab5
e7e613ec4cb626301e1201af3edaeccf
11acd7770b3954de923ee24dfbaaae9f
4d6711da6c0e1f50ac74ec9debf1cbb9
610c4f48f6dd37a6b68f06822be99d6e

URLs

URL	IP
hxxp://backupgrid.jdibackup.netdna-cdn.com/aff_setup.exe
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/collect
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe
hxxp://d21bsqatndqkg8.cloudfront.net/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe	54.230.201.11
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/sp/version.txt?from=6.0.6.1
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/track
hxxp://api.uniblue.net/v1/geo/country-code	176.34.100.249
hxxp://s3-1-w.amazonaws.com/latest_updates/application.txt
hxxp://track.mypcbackup.com/9bf5853a/D0wnloads-SpeedUpMyPC/MyPCBackup_Setup.exe	184.154.139.131
hxxp://uniblue.com/api/v1/geo/country-code	176.34.125.17
hxxp://uniblue-cdn-lb-eu-774953051.eu-west-1.elb.amazonaws.com/api/v1/geo/country-code
hxxp://mypcbackup.jdibackup.netdna-cdn.com/MyPCBackup_Setup.exe
hxxp://track.mypcbackup.com/aadebc4830c51c2794a960fe5a9e11df.php	184.154.139.131
hxxp://a767.dscms.akamai.net/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe
hxxp://184.154.139.137/install/win/1/live/net2
hxxp://backupgrid.jdibackup.netdna-cdn.com/mypcbackup.1.5.0.2.101.7z
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e5273f67c02628d
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ab9ea1583eb9da57
hxxp://cs9.wac.edgecastcdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg=
hxxp://cs9.wac.edgecastcdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w=
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://redirector.c.pack.google.com/edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe
hxxp://r2.sn-3c27ln7y.c.pack.google.com/edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ab9ea1583eb9da57	88.221.132.207
hxxp://r2---sn-3c27ln7y.c.pack.google.com/edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1	173.194.48.241
hxxp://cdn.backupgrid.net/aff_setup.exe	94.31.29.237
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	88.221.132.166
hxxp://cdn.backupgrid.net/mypcbackup.1.5.0.2.101.7z	94.31.29.237
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.52.27.27
hxxp://sump.uniblue.com.s3.amazonaws.com/latest_updates/application.txt	54.231.9.1
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.52.27.27
hxxp://cache.pack.google.com/edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe	216.58.209.174
hxxp://tracking.uniblue.com/v1/collect	54.246.127.16
hxxp://cdn.mypcbackup.com/MyPCBackup_Setup.exe	94.31.29.238
hxxp://crl.verisign.com/pca3.crl	23.52.21.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.52.27.27
hxxp://www.uniblue.com/api/v1/geo/country-code	176.34.113.87
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	88.221.132.166
hxxp://download.microsoft.com/download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe	80.239.149.75
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	88.221.132.166
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.52.27.27
hxxp://tracking.uniblue.com/v1/track	54.246.127.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=	23.52.27.27
hxxp://update.uniblue.com/sp/version.txt?from=6.0.6.1	23.23.138.196
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	88.221.132.166
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg=	93.184.220.29
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e5273f67c02628d	88.221.132.207
hxxp://download.uniblue.com/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe	107.21.127.37
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.52.27.27
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w=	93.184.220.29
tools.google.com	173.194.113.196

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3
ET POLICY Python-urllib/ Suspicious User Agent
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Connection: Keep-Alive

Host: d21bsqatndqkg8.cloudfront.net


HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 18779256

Connection: keep-alive

Date: Thu, 19 Feb 2015 12:21:36 GMT

Cache-Control: max-age=86400, public

Last-Modified: Tue, 27 Jan 2015 10:36:06 GMT

ETag: "c2f4c7ca8d9f133afb21a2cc173a39e4"

Accept-Ranges: bytes

Server: AmazonS3

Age: 66908

X-Cache: Hit from cloudfront

Via: 1.1 462cdb6020d941cbe166e3fece73ca6d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: QBVrx-9dxQzBXRmKSFKO1gtFRzUMurtT8CfUqWujEiPZ0E9DgA7GuA==

MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....WZR............
.........D............... ....@.......................................
.......@......................................,%...........r..........
......................................................................
...............text...,........................... ..`.itext..D.......
.................... ..`.data........ [email protected]..
...V...0...........................idata..............................
@....tls.....................................rdata....................
..........@[email protected]...,%.......&... ..............@..@................
....................@..@..............................................
......................................................................
[email protected]............
@...string([email protected]......@...............................@.....
.... 9@.([email protected]@[email protected]@[email protected]@..9@.,[email protected]@[email protected].%..A....%..A.
...%..A....%..A....%..A....%..A....%(.A....%..A....%$.A....%..A....%..
A....%..A....%..A....%..A....%|.A....%x.A....%t.A....%p.A....%l.A....%
h.A....% .A....%d.A....%`.A....%\.A....%..A....%..A....%..A....%X.A...
.%T.A....%..A....%..A....%..A....%P.A....%L.A....%H.A....%D.A....%@.A.
..S..........$D...T.J....D$,.t...\$0....D[..@..%<.A....%8.A....

<<< skipped >>>

GET /api/v1/geo/country-code HTTP/1.1

Accept-Encoding: identity

Host: VVV.uniblue.com

Connection: close

User-Agent: Python-urllib/2.7


HTTP/1.1 200 OK

Cache-Control: max-age=7200

Content-Type: text/plain

Date: Mon, 23 Feb 2015 23:28:16 GMT

Server: ngx_openresty

Content-Length: 3

Connection: Close

UA...

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=472764, public, no-transform, must-revalidate

Last-Modified: Sun, 22 Feb 2015 10:48:15 GMT

Expires: Sun, 1 Mar 2015 10:48:15 GMT

Date: Mon, 23 Feb 2015 23:32:41 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015022
2104815Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150222104815Z....20150301104815Z0...*.H........
......'6}.........^....L.c..WE.}..Q...J..f...t..P.....`F.F%..e....Cm..
...I..$..Ua..k...k.){t:..j55..d..tN8IX..~...S..0......;F.J$.y.....t...
.... ...P.#s....M..........A.K.,.g8.&n.o2PJ.\|DyBq....1.6..,.......&..
.....E.......}....*b.SW.~.;^.@Z#......Q$7....r..I......0...0...0..3...
..../...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign,
 Inc.1705..U....Class 3 Public Primary Certification Authority0...1412
02000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporatio
n1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1
 OCSP Responder Certificate 30.."0...*.H.............0..........'.....
.Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; )....
.0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|
o....S..v.).)[email protected]#qh...u1T.].G0.]E...=._.....
. ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0
c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......
0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .
....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H
......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D.....
......e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=430723, public, no-transform, must-revalidate

Last-Modified: Sat, 21 Feb 2015 23:08:09 GMT

Expires: Sat, 28 Feb 2015 23:08:09 GMT

Date: Mon, 23 Feb 2015 23:32:41 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015022
1230809Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150221230809Z....20150228230809Z0...*.H........
......%.<....M.'M........K(........Q.X7.ycO#...N..t0..H.B$M.A......
....{...!6...k.[4......0...2_.HwbD...M.V.9.....^8.1.. .a.*..f.PXA..";.
.vL.3....K.....p.'l.=A4#..6..n..Bq.;........rA..n.1....f........E.....
...Y......B....e..Z|..d..X.n../.. ....k.a?..U............#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...<<< skipped >>>

GET /product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: download.uniblue.com

Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Date: Mon, 23 Feb 2015 23:28:05 GMT

Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/sp/6.0.6.1/SpeedUpMyPC-standalone-setup.exe

Server: openresty/1.5.8.1

Content-Length: 166

Connection: keep-alive
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>openresty/1.5.8.1&
lt;/center>..</body>..</html>..HTTP/1.1 302 Moved Tempo
rarily..Content-Type: text/html..Date: Mon, 23 Feb 2015 23:28:05 GMT..
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/sp/6.0.6.1/Spee
dUpMyPC-standalone-setup.exe..Server: openresty/1.5.8.1..Content-Lengt
h: 166..Connection: keep-alive..<html>..<head><title>
;302 Found</title></head>..<body bgcolor="white">..&
lt;center><h1>302 Found</h1></center>..<hr>
<center>openresty/1.5.8.1</center>..</body>..</ht
ml>....

GET /aff_setup.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: cdn.backupgrid.net

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Mon, 23 Feb 2015 23:28:03 GMT

Content-Type: application/octet-stream

Transfer-Encoding: chunked

Connection: keep-alive

x-amz-id-2: eKR/rDoheBwGM1Q3eTdvBeEFZMMwHNb8VDwr4FmqxcGfugUU6bTRTFxtHZg8GNyT

x-amz-request-id: 40161F28034B590E

Last-Modified: Mon, 06 Oct 2014 10:15:06 GMT

ETag: W/"256f360db3c119ab9e1b6eb4c8f66680"

Server: NetDNA-cache/2.2

X-Cache: HIT

Content-Encoding: gzip
900a.............}.\TU...f.......mR,..YHIh..E.D.Gf..$..&..{M[.a.>.x
...V[m..j..[....2......d.Vd..i..4D%....;.....g..~_.?>.z=...<.9.y
..<..K.m... .....B......?....C.xm....w.l..}.....ZKuM......e...U..N.
.F...WZr..- ..\.....#M__.x.<4\...G.X~...Y....Q/...y..G.....K.*..\P.
.Mu...DA.........M..L...8A(F.^....7 l.TS)..........#T.* [email protected].?/
<(Q.\ ./..^p.....}..l.\...!..(....$..ZB.........d..Y.a....R.T......
).NK..~V.d.VL8...k#2........BpRe.`...5.^*WS[..E4.........Yy....7....EJ
....W.h...o."&.I..T...n.)...6U6.r.*...C.U...g..Jf....f'. ..,........q-
-.iJ]...#(#.V....3.......az..)../`..[.;....N..... ..I....../`.V.-...B.
....6...Y......M/..w..S6.A........._L.i.$.)f ........Yu....UU}.-R%..j.
...Z.A.....D.....7..v...PS.(..Z.TS.)$' ...p.....-(g....I3....{LD>..
t.HR..;.d.o...,(s.....f..>{..T,5.SY.c...#.....P.3..];Sy.|...ruF....
#.g.G....A.{...H.....,.V>.......C.j^,..Z.y..%..4....B............@.
..I....$T..[b..Y..R\....<cv.G"W.Y..H.M5.f.......-`O...5..z[..^..{[u
R,.aD..c....f[F....i.|u..t.W.'Hq.yFk..e....:.....1....82z}g,.S.8)VM...
N%fK.|I.:......K.D]8&..?&.~..1.x..m....f.V.......f..L'..b.".e..J.n...V
T2...6.2.wg.<N...A 8.QA....g...c..]...1.J R....)..U..;...-.S)....}.
..R.;E..c6.Jn..1X7...`.).v%..(d.....t(R.1.Q..$3P. ..o.M.I.6...N...IE6.
[email protected].........*..1.nUJOUS.paco....%..jr]
.;.NI":......#.............U0Q}.fH.f..`%..../.....{3..|Z..*E]J.r..D...
.......7.3........`(8.k=.;.c...d ...<.*.m....Z....g.}V.^S.....)K.w.
.a..z^U.Qz7.....mc}7..6.3C. ..t...1....k5.{...^5e.5..b.]1Y%...J.R.<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 812

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT

If-None-Match: "a2f3ff97eeecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT

Accept-Ranges: bytes

ETag: "88c4768d3f2ad01:0"

Server: Microsoft-IIS/8.5

VTag: 279245755100000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Mon, 23 Feb 2015 23:28:50 GMT

Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....mic
rosoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..
150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..
%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825
Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/
U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M.....
...z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.
o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f
}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{[email protected].|7z
.. ......>..Q...([email protected]\]#..Y.*.......T. .C.....A'..
5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Q
w......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.........


GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT

If-None-Match: "3e1c83923e1cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT

Accept-Ranges: bytes

ETag: "d2e35dc7e31cd01:0"

Server: Microsoft-IIS/8.0

VTag: 279876544500000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Mon, 23 Feb 2015 23:28:50 GMT

Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......30... .....7......15032
0224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c
.{[email protected].^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo....
_...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..
A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.]....
.uki~......


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT

If-None-Match: "58cddbea90dfcf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT

Accept-Ranges: bytes

ETag: "9a9a44d511bd01:0"

Server: Microsoft-IIS/8.0

VTag: 43863145100000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Mon, 23 Feb 2015 23:28:50 GMT

Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......10... .....7......150318222600Z0...*.
H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-
....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q&
gt;[email protected].('..e...Y..Bo..q..........I....'....i>
..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az.....
[email protected]/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modifie
d: Fri, 19 Dec 2014 06:02:00 GMT..Accept-Ranges: bytes..ETag: "9a9a44d
511bd01:0"..Server: Microsoft-IIS/8.0..VTag: 43863145100000000..P3P: C
P="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SA
Mo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Conten
t-Length: 550..Cache-Control: max-age=900..Date: Mon, 23 Feb 2015 23:2
8:50 GMT..Connection: keep-alive..0.."0......0...*.H........0w1.0...U.
...US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corpo
ration1!0...U....Microsoft Time-Stamp PCA..141218221600Z..150319103600
Z._0]0...U.#..0...#[email protected].. ..5..0... .....7.......0...U......10.
.. .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\....
F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D...
......-.>...(...g.0.S.[?...T4q>[email protected].('..e..
.Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..d<<< skipped >>>

POST /v1/track HTTP/1.1

Accept-Encoding: identity

Content-Length: 111

Host: tracking.uniblue.com

Content-Type: application/json

Connection: close

User-Agent: Python-urllib/2.7

{"recipient": "uniblue.sp-6_0_6_1.web", "event": "prod.sp.mypcbackup_offer_install_completed", "client_id": ""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:29 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: Close
{.  "status": "OK".}..

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT

Accept-Ranges: bytes

ETag: "75565c7ac03ad01:0"

Server: Microsoft-IIS/8.5

VTag: 438743915800000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Mon, 23 Feb 2015 23:32:47 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Y0... .....7......150427174215Z0.
..*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e
.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...
0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp
[email protected]..@.. ...M....z....Q...{u. .W....

GET /MyPCBackup_Setup.exe HTTP/1.0

Host: cdn.mypcbackup.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 200 OK

Date: Mon, 23 Feb 2015 23:28:05 GMT

Content-Type: application/octet-stream

Content-Length: 297672

Connection: close

x-amz-id-2: ITSfTeTXt7nuSaLoUJg24XmzZcO6StHVwLM5wJapi75duw8Sx8YDdBsZh0xfQyneSKJD7WgytLk=

x-amz-request-id: 3805B55A5D27E049

Last-Modified: Mon, 24 Nov 2014 22:28:10 GMT

ETag: "bcba8747ab53932f8613c006444078e9"

Server: NetDNA-cache/2.2

X-Cache: HIT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i
u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^.
.K.................b...........6............@.........................
.........c..................................................(m........
..hx..`...............................................................
.............................text....a.......b.................. ..`.r
data...............f..............@[email protected]..........
[email protected]...(m.......n....
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected]...\.@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
[email protected]...`[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] ...Pj.h.[[email protected].@._^3.
[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....<<< skipped >>>

GET /api/v1/geo/country-code HTTP/1.1

Accept-Encoding: identity

Host: uniblue.com

Connection: close

User-Agent: Python-urllib/2.7


HTTP/1.1 301 Moved Permanently

Content-Type: text/html

Date: Mon, 23 Feb 2015 23:28:16 GMT

Location: hXXp://VVV.uniblue.com/api/v1/geo/country-code

Server: ngx_openresty

Content-Length: 178

Connection: Close
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx</center>..</body>..</html>....

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW+VUAg= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.digicert.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=510186

Content-Type: application/ocsp-response

Date: Mon, 23 Feb 2015 23:28:23 GMT

Etag: "54eb7b86-1d7"

Expires: Mon, 02 Mar 2015 11:28:23 GMT

Last-Modified: Mon, 23 Feb 2015 19:12:06 GMT

Server: ECS (frf/87DB)

X-Cache: HIT

Content-Length: 471

0..........0..... .....0......0...0......E.......1-Q...!..m....2015022
2200000Z0s0q0I0... [email protected]=?..Mn8...Q..E.......1-Q...!..m...
....._..fuSC.o.P.....20150222200000Z....20150301200000Z0...*.H........
.....$D.@Adm..%[email protected]`LT-.B.-....25T_H.p..1...-
rb.].!...w....Wj... .........O.h&5....<s..N........ZU..x....QD...w.
;....[k.d.y2$...xr....z.t..nrt..;...Z..%J.. .F.v ......c.....X6.*...i.
....]...M..V..y.....m..u.J.]...0...nw:2pv?.|9W.-&.k.......

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt+lGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAyvGbEyaFTw/abLEQ3zC1w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.digicert.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=511510

Content-Type: application/ocsp-response

Date: Mon, 23 Feb 2015 23:28:23 GMT

Etag: "54eb8336-1d7"

Expires: Mon, 02 Mar 2015 11:28:23 GMT

Last-Modified: Mon, 23 Feb 2015 19:44:54 GMT

Server: ECS (frf/87CA)

X-Cache: HIT

Content-Length: 471
0..........0..... .....0......0...0......Z..{*....q..`.-.eu.X..2015022
3193000Z0s0q0I0... .........G.h...#......Vm.Q....Z..{*....q..`.-.eu.X.
.....2hT........\....20150223193000Z....20150302194500Z0...*.H........
.....$'....Y.A'jb.A.<.#..s.~..,O.ZT^%f.P v........)....|.....[.s..i
s..e.52Pf.dN..m.\.S.^....~H............5.-...NV.{...C.$.........6.>
.Z.^.."...As.....>G.....a........EC......ZR........lO.. ...5.....4.
nh.2...L<...Lg..yf.,....Q=...<].Sh(...x.QDH.........V...v.(.HTTP
/1.1 200 OK..Accept-Ranges: bytes..Cache-Control: max-age=511510..Cont
ent-Type: application/ocsp-response..Date: Mon, 23 Feb 2015 23:28:23 G
MT..Etag: "54eb8336-1d7"..Expires: Mon, 02 Mar 2015 11:28:23 GMT..Last
-Modified: Mon, 23 Feb 2015 19:44:54 GMT..Server: ECS (frf/87CA)..X-Ca
che: HIT..Content-Length: 471..0..........0..... .....0......0...0....
..Z..{*....q..`.-.eu.X..20150223193000Z0s0q0I0... .........G.h...#....
..Vm.Q....Z..{*....q..`.-.eu.X......2hT........\....20150223193000Z...
.20150302194500Z0...*.H.............$'....Y.A'jb.A.<.#..s.~..,O.ZT^
%f.P v........)....|.....[.s..is..e.52Pf.dN..m.\.S.^....~H............
5.-...NV.{...C.$.........6.>.Z.^.."...As.....>G.....a........EC.
.....ZR........lO.. ...5.....4.nh.2...L<...Lg..yf.,....Q=...<].S
h(...x.QDH.........V...v.(...<<< skipped >>>

GET /aadebc4830c51c2794a960fe5a9e11df.php HTTP/1.0

Host: track.mypcbackup.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 200 OK

Date: Mon, 23 Feb 2015 23:28:17 GMT

Server: Apache

Set-Cookie: SESSID=0ilk6hkgr5oqpsvvinkahqlph3; path=/; domain=.mypcbackup.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: LC_CURRENCY=US; expires=Thu, 05-Mar-2015 23:28:17 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Thu, 05-Mar-2015 23:28:17 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: LC_CURRENCY=US; expires=Thu, 05-Mar-2015 23:28:17 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Thu, 05-Mar-2015 23:28:17 GMT; path=/; domain=.mypcbackup.com

Content-Length: 8

Connection: close

Content-Type: text/html; charset=UTF-8
Complete..

HEAD /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: cache.pack.google.com


HTTP/1.1 302 Found

Date: Mon, 23 Feb 2015 23:31:18 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Location: hXXp://r2---sn-3c27ln7y.c.pack.google.com/edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1

Content-Type: text/html; charset=UTF-8

Server: ClientMapServer

Content-Length: 599

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=0.08
HTTP/1.1 302 Found..Date: Mon, 23 Feb 2015 23:31:18 GMT..Pragma: no-ca
che..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, 
must-revalidate..Location: hXXp://r2---sn-3c27ln7y.c.pack.google.com/e
dgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1
424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&
pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass
&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D676760959
7F1B7E07D12BA1EF51FB55&key=cms1..Content-Type: text/html; charset=UTF-
8..Server: ClientMapServer..Content-Length: 599..X-XSS-Protection: 1; 
mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p
=0.08..

GET /9bf5853a/D0wnloads-SpeedUpMyPC/MyPCBackup_Setup.exe HTTP/1.0

Host: track.mypcbackup.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 301 Moved Permanently

Date: Mon, 23 Feb 2015 23:28:16 GMT

Server: Apache

Set-Cookie: SESSID=31g715sqlatu02tosq13u2f7v0; path=/; domain=.mypcbackup.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: LC_CURRENCY=US; expires=Thu, 05-Mar-2015 23:28:16 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Thu, 05-Mar-2015 23:28:16 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: LC_CURRENCY=US; expires=Thu, 05-Mar-2015 23:28:16 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Thu, 05-Mar-2015 23:28:16 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: 748a7624422584634822bd3a2bf604ae=af8514d81ff45d9deb8c7a9bbdf41603; expires=Tue, 23-Jun-2015 23:28:16 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: intc=1; expires=Tue, 24-Feb-2015 23:28:16 GMT; path=/; domain=.mypcbackup.com

P3P: CP="We do not have a P3P policy"

location: hXXp://cdn.mypcbackup.com/MyPCBackup_Setup.exe

Set-Cookie: aff_id=67333; expires=Tue, 24-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hop_name=MaxiDisk1; expires=Tue, 24-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hop_id=97175; expires=Tue, 24-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hash=c4f8375c6fd29bc0d9cb79f940ecd4c4; expires=Tue, 24-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: tid=D0wnloads-SpeedUpMyPC; expires=Tue, 24-Mar-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: 9bf5853aunique=true; expires=Sun, 24-May-2015 23:28:16 GMT; path=/; domain=mypcbackup.com

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8
<<< skipped >>>

POST /v1/track HTTP/1.1

Accept-Encoding: identity

Content-Length: 111

Host: tracking.uniblue.com

Content-Type: application/json

Connection: close

User-Agent: Python-urllib/2.7

{"recipient": "uniblue.sp-6_0_6_1.web", "event": "prod.sp.mypcbackup_offer_install_initiated", "client_id": ""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:26 GMT

Server: ngx_openresty

Content-Length: 20

Connection: Close
{.  "status": "OK".}..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=530753, public, no-transform, must-revalidate

Last-Modified: Mon, 23 Feb 2015 02:58:16 GMT

Expires: Mon, 2 Mar 2015 02:58:16 GMT

Date: Mon, 23 Feb 2015 23:32:42 GMT

Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20150223025816Z0s0q0I0... ........
[email protected].!......Q...==d6|h.[x....7..`..........cV.!.....201502
23025816Z....20150302025816Z0...*[email protected]......
..a..'d..1$...l7...S.>n.%....|3....,/=H...N.o.G6i.......'j.....[@..
|<\...".~......|..w.T......u5^.F`.c..=l.....j.......3..}.."...l....
..EC$..}.."j#.?[Q..P8.....0. Ho`.JD.../.'....1'.-...h...Z.G.......?...
W {Z/.. ..G.....gs.....Y...rx5....0...0...0..{.........[..I|.....Zm..0
...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....Veri
Sign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/
rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000
000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA 
OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.
-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f
..;]s!.\"v...|....][email protected]. ..W....n..*
..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.
....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... 
.......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#
.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com
/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o
...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo.....
.E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........<<< skipped >>>

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com


HTTP/1.1 200 OK

Server: Apache

ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"

Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT

Date: Mon, 23 Feb 2015 23:32:42 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..141210000000Z..150
331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ..
..>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r
../[email protected]?....0.A.HTTP/1.1 200 OK..Server: Apache.
.ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: F
ri, 19 Dec 2014 01:00:19 GMT..Date: Mon, 23 Feb 2015 23:32:42 GMT..Con
tent-Length: 933..Connection: keep-alive..Content-Type: application/pk
ix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc
.1705..U....Class 3 Public Primary Certification Authority..1412100000
00Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A..
...{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y
..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.

<<< skipped >>>

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 128

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_included","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:28:52 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:28:52 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 125

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:03 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:03 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 129

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.third_party_offer_accepted","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:08 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:08 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}HTTP/1.1 
200 OK..Content-Type: application/json..Date: Mon, 23 Feb 2015 23:29:1
3 GMT..Server: ngx_openresty/1.2.6.6..Content-Length: 20..Connection: 
keep-alive..{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: applica
tion/json..Date: Mon, 23 Feb 2015 23:29:13 GMT..Server: ngx_openresty/
1.2.6.6..Content-Length: 20..Connection: keep-alive..{.  "status": "OK
".}....

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e5273f67c02628d HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Mon, 23 Feb 2015 23:28:19 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Thu, 03 Jul 2014 23:34:12 GMT..ETag: "0b2464b1797cf1:0"..C
ache-Control: max-age=86400..Date: Mon, 23 Feb 2015 23:28:19 GMT..Conn
ection: keep-alive..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=568838, public, no-transform, must-revalidate

Last-Modified: Mon, 23 Feb 2015 13:33:26 GMT

Expires: Mon, 2 Mar 2015 13:33:26 GMT

Date: Mon, 23 Feb 2015 23:32:48 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015022
3133326Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150223133326Z....20150302133326Z0...*.H........
.....k................X.....#s'....wLe...c.b.....=.......}.......L..s.
4.....m.&.K.L.:.G.,.h.....S..!4f.taa.`..._.k.By|.7.......T..i.....t`..
.r....q..&.c<f......F..=v.Om.:.....[.jP..5..v.....:..iX'w..m.TM....
.$^.}(.~4..:.l7OM.pR5..Q..YH.....Z.c_w..m.[t...cR...Bk...#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...<<< skipped >>>

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 119

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.install_launched","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:28:56 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:28:56 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 126

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.third_party_offer_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:07 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:07 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 118

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.install_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:13 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:13 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 138

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.install_standalone_download_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:16 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}....


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 138

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_download_initiated","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:26 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:26 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}..

GET /download/2/d/6/2d61c766-107b-409d-8fba-c39e61ca08e8/vcredist_x64.exe HTTP/1.0

Host: download.microsoft.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.0 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 08 Aug 2008 21:48:10 GMT

Accept-Ranges: bytes

ETag: "df115773a0f9c81:0"

Server: Microsoft-IIS/8.0

Content-Disposition: attachment

Content-Length: 4961800

Date: Mon, 23 Feb 2015 23:28:18 GMT

Connection: close

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........K...K...
K.......D...K... ......._.......J.......J...RichK...........PE..L...{.
.B.................z..........rY... ........... ......................
........9.L.......... [email protected].........
....K..$...........!............................................... ..
.............................text....x... ...z.................. ..`.d
[email protected].............
....@..@..............................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................t...Z.............
......&...<...L............................................... ...:
...J...V...^...x.......................................&...<...J...
^...t.......................................(...:...R...b...p.........
..........................&...N...b...|...............r.......\...L...
:...,...........................................~...f.................
......z...............................&...0...D...:...............:...
........$...................{..B.............&..................Z.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=604768, public, no-transform, must-revalidate

Last-Modified: Mon, 23 Feb 2015 23:28:32 GMT

Expires: Mon, 2 Mar 2015 23:28:32 GMT

Date: Mon, 23 Feb 2015 23:32:48 GMT

Connection: keep-alive

0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015022
3232832Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20150223232832Z....20150302232832Z0...*.H.....
........Y....y....,N...q..40........5.y_...1.3Y.."0.d3.....G..h.."F.f5
*Y.1......T.....krk.t....0........}..?..U"p.Sg;a...O.........)m$9.^...
M....?&dRQ.\.f.]...[.. ..v../..oAR.{..v.#4.g.E..&.......B7P0.....NR ..
Qi.,&P.n.w..g.z.......j.rvQY.}Z.*.j.......[(B........$....0...0...0...
........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign
, Inc. - For a..

GET /v1/geo/country-code HTTP/1.1

Accept-Encoding: identity

Host: api.uniblue.net

Connection: close

User-Agent: Python-urllib/2.7


HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Date: Mon, 23 Feb 2015 23:29:22 GMT

Location: hXXp://uniblue.com/api/v1/geo/country-code

Server: nginx/1.1.19

Content-Length: 161

Connection: Close
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx/1.1.19</c
enter>..</body>..</html>....

GET /sp/version.txt?from=6.0.6.1 HTTP/1.1

Accept-Encoding: identity

Host: update.uniblue.com

Connection: close

User-Agent: Python-urllib/2.7


HTTP/1.1 302 Found

Cache-Control: max-age=600

Content-Type: text/plain

Date: Mon, 23 Feb 2015 23:28:15 GMT

Location: hXXp://sump.uniblue.com.s3.amazonaws.com/latest_updates/application.txt

Server: openresty/1.5.8.1

Content-Length: 71

Connection: Close

hXXp://sump.uniblue.com.s3.amazonaws.com/latest_updates/application.tx
t..

HEAD /aff_setup.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: cdn.backupgrid.net


HTTP/1.1 200 OK

Date: Mon, 23 Feb 2015 23:27:33 GMT

Content-Type: application/octet-stream

Content-Length: 263224

Connection: keep-alive

x-amz-id-2: eKR/rDoheBwGM1Q3eTdvBeEFZMMwHNb8VDwr4FmqxcGfugUU6bTRTFxtHZg8GNyT

x-amz-request-id: 40161F28034B590E

Last-Modified: Mon, 06 Oct 2014 10:15:06 GMT

ETag: "256f360db3c119ab9e1b6eb4c8f66680"

Server: NetDNA-cache/2.2

X-Cache: HIT

HTTP/1.1 200 OK..Date: Mon, 23 Feb 2015 23:27:33 GMT..Content-Type: ap
plication/octet-stream..Content-Length: 263224..Connection: keep-alive
..x-amz-id-2: eKR/rDoheBwGM1Q3eTdvBeEFZMMwHNb8VDwr4FmqxcGfugUU6bTRTFxt
HZg8GNyT..x-amz-request-id: 40161F28034B590E..Last-Modified: Mon, 06 O
ct 2014 10:15:06 GMT..ETag: "256f360db3c119ab9e1b6eb4c8f66680"..Server
: NetDNA-cache/2.2..X-Cache: HIT..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=436974, public, no-transform, must-revalidate

Last-Modified: Sun, 22 Feb 2015 00:52:54 GMT

Expires: Sun, 1 Mar 2015 00:52:54 GMT

Date: Mon, 23 Feb 2015 23:32:44 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015022
2005254Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20150222005254Z....20150301005254Z0...*.H........
.....Z....(.D9m..x.B.yx.I.^.../.}..<..<..&*......5..2.;:./..J..&
lt;....S.1"..s...=w.....{$$....q.^..8^-.V.......[SY..%.c6;s.4b..R\....
2....V~..l..=Z...P..........I..#.b..5_..D...e<....J...-.ZH..R,.U..P
F<.j..E[pTqP...N{p}v\.MY..J<P;j......gK...._.\ .....?qed....m'..
..#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....
US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...
2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign
 Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0.
..U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;0
9..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U..
.3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H......
.......0.........{(..t....2.Vf.....&;6).i*[email protected]._p.E.
6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.
'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......
PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E......
....0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........http
s://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSig
n's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... ..
.....0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B<<< skipped >>>

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 126

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.install_launched","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:15 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:15 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 127

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.install_completed","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:20 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:20 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..

GET /latest_updates/application.txt HTTP/1.1

Accept-Encoding: identity

Host: sump.uniblue.com.s3.amazonaws.com

Connection: close

User-Agent: Python-urllib/2.7


HTTP/1.1 200 OK

x-amz-id-2: RJ9 s3qhC2WWfSK7GP2yfAx8s7/wc5RyH9Fa9Z5VEbnKr5zug4m6q6iKhgAngi87PvbdP 3ZONY=

x-amz-request-id: 244622A598428C9C

Date: Mon, 23 Feb 2015 23:28:17 GMT

Cache-Control: max-age=86400, public

Last-Modified: Mon, 02 Feb 2015 10:06:08 GMT

ETag: "ee43fe28aafb80da3828de4c55a54451"

Accept-Ranges: bytes

Content-Type: text/plain

Content-Length: 7

Server: AmazonS3

6.0.6.1..

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 128

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.mypcbackup_offer_accepted","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:13 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:13 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 139

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.web","client_id":"","event":"prod.sp.third_party_offer_download_initiated","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:26 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:26 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?ab9ea1583eb9da57 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT

Accept-Ranges: bytes

ETag: "803565fb436d01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 57591

Date: Mon, 23 Feb 2015 23:28:23 GMT

Connection: keep-alive
MSCF............,...................I.................6Fm. .authroot.s
tl......8..CK...<T...g.v!M.d..f.%d..}K..5......dM*K..J.,%K"...!..=.
k..........{=/....{g.~...............'....6..N....w......(.$.>.7...
........'.....`.bx....^..$.'.^.K.C......<[email protected]
.....usXq.d.i.jF$.4.........KI.Q........A2m:..E.P|...(.^p..=G|.....m..
....  .6...H.e.....X'...%$r.Y.(..)........|...;...V^r.VM.._*X.I. ..4..
...*.....Y..`.0w.u...c.i.[..-...x..<.8.<.p..,..y.[v.Yn`......!.s
...4e......B...$.,..........w.Pd.)....,..#.%..h...8...`.A...8.i(.!.$/.
=.....i.\X.H......"...a...k...y6....F.._?\*.&..3.AJo.!..`....9....=.p.
u..u....f.f....w...?..S..I.;.....5._...F.f..G?$......."..kq.y'.6tJ.e%.
.G.n.....z<.pX"....1..g."........V:.H.-...!}LM..t..-.y.j&...n{..-.]
H. .....A.O.Xg..B...#[email protected]..*.....T...}o._./S..h@$
[email protected]..#.:?."....1..v.....&G...?O1x6"5.@..$.U...n.J...w
.Y.{..........E.N.&...&.rC..W.....M.........,.e.....&eI(/eSO.B..K...R.
 [email protected].....(..Y./;-..M5.0.H2.y....:...........a.U....%.S.).^.
...1.B..a..=...q...X .B....F.../..../.Z...'..t....C....,.^...N=..t%N|I
C.#.)6...q.E.J.i.E.>....".L........>...Vy.7.jxx......G........._
q.1^..H&.4Z......^.E.K 9.Xg...qO.6%>..T....;n..s.'u.-...=.........p
..p.Rn.........=.......F........d. d.AR.0U..........9b...=N..#....c.Ic
z......u.0............Y.q..b.wYE.......R...s..W....r].....hT....k.g..[
...s.....X..`=zb.>..../..=........J.N.h...(}.5.7. .;..=F..F...'.?..
2...3...=...B..`....{...f.`Kb..@..`Z.0!^8.t..<l.j..lI.P.q.>k<<< skipped >>>

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 137

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.third_party_offer_not_shown","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:09 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:09 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 125

Host: tracking.uniblue.com

{"recipient":"uniblue.sp-6_0_6_1.standalone","client_id":"","event":"prod.sp.install_started","buildtest_id":"","unit_id":""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Mon, 23 Feb 2015 23:29:11 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive

{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Mon, 23 Feb 2015 23:29:11 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..

HEAD /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 880208

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01

HTTP/1.1 200 OK..Accept-Ranges: bytes..Content-Length: 880208..Content
-Type: application/x-msdos-program..Etag: "4eb1b"..Server: downloads..
Vary: *..X-Content-Type-Options: nosniff..X-Frame-Options: SAMEORIGIN.
.X-Xss-Protection: 1; mode=block..Date: Fri, 13 Feb 2015 07:10:26 GMT.
.Alternate-Protocol: 80:quic,p=0.08..Last-Modified: Wed, 28 Jan 2015 2
1:47:00 GMT..Connection: keep-alive..Alternate-Protocol: 80:quic,p=0.0
1......

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=0-8292

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 8293

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 0-8292/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......{..5?.|f?.|f
?.|f$..f0.|f$..fa.|f$..f..|f$..f9.|f6..f4.|f?.}fO.|f$..f>.|f?..f..|
f$..f>.|fRich?.|f........PE..L...`M.T.....................X.......S
[email protected]....@.................
................4...x....`...............2..P<...`.................
.........................@............................................
text...!........................... ..`.rdata...1.......2.............
.....@[email protected]....,[email protected]........`.......
...............@[email protected].......`[email protected]...........
......................................................................
......................................................................
......................................................................
......................................................................
.....................................................U..3..}.....j....
[email protected],...t ...t..."[email protected].
.....][email protected]..([email protected]%[email protected].;.s.N...
.|O.u.;.r.3..........#._^][email protected][email protected].].P.u..E..{...
YY].U..QSVW3...JA.S........E......<..u>[email protected][email protected].
P.E.V.1.....YY..u..u.........E.....u.3._^[.......H........J........P.R
[email protected][email protected][email protected][email protected]....
.......;u.r.hW...........P..b..Y;E.s.......P.u.S..b..P.<....M..<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=8293-20644

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 12352

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 8293-20644/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
[email protected].........._^.U..QV....u.......vW.}...u.hW....U...
...H. .S.M........;}.w....Q.M...xQ...I...QP..l...}......I..<.W.u...
QP.8........x...;X....X...3.f..._^....V......W.P..V..:.|.;.u.3...@....
.5..j..v.........u..Y....F..G..F..D..P...VP.G.P.........._^.U...}..}.h
W....}.....3.A H..@. E...}..E..........]...h.....Q....V..W.....H.;.~..
..x..~.WV.2....-.@.;.}&.......@~.......... .....;.}......i..._^.U..Q.E
.SV.0.N..^...W.]..P...j..u.........u..u....E.;.}....D..PVP._.S......E.
.G.....F.......E._^..[...........9P.}...~.W.9j.RP.W._..u............V.
.W.....H.;.~....x..~.WV.2....-.@.;.}&.......@~.......... .....;.}.....
.f..._^.U..Q.E.SV.0.N..^...W.]..P...j..u.........u.......E.;.}...@PVP.
_.S......E..G.....F.......E._^..[...........9P.}...~.W.9j.RP.W._..u..&
gt;.........U...U..E.P.....][email protected]....
V.E..7...Y..t.SWVP.......YY..t....S.u..x..............u.W....@.@PWSV..
...P.0........x..u.;^....^.3.f..^_[9F.u.hW....u....E..E..E.PV.u.......
e...F......^..U..........3A.3..E.SVW.}.............u.hW........j...d.@
[email protected][email protected][email protected].................
Y......;H....H...3.f..H.M._^3.[[email protected].][email protected]
[email protected]...<.@._^[.
...U....\..SVW.........p.jD3..E.SP.u..nU..3..}[email protected]....
[email protected].~..v..E.P.Y....u..E.P.E.PSSh....SSSVS..@[email protected][email protected]....
F..x..._^..[[email protected]][email protected][email protected]....]
...U..V........E..t.V.mg..Y..^]...V......A......^.U.....VW.......3<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=20645-33938

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 13294

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 20645-33938/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
[email protected][email protected].|...Y3.W..d.@._..^..
.V.........u.j......Y..^.j.h..A.......u..........F$..t.P./...Y.F,..t.P
.!...Y.F4..t.P.....Y.F<[email protected]..
t.P.....Y.F\[email protected][email protected].....
Y.E......W...j..L...Y.E......~l..t#W.{...Y;=.:A.t....9A.t..?.u.W.....Y
.E..........V.E...Y.........u.j......Y..u.j......Y...Wh..@[email protected]
[email protected][email protected][email protected][email protected][email protected]....=.EA.
[email protected][email protected]..\[email protected]..`@..5.EA...E
[email protected][email protected]..
[email protected]@..5.EA......H0A....
tDh....j........YY..t0V.5H0A..5.EA.......t.j.V.,[email protected].@..
.....3.^[email protected]@.d.5.....D$..l$..l$. .SVW.
.3A.1E.3.P.e..u..E..E......E..E.d.......M.d......Y__^[..]Q..........U.
....S.].V.s.35.3A.W...E...E......{....t..N...3.8......N..F...3.8......
[email protected]..[..E..M....t_.I...[.L...D...E....E...t....D....E
[email protected]..}..t$.....t..N...3.8......N..V...3.:.z....E._^[..].
.E........M..9csm.u).=.[A..t h.[A...........t..U.j.R...[A.....M..U....
...E.9X.t.h.3A.W..........E..M..H......t..N...3.8......N..V...3.:.....
.E..H....z........9S...O...h.3A.W..............U.......3A..e...e..SW.N
.@......;[email protected][email protected][email protected][email protected]
..|[email protected].;[email protected].^_[..j.h..A..j.
[email protected][email protected]@[email protected]....<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=33939-54952

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 21014

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 33939-54952/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
[email protected]..... ..
..,.....$....!.....(..........,..........0..........4..........8......
....<[email protected][email protected]....
......T..........X..........\..........`....y......^]...U..V.u...tY..;
..:A.t.P.V...Y.F.;..:A.t.P.D...Y.F.;..:A.t.P.2...Y.F0;..:A.t.P. ...Y.v
4;5.:A.t.V.....Y^]...U..V.u..........F.;..:A.t.P.....Y.F.;..:A.t.P....
.Y.F.;..:A.t.P.....Y.F.;..:A.t.P.....Y.F.;..:A.t.P.....Y.F ;..:A.t.P..
...Y.F$;..:A.t.P.|...Y.F8;..:A.t.P.j...Y.F<;..:A.t.P.X...Y.F@;..:A.
t.P.F...Y.FD;..:A.t.P.4...Y.FH;..:A.t.P."...Y.vL;5.:A.t.V.....Y^]..U..
[email protected]...]_^[..]..L$..A..........t2.D$..H.3......U.h..P(R.
P$R........].D$..T$.........SVW.D$.UPj.h [email protected]$.d......
D$(.X..p....t:.|$,.t.;t$,v-.4v....L$..H..|...u.h.....D...I....D..._...
...L$.d........._^[.3.d.......y. [email protected]..;A...SQ..;A
..L$..K..C..k.UQPXY]Y[......W.....................te........f.o.f.oN.f
.oV f.o^0f...f..O.f..W [email protected]`[email protected]`f...p..
..........Ju...tI.......t.......f.o.f....v....Ju....t$.....t......v...
.Iu......t.....FGIu.X^_]...... . .Q.......t.....FGIu....t......v....Hu
.Y.....j.....@...[A.3........Q.L$. ..........Y.....Q.L$. ..........Y..
...f...QS.......u.........t7..$....f...f..A.f..A [email protected]`f
..Ap......Hu...t7.....t....I.f....I.Hu....t...3....t....I.Ju....t...AH
u.[X........ .3.R.....t...AJu....t....I.Ku.Z.U.............Q.L$. .....
#...%....;.r...Y.....$.-..........%[email protected]......&.Y.f...f<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=54953-75971

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 21019

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 54953-75971/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
.r.:.w...:.u....u.3.:.t......r.....[^_....U..V.u.WV.....Y...tP..[A....
[email protected];[email protected].@...
..3.V.1............[A.......Y.D0....t.W.....Y.....3._^].j.h..A.......]
....u....... ......................x.;..[A.r....... ..................
.......<..[A.............D0....t.S.w...Y.e.....D0..t.S.....Y.E....0
..........M...E...........E........].S.....Y...U..V.u..F...t...t..v...
....f.....3.Y...F..F.^]................D$..L$....L$.u..D$......S.....D
$..d$....D$.....[[email protected][email protected][email protected]...
[email protected]........ ;A.D.A.....KA.`.A...KA.
.v....................................................................
......................................................................
......................................................................
..................X...j.......................................&...<
...V...l.......................................([email protected]......
.............................4...D...`...t............................
..................."[email protected].... ... ... .........................
..... ...,...>...P...`...n...z.................................... 
... ..2 ..B ..T ..d ..z ... ... ... ... .......!..........x...........
z!..h!..N!..\!.......!...!............@...@[email protected]@..|@.:[email protected].
@..S@...........@...@.............................`M.T........(.......
....CorExitProcess..m.s.c.o.r.e.e...d.l.l...r.u.n.t.i.m.e. .e.r.r.o.r.
......R.6.0.1.9.....-. .u.n.a.b.l.e. .t.o. .o.p.e.n. .c.o.n.s.o.l.<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=75972-120112

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 44141

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 75972-120112/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
.............,.[%..0.[.JC..[];....(W.1........o...L.........z.:-.U....
C~k.....Lw..h6..a...j....d..g2u~..|S..!.j.X....2.Y\|...}.<.....b..v
...`.....v5..m....Y.?. ........!\,..].\..[@.m5..%....C..6L..J.....J,..
.p.k.m.r'...Qi.LM....V~..i....CO.X.7..F.>$#f.!.YZWH....o%...~x....:
.y"...........G......J..;.]6r[...h>........,s?../.T...?r@.&..~..~..
.l(........0.xx..w8...'>.Jv...s..0I<.....^.'H...f..L([email protected].
S}X.!tY.3.Du...T.....(..C......`"...0DfO........4E>...18dErI.3..,..
`.t.@:........v...].&........u...~...aF..(.g.:.38..&.e.0.XB.$H.'@....E
.XA`v..r..$%G.....>.....x........."!..!....X...j.....8.p...G....&7b
M........g......}..jIp..u..0....df.o...j41.wW.N......<..d'.....8.1'
c./%&.. ..@....=....&.....@.}.p....K...J.....q.2m...M.,..~.... =.m....
. ..7..R.t. M..........\O'..fXo8.`..#)....v.1.....Hb......ni.7._....[$
o"..*R...0....b...T.w.......}G.9...Dc.4...|..G..;y...X*..............`
.......,.......#....|..?(...hJdY...}1..p.>....s.e...y.(..8......-./
.>)...0...K.#)..AzI..............qH...9.H.H,..........W.... .4.c...
....."2.`h>.l1...P..T..f.3.Q-S.....=..".Z...5.W.`cEu...Y....!..f.hh
.....6... I)W.2..t.\...]@. 5.Q..[.`.....\.naRUt6...>.oo(..zCI..pD.V
o..vA.v.u....KC.......W.....NT........9..l0...P.&.~...i..:x.,G.....uh.
...0..#.G..>?.zg...a......jA..5.......E.V.PPTQ.8.W.!A.oB.....0..H.7
.....^..5...'.'..........`.g.gF.:.... .y*[email protected].~ 8....dF`....yAw
.{.M.=....f..s..7.;~..j....9.C.N.[.....a.=T. ........jQ...SG.R\/.,A...
,q.us........]o.([email protected]....>..jVK.s..[.nvW...<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=120113-210261

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 90149

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 120113-210261/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
mV..W{..P....._n9G..F.P\[email protected]../j..0.....m...Uo.2WiJ.
...x\\..-...3....e....^.. w...M..n.6'....7B...AM..nt..2[ .Y.E.b..c../g
.9....`........W........",....'..........`...R..6........t....~S..G...
..7E=p ...G..{.....L....O ..X~.|.......fd.L.v..... .....q..p.....s d..
T,;.?......&E......J0.t[.....0.....u.Tl4b..r.a%H.,....e......H.P.....x
.....20Yi...B.rLZ.....n.~.4....".........j........6...."\.3..j{..w.kWv
.G.P....B.H..I.7.D.u4..>..l.U.a<OS......]E...}.R\.....v?......C.
......O...L.;.wMN9qkK..<.h............4.y.k.G.......>....#.?/...
........v...!r... < ..../No.K)g<^......=..T... D....w.@..,....4$
""._..f:$[..kW..#..2.a.fsq.bk._l....s....;S..&..!........`.8eT...](P.?
.p...(..e.Spnd?....#.8.....*.R.<>.;..!...$s.S.......X...f....V..
..u.....<.2'..;D........Wwcx...K..py...."G...3 S............(....].
.!......f..5]....2h..A....Cm....R....,@...Imec.[..U...4Q.3.t<...#.e
 p~.2...M61...%..?.|q..<..Y...q,m.W.%.:...:.7..z....D..>hjv..%..
.f`S...S.l.^,._.k... .Jy.q..1. ....K. .O_.ix`..Y....;.T....r....G> 
.8...E....e.....a0..^}- .k...H..n/.....c......ZX.G.h..p..M......3....b
.........O:......b.V...e9>.........^.2....p.*72K.JQRy}......h...._.
P..t...h9#.o.xB.e.....*;..8.6=k..{.....O8...][...Q.2}4.r&9V"..!?...}..
...fg=.R.g**.>U...;(.<.g.*.......$y..B......4...%..C.^...{E..h.N
...DB..$./.].......][email protected]!9.{K\.....&
gt;...s...D ...).....\..}[email protected]\..... @..!O....1...........e..OW g.o5..
.4a..H.......p..A...v..,.....c......le....?OY..j.2...Pd.@*5.U.jK..<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=210262-392150

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 181889

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 210262-392150/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
F.i.....|..1X..w.1../7{Ce~.im*...>[email protected](...S.2=........W....
..cN..wk..p% ......Q.Ns.O...J.h.J....B~5>.H..e..... ..p.......#.).G
..atp..Z@}H...X.....UL..Z-..:i...NO..zEN...5..p.....4..P....#.........
.k......xT.~..h.noU$..>:`<&.\...:..P.... .....`.B.KM.`.J..JI.^.#
.T~\>...*.....\oI..'.D.k."..]..Qn.V"AB.............,@..eb..<..D 
...y.Q...U.....W.........b....X.....9..Hr*j..9].................u.5.sO
D..J....J).T].....xh}...."9.-C.,.=P............j....}....n........T.|*
....J.F..&....hf.gRe.........ew....F..5BF..q=..7...A7<.........q..v
.Kp.PtD.....a)..f.....-KY5hE\A..3..0..l!r.....:j..._a?...l)..K. ...35.
LoR.s.m.Z...x.\... 1......R).....h...!,......q.(...l..,. .#....6....%8
.....h...{bH....~......../.........$.\y.T....I7<.Y.n..sW.p.H/.$..g.
.B].R........1.\.=r.7k U.;.V...N.....P.....O...l..V......F<1[....0 
.......[.15...=..-.=.n8F....I._.....1xW..R.[.....z.>....w~.. `Q..h.
....P.4..'vO..4......v/R#...g.....2....K.=..X..#....U...S....i..9wj...
>..\ .|x8......)r.bn!..T..c.et....MG.=h..G...........E^,.....O...2y
.!r^i.4.W........6...[. ........O..Q.........8...%UL....M0=c2...z.U3..
.../.wpv..`a......~s.- ...7T.t.7.qEI.R......A..%f......o..Id.c..L}....
.p6.r....._R...k.....\X......j}..y[......../.f.U:.....X...\.c*~.d.a...
[email protected].[.g;.)..P.>....X.Y."d1.....4Y.
....S0U.=.l.G..,.d...pA....y.........]k.(......[.A.!......$..q...]..)(
g:e.?.^.a.9.m...%.......m .K..$.T....n...3..!.kV....... .3......%.....
2.....LL:5..D...y.....u.NJ..h.Z...t.j.g#.....J....<..,........_<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=392151-754903

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 362753

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 392151-754903/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
..[..QFt....p....~57....P>-.Y..=.......\........t..aY..Z..M....f1..
g.~(V..l.<r....=......].dy...oe..D.....A'...a@..=.|...B........G._8
...E.)..q.p!S....VU....Hp..:.. bP.}'. 8.W....Z.G%.W{...k.......[./....
.T.......]..fi..t.IU...b.$..>.P..'%....qmn...(.B(..\{......7<K..
m.U....i.........Ov.{...5dd.P..2*.X8[.=..,..!..6tRL'...!m} f......0.@.
....q1...NK.. ..lw.R..C....v.N.9...1.c..G.F.........$......O....$c....
..E:..n.....zOA._9?k.5o.E.......r\.]Q..nEx~5...M....\...i.=.$/.Nz.!..V
u0W.......e.]....Mq..x...}...f.v.....'.P.1.d..>..mw.;$/..c....N....
H,~.;..........w.Jq.R......M..-B9.n..2......0&Y*.....s.K. ...7Lw....{.
......Ym.=..g^.jEd....!..k|.e..-.3Ej....l..A.6s.3.`..~j...\%. ..W\7..g
..aq.UT..n..sr..l O {.E.:..:.P..9......R..^).d...F'2.......D...;..]..v
.g...w-.....Z......b...Z.`P8%.o.P.K..95.4....-.#..7(&...hX...I..]...L.
6.D.,./.)...h#_y....'.......;6.9...K.......-....~.St......r...A...x^W.
...Y......{S}.....*IuV,j...Au.=....../.i.. `.x..?^.,{fx.....z....%..~.
..d!...T....I}...54H.yc...qA..t.r2@;........e..../.2.#I..S. ..@L......
.Kc.iK......m[..A......*.....].-...../..u......ke.>.k.....$....2^.d
..mT.....#..Iq7.<:.............s?^n...k1`.....}..!.2..Lr]e..Wh....3
k?8..v.-..[..E.f&=vg..r.....J..y].....W..S\W.....[Q.7h2.."............
....6.......tfQ/.:.c~&.....\_..?..V.L...,.d..E...i..I....!...|..rs...z
..x. n...\..<..[.)=d.4...).GI...?..g.. X"..k;.F.}A..y..:.o.....|.d.
..kx..........!.].i.D.....\.Y@i .!_....g...p......F..9.W..B..H.T..[Tr&
lt;.. b.c..Q\..*`S..w...".J..W...*.........R...&......'.~~...*..5.<<< skipped >>>

GET /edgedl/update2/1.3.26.9/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1424748678&ip=193.138.244.231&ipbits=0&mm=28&ms=nvh&mt=1424734035&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,pl,shardbypass&signature=0B4D8E2CEA035F38DFC8B54D72AA61F4A763A10E.17C83EE4D6767609597F1B7E07D12BA1EF51FB55&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 28 Jan 2015 21:47:00 GMT

Range: bytes=754904-880207

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r2---sn-3c27ln7y.c.pack.google.com


HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 125304

Content-Type: application/x-msdos-program

Etag: "4eb1b"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Fri, 13 Feb 2015 07:10:26 GMT

Alternate-Protocol: 80:quic,p=0.08

Last-Modified: Wed, 28 Jan 2015 21:47:00 GMT

Content-Range: bytes 754904-880207/880208

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0.01
.......NL...IE]......)........A..........gng..K ]>....[....P..\:..d
1Y.#......s:..7...".B.h..>...*Y....Qp1.e.E.7.J. .kZ..n....{pQ....@.
s..).....)..w......I..(.0..k..JF.......".-/{.?.=V[G........{x...ZN.F.*
[email protected];G .......m.
C.2.A..G$g"V..x.YR...../ ....lU..7TlfY...^....7#x.....Z..^.pz.......}:
....].`.G.4.v ..{../9...)Z..wL n.%X`..zB.A-C....@5'.p<..&.L..c.2...
:Z.4...|R..d........RM...9Z.<....g..;.F...Z.<.........e...Y...-$
..u..0.......?5..6.$.]...-/...Zv......2_...%.....Oo...678T#&...K=em...
.............._%.![.Y..........O..>M........n....b.D......N48...We:
...\}u.Z.....1p.p......,....X..{FX..P....zz...zvs..../.}.st.x..3......
H.....FL!....9.n.:..nI..$.N....-...\..3..Q...q&.......Ut....Q.y/..9_J&
gt;.....>b.......)P.G..a?.....V....n.`Vf.&.Q/.Y..N.W>..j."j...!p
Hz=.....K*kT[:N.............<...c".~o......6...l$Y.~...2...3M.M..P.
F......\j......vdY.TN^..-;...f@.%.y.,.A....y.`7.T...A.9N-.VQ.3"...&]..
...9.E.U.q......BA....R7.$.W..'<#..(V.t....!..k]..0....I..o.d..JV_.
4."C|....N..oR...c&....!.w....z....L^..ZH.."...&.E.X........A-.c8...,u
H......`Q .....*!..4.I.V.....C.....)o..2.[t.*....\..s...-.../..=.z....
.y.....K..'\..!.o.^?.. ......H..2E...0....4-s.W.A..V.\..go........1.O.
..N 0..{.{..e..m...N....'.....J..Op...D..q....W.F..X/.......[jY..N.P.8
...{z..z..q`...Q...M.0...~...Qa...Ttq.....y.g0. k....4.?.;Qeh...{x..H.
Q.v.;|rm../.e.e...~.&Z.#.F?..#...t.Z.&..UU.R.....).V..su....om..:.....
g.4d..gb J.V..?.d^[email protected].?$Q.b...J.....k/E....`:,...<<< skipped >>>

GET /mypcbackup.1.5.0.2.101.7z HTTP/1.0

Host: cdn.backupgrid.net

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*


HTTP/1.1 200 OK

Date: Mon, 23 Feb 2015 23:28:07 GMT

Content-Type: application/octet-stream

Content-Length: 4072385

Connection: close

x-amz-id-2: rvBWQNQJ7KuIjwhUSPUlIXTt7nKUzff/Kv0cQizPgVKT2P74TGod8ZsgCOmuw63l

x-amz-request-id: 049436D880C30265

Last-Modified: Tue, 25 Nov 2014 19:49:29 GMT

ETag: "dea41132628ea08c816693a67102fd48"

Server: NetDNA-cache/2.2

X-Cache: HIT
7z..'.....p.|#>.....%........8l...`...\..I.})R...M.....f=o}.hcJ..7.
/.3..._....A.._-.PJE$..Y[f.j/..S.o;.r7J........E..."..j.....nb....I...
:....bal...?.....[.....S}....[. -...jG..U..y....8.....Q..,l........r..
.........W2]o.f....2..6.B....~.....#-..U)a.\.....q..!.../...A..6.A.p..
..P..7Vf....zki..Tx.h.B.6.u..x.txXD.)..k..U....Co...B..........q......
..C.\[email protected]*6...L.mni...dj....t.(..!.....'.
....Q.Q.|Rx............A...D......$....~...';.bU...\.<?#.X.....yu$.
...Y..t..BBh...M.........p...{_c..$Z.I..#b..Hd-6.....#&4=..v...5..i...
.........ouZ]K.^D.UK...b...Gu\.........i....f..I.w.....V.H.V.J&....W.h
O.......F..{S...W.(.....f..<.......Dg.d....{..$zkV..X...oc..... .!.
k.i..b. .Q(..p..w......&C.X..D.M.Y...PI...Ol.C ...M.wO...K.......lk...
.w..O.)...a`2.H..b:....w 7.WU@(8-....V....G.;......|.....q?|4.j....%..
.......Rg;.ZgN..~.............w*3...0.^.IySd...F_..6.".!..c.3...N:.kc.
._.R...[....o^..\..FmH....Q...T..T.O8....x\.>k'......<.^.\3NL1..
...v.n~O.=.F....Hp...,-GhuA..L.?......-.w.........J.R...<.......y.g
.......&.....J}..W...4...r..A...............R.R.m...yB....47.....5.!..
.....3.v.q.9]....S...(.3.!.iX........)...v...!G.#.]4....w..I4.?...`..E
..._.An.0........._..H... .q......h...W!....|..(...G[@.[..5Te..l..~.&g
t; ...|v..\.......K..........7ho..v4.ZHn. .. @.#.I. C`E.5....jx.....o.
).'{._.J.....t.c..........H,.7..d....`..J...........(..Q.5.)....8.).m.
N...;.......S."....a..:........?..~.....So(=....?5o.=...s<....6..&.
B......zD...%...'Pg7....'.>.~...h...2....S..".2......L..|r"?...<<< skipped >>>

The Malware connects to the servers at the folowing location(s):

speedupmypc.exe_3992:

.text

`.rdata

@.data

.rsrc

tCPV

USER32.dll

MSVCR90.dll

_amsg_exit

_acmdln

_crt_debugger_hook

GetProcessHeap

KERNEL32.dll

windows_exe

%s\%s

PYTHON27.DLL

zlib.pyd

ZLIB.PYD

<zlib.pyd>

Not enough space for new sys.path

no mem for late sys.path

PY2EXE_VERBOSE

PyImport_ImportModule

PyExc_ImportError

PyImport_AddModule

undefined symbol %s -> exit(-1)

Importer which can load extension modules from memory

s#sss:import_module

MemoryLoadLibrary failed loading %s

Could not find function %s

import_module

import_module(code, initfunc, dllname[, finder]) -> module

_memimporter

%Program Files% (x86)\Uniblue\SpeedUpMyPC\library.dat

%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe

%Program Files% (x86)\Uniblue\SpeedUpMyPC

speedupmypc.exe

library.dat

windows_exet

.logc

The logfile '%s' could not be opened:

See the logfile '%s' for details(

C:\jenkins\jobs\sp\workspace\env\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyR

C:\jenkins\jobs\sp\workspace\env\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyt

zipextimportert

<install zipextimporter>R$

library.dats

app.main(

joint

__import__t

bootstrap_main.pyR$

sS.vX6y]<z^?{_>{^<|Z2zU({P

mS2udP{rf

{`.sP

333333330

3333333333330

3333333333333333

3333333333333333330

333333333337

333333333333

3333333333

33333333

333333333333330

33333333333333330

3333333338

33333333333

<asmv3:windowsSettings

xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />

<assemblyIdentity type='win32' name='Microsoft.VC90.CRT' version='9.0.21022.8' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b' />

<!--Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!-- Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

6.0.6.1

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

TPAutoConnSvc.exe:1776
aff_setup.exe:2016
speedupmypc.exe:3448
install.exe:3508
thirdpartyinstaller.exe:2284
TrustedInstaller.exe:408
sp-standalone-setup.exe:2044
sp-standalone-setup.tmp:2520
%original file name%.exe:2944
GoogleUpdate.exe:3776
GoogleUpdate.exe:3924
GoogleUpdate.exe:2324
GoogleUpdate.exe:3340
GoogleUpdate.exe:3572
GoogleUpdate.exe:4064
GoogleUpdate.exe:2064
makecab.exe:3068
CloudBackup9837.exe:108
vcredist_x64.exe:3552
taskeng.exe:2348
MyPC Backup.exe:1848
GoogleUpdateComRegisterShell64.exe:3692
GoogleUpdateComRegisterShell64.exe:1276
GoogleUpdateComRegisterShell64.exe:1452
f0834957b00846ac1ff5ca65e22e2f24.tmp:3640
GoogleUpdateSetup.exe:3772
Delete the original Malware file.
Delete or disinfect the following files created/modified by the Malware:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\nsisdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff2.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff5.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data1.dat (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff4.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data2.dat (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\readme.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff3.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff1.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data3.dat (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj9D0B.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse9CEB.tmp (10479 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CloudBackup9837.exe (18611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (327 bytes)
C:\Windows\Tasks\SpeedUpMyPC Subscription.job (702 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\SpeedUpMyPC\error.log (5943 bytes)
C:\Windows\Tasks\SpeedUpMyPC Maintenance.job (702 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\libcef.dll (10562 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\icudt.dll (2183 bytes)
C:\Windows\Tasks\SpeedUpMyPC Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI4520.txt (122198 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWLB902.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI4520.txt (210781 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (266 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\installer_mypcbackup.log (853 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (19520 bytes)
C:\Windows\winsxs\Temp\fe7f2076c04fd001450000009801dc0a\fe7f2076c04fd001470000009801dc0a_vcomp90.dll (120 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a (4 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001130000009801dc0a_msvcm90.dll (1526 bytes)
C:\Windows\System32\config\SOFTWARE (50992 bytes)
C:\Windows\winsxs\Temp\97fde475c04fd001280000009801dc0a (4 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db1a-917a-11e2-9ef7-000c29a8bd90}.TMContainer00000000000000000002.regtrans-ms (28680 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\53aac375c04fd001230000009801dc0a_mfcm90u.dll (670 bytes)
C:\Windows\winsxs\Temp\5cd60f76c04fd0013f0000009801dc0a (4 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001330000009801dc0a_mfc90esp.dll (130 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001120000009801dc0a_msvcp90.dll (7701 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd0013b0000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001340000009801dc0a_mfc90deu.dll (670 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001320000009801dc0a_mfc90esn.dll (130 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001100000009801dc0a_manifest (5 bytes)
C:\Windows\winsxs\Temp\81103d76c04fd0014c0000009801dc0a\81103d76c04fd0014e0000009801dc0a_catalog (22 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\f348c175c04fd001210000009801dc0a_mfc90u.dll (38780 bytes)
C:\Windows\winsxs\Temp\519fb075c04fd001180000009801dc0a\519fb075c04fd001190000009801dc0a_manifest (760 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\53aac375c04fd001240000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001370000009801dc0a_mfc90ita.dll (129 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\5cd60f76c04fd0013f0000009801dc0a\5cd60f76c04fd001400000009801dc0a_manifest (766 bytes)
C:\Windows\Logs\CBS\CBS.log (87580 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001140000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\8cc68575c04fd001090000009801dc0a (4 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (51344 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001310000009801dc0a_mfc90cht.dll (79 bytes)
C:\Windows\winsxs\Temp\519fb075c04fd001180000009801dc0a\519fb075c04fd0011a0000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\97fde475c04fd001280000009801dc0a\97fde475c04fd0012a0000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\97fde475c04fd001280000009801dc0a\97fde475c04fd001290000009801dc0a_manifest (760 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd0012f0000009801dc0a_manifest (13 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (78601 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\5cd60f76c04fd0013f0000009801dc0a\5cd60f76c04fd001410000009801dc0a_catalog (21 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\f348c175c04fd001200000009801dc0a_mfcm90.dll (670 bytes)
C:\Windows\winsxs\Temp\81103d76c04fd0014c0000009801dc0a\81103d76c04fd0014d0000009801dc0a_manifest (676 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001300000009801dc0a_mfc90chs.dll (78 bytes)
C:\Windows\winsxs\Temp\8cc68575c04fd001090000009801dc0a\8cc68575c04fd0010b0000009801dc0a_catalog (21 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (1640 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\f348c175c04fd001220000009801dc0a_mfc90.dll (38780 bytes)
C:\Windows\winsxs\Temp\a6c95375c04fd001020000009801dc0a\072b5675c04fd001050000009801dc0a_catalog (21 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (8790 bytes)
C:\Windows\winsxs\Temp\93e7be75c04fd0011e0000009801dc0a\93e7be75c04fd0011f0000009801dc0a_manifest (6 bytes)
C:\Windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin (4409 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (15608 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001350000009801dc0a_mfc90enu.dll (113 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001360000009801dc0a_mfc90fra.dll (670 bytes)
C:\Windows\System32\config\COMPONENTS.LOG1 (191164 bytes)
C:\Windows\winsxs\Temp\8cc68575c04fd001090000009801dc0a\8cc68575c04fd0010a0000009801dc0a_manifest (760 bytes)
C:\Windows\winsxs\Temp\8ed19875c04fd0010f0000009801dc0a\8ed19875c04fd001110000009801dc0a_msvcr90.dll (4811 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd0013a0000009801dc0a_mfc90rus.dll (127 bytes)
C:\Windows\winsxs\Temp\fe7f2076c04fd001450000009801dc0a\fe7f2076c04fd001460000009801dc0a_manifest (864 bytes)
C:\Windows\winsxs\Temp\fe7f2076c04fd001450000009801dc0a\fe7f2076c04fd001480000009801dc0a_catalog (22 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001390000009801dc0a_mfc90kor.dll (95 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (8230 bytes)
C:\Windows\winsxs\Temp\a6c95375c04fd001020000009801dc0a\072b5675c04fd001040000009801dc0a_atl90.dll (853 bytes)
C:\Windows\winsxs\Temp\a6c95375c04fd001020000009801dc0a\072b5675c04fd001030000009801dc0a_manifest (859 bytes)
C:\Windows\winsxs\Temp\d945f375c04fd0012e0000009801dc0a\d945f375c04fd001380000009801dc0a_mfc90jpn.dll (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-QKMEI.tmp\sp-standalone-setup.tmp (50 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-2CNU2.tmp (13 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-7VP56.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-98ML1.tmp (2105 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-DNRNQ.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\de\LC_MESSAGES\is-PVP1A.tmp (58 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\es\LC_MESSAGES\is-45FV2.tmp (60 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\fr\LC_MESSAGES\is-BVL58.tmp (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SpeedUpMyPC.lnk (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-F5EQA.tmp (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-R82NO.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\is-N9L1N.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-HSD82.tmp (1281 bytes)
C:\Users\Public\Desktop\SpeedUpMyPC.lnk (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-C7UCQ.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\is-6LJC3.tmp (3361 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-KKVOT.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-07D74.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-1HFBF.tmp (197872 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-5A7P3.tmp (18934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\printer.bmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\speedupmypc.exe (291 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-E63OK.tmp (11 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-052F4.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-Q6TH3.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Microsoft.VC90.CRT\is-744GK.tmp (524 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-E2I70.tmp (10 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\en\LC_MESSAGES\is-D9M5I.tmp (53 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locales\is-GHQB1.tmp (4 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-9U1A9.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\license.en.rtf (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-I0JU8.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-JAR7P.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\fi\LC_MESSAGES\is-MG1JN.tmp (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\ru\LC_MESSAGES\is-FJL3C.tmp (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-BSNOI.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-RJDBT.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\no\LC_MESSAGES\is-8RL8M.tmp (56 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\pt_BR\LC_MESSAGES\is-97D8E.tmp (58 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\da\LC_MESSAGES\is-JSA8A.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\notcertified.bmp (45 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-HRTP4.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\ja\LC_MESSAGES\is-USU79.tmp (62 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-J99TD.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\it\LC_MESSAGES\is-267G7.tmp (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-2NSF5.tmp\InstallerExtensions.dll (715 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.exe (49 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\fonts\is-BQTD6.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-2B3E6.tmp (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\sv\LC_MESSAGES\is-MCJNB.tmp (56 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\SpeedUpMyPC\SpeedUpMyPC.lnk (1 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\Third-party Terms\is-R23LK.tmp (112 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\locale\nl\LC_MESSAGES\is-I3URQ.tmp (57 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-6CBIV.tmp (30490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-02-24 #002.txt (456415 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-BNB3O.tmp (42037 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\is-QPFHH.tmp (107054 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\SpeedUpMyPC\Uninstall SpeedUpMyPC.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GG5JD.tmp\f0834957b00846ac1ff5ca65e22e2f24.tmp (50 bytes)
%Program Files% (x86)\Google\Update\Install\{B8883498-A8EA-481A-ADFD-598CCBB0653A}\GoogleUpdateSetup.exe (7721 bytes)
%Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.26.9\GoogleUpdateSetup.exe (6841 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_et.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_iw.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ro.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (12490 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_da.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_el.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_bn.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_mr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sr.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_te.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_cs.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psuser.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psmachine_64.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ko.dll (70 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_zh-CN.dll (64 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ms.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ar.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_th.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_vi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_tr.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_de.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe (105 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe (4210 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fi.dll (78 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_en.dll (40 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_lv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_pl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdate.dll (32380 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateWebPlugin.exe (105 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ta.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdate.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psuser_64.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\psmachine.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_id.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_nl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_kn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sv.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_pt-PT.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_it.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_lt.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fa.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_is.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_no.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.25.11 (28 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ml.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_es-419.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateSetup.exe (20458 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sw.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (105 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_uk.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_hi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ca.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_es.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_pt-BR.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_fil.dll (79 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdate.dll (49 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_zh-TW.dll (64 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_gu.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_bg.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ur.dll (78 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_am.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateHelper.msi (56 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_hr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ja.dll (71 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sk.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_hu.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_ru.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_en.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_en-GB.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\goopdateres_sl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9\GoogleUpdateComRegisterShell64.exe (1738 bytes)
C:\Windows\Logs\CBS\CbsPersist_20150223232840.cab (11744 bytes)
C:\Windows\Temp\cab_3068_6 (8 bytes)
C:\Windows\Temp\cab_3068_5 (76 bytes)
C:\Windows\Temp\cab_3068_4 (564989 bytes)
C:\Windows\Temp\cab_3068_3 (76 bytes)
C:\Windows\Temp\cab_3068_2 (564989 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (2809 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (6442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EA.tmp (16365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjA1EB.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (327593 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (276767 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1042.txt (650 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.3082.txt (12 bytes)
C:\6ab8995d4d9ae8d59ce668\vc_red.msi (3176 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1042.dll (1988 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\6ab8995d4d9ae8d59ce668\globdata.ini (1 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1028.txt (3 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1028.dll (1130 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1041.dll (1126 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1031.dll (1160 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1049.dll (1720 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1036.dll (1355 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.1040.dll (2110 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.2052.txt (3 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.3082.dll (989 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1036.txt (12 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\6ab8995d4d9ae8d59ce668\install.ini (844 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1033.txt (10 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1031.txt (229 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\6ab8995d4d9ae8d59ce668\vcredist.bmp (5 bytes)
C:\6ab8995d4d9ae8d59ce668\$shtdwn$.req (788 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1040.txt (657 bytes)
C:\6ab8995d4d9ae8d59ce668\install.exe (13918 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\6ab8995d4d9ae8d59ce668\install.res.2052.dll (1632 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1049.txt (13 bytes)
C:\6ab8995d4d9ae8d59ce668\vc_red.cab (65618 bytes)
C:\6ab8995d4d9ae8d59ce668\eula.1041.txt (5 bytes)
C:\6ab8995d4d9ae8d59ce668\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB8F2.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB8F3.tmp (2784 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\notcertified.bmp (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\microsoft_partner.bmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\aff_setup[1].exe (35858 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\sp_logo.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\backupmypc_check_mark.bmp (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-02-24 #001.txt (24403 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\backupmypc_logo.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\license.en.rtf (601 bytes)
%Program Files% (x86)\Uniblue\SpeedUpMyPC\thirdpartyinstaller.exe (339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\sp-standalone-setup.exe (104952 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-F9MF8.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SpeedUpMyPC-standalone-setup[1].exe (1604115 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateBroker.exe (52 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psuser.dll (165 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ru.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateWebPlugin.exe (52 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ms.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_te.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_pl.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_nl.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_et.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_bg.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_hi.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fr.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ja.dll (35 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ko.dll (34 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_de.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sk.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ml.dll (41 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sw.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sr.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_kn.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_is.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_lt.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateComRegisterShell64.exe (115 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_lv.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psmachine.dll (165 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fa.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleCrashHandler.exe (232 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ur.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psuser_64.dll (188 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fi.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_th.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ar.dll (36 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_pt-PT.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\psmachine_64.dll (188 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_am.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateHelper.msi (28 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_tr.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_uk.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_iw.dll (36 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_zh-CN.dll (32 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_es-419.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_cs.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_no.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sv.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_en-GB.dll (37 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_es.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_sl.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_vi.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_bn.dll (39 bytes)
%Program Files% (x86)\GUTBFA7.tmp (6 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_fil.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ca.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_pt-BR.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateSetup.exe (6841 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_it.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_mr.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_zh-TW.dll (32 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdate.exe (217 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_hu.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\GoogleUpdateOnDemand.exe (52 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_gu.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_id.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ta.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_da.dll (38 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_el.dll (40 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_hr.dll (39 bytes)
%Program Files% (x86)\GUMBFA6.tmp\goopdateres_ro.dll (39 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Sample_f0834957b0

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Sample_f0834957b0

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet