SearchProtectToolbar_pcap_5bd032c3d5

by malwarelabrobot on April 27th, 2015 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 5bd032c3d5d4a28f624dbf49476077e6
SHA1: 977c2a4999c1383a56ede8d9db2444b81af01949
SHA256: 790b55bb7bb1bcdb0630c045acd0879dab965b25841c2fb5873519f2558605a3
SSDeep: 6144:FQqTbUzFxusbxMsk09N0cxtN60UD7ZqXJgN8/p6wIqnlPpKLVW uE9CTqM oUmb:P4z3usbxZltL3UhqXJg /p6clkhHmqMJ
Size: 356408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:41
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

pcspeedup.exe:3936
install.exe:2612
PCSUService.exe:604
PCSUService.exe:3100
PCSUService.exe:3444
cvs_mystartsearch.exe:948
BaofengUpdate.exe:3384
BaofengUpdate.exe:2892
nssCF71.tmp:3176
ProtectWindowsManager.exe:3500
ProtectWindowsManager.exe:3460
PCSUSD.exe:4000
ProtectService.exe:3668
ProtectService.exe:3684
wpm_v20.0.0.2227.exe:3440
MSI106D.tmp:3272
pcspeedup.tmp:3952
VOPackage.exe:1780
XTab_Setup2253.exe:3544
HPNotify.exe:3756
coregen.exe:3664
coregen.exe:3576
coregen.exe:3472
coregen.exe:3460
coregen.exe:1132
coregen.exe:3624
coregen.exe:336
coregen.exe:3440
coregen.exe:3208
coregen.exe:3392
coregen.exe:3144
coregen.exe:1244
coregen.exe:2060
coregen.exe:3080
coregen.exe:1108
SpeedCheckerService.exe:3264
cmdshell.exe:3740
%original file name%.exe:2192
PCSUSpeedTest.exe:3468
regsvr32.exe:4004
regsvr32.exe:1072
nssCF72.tmp:3656
Skyhook.exe:912
Silverlight.exe:3240
PCSUNotifier.exe:3972

The Trojan injects its code into the following process(es):

MsiExec.exe:2188
DTLite4461-0327.exe:3840
SpeedCheckerService.exe:2188
nsissetup.exe:2868

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process pcspeedup.exe:3936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-PAARG.tmp\pcspeedup.tmp (50 bytes)

The process install.exe:2612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SilverlightMSI.log (90000 bytes)
C:\135c1e3ab58ad80afdd7f364\install.res.dll (397 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Silverlight0.log (6780 bytes)
C:\135c1e3ab58ad80afdd7f364\Silverlight.msp (3692 bytes)

The process PCSUService.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (13980 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService.log (1858 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService-Timer.log (99 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (3898 bytes)

The process PCSUService.exe:3100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSUService.log (521 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (27960 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (7797 bytes)

The process PCSUService.exe:3444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSUService.log (4961 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (20970 bytes)
%Program Files% (x86)\PC Speed Up\PCSUSpeedTest.exe (16 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (9551 bytes)

The process cvs_mystartsearch.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_1.ipk (37339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\quick_searchff#5.4.10.xpi (1209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe (19594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\2[1].zip (291497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\UninstallManager.exe (15958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BaofengUpdate.exe (1206 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg.png (1209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\sweetsearch!1.0.0.1031.xpi (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tCE1709AA862C234DD936mp.tmp (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\DataBase (7769 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\conf (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\428.json (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_2.ipk (28823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\428.db (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\1[1].zip (195558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe (3249 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\scrollbar.bmp (37 bytes)

The process BaofengUpdate.exe:3384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\428.db (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe (86 bytes)

The process BaofengUpdate.exe:2892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\googlelogo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\restoreprefs.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\properties.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\default_logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A987.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es-419\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en-US\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\index.html (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\last_tab.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\common.js (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\misc.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\search.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg.png (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pl\locale.properties (1 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\icon.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\google_trends.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\tr\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome.manifest (1 bytes)
%Program Files% (x86)\Mozilla Firefox\browser\searchplugins\mystartsearch.xml (565 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\scrollbar.bmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\style.css (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\stat.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\addonmanager.js (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\newtab.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\preferences.js (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\logo.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\js.js (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\ga.js (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A998.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\vi\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\remoterequest.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\settings.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\misc.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\428.json (520 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\aes.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.xul (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\speed_dial.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe (14022 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\simple.css (4 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\fvd.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code2.jpg (4 bytes)

The process nssCF71.tmp:3176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\0[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84C9.tmp (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B6Z6HGT4.txt (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\0[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp (43 bytes)

The process ProtectWindowsManager.exe:3500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)

The process PCSUSD.exe:4000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\PC SpeedUp Service Deactivator.job (336 bytes)
%Program Files% (x86)\PC Speed Up\Sqlite3.dll (585 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (6990 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (8187 bytes)

The process ProtectService.exe:3668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (876 bytes)

The process ProtectService.exe:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\IHProtectUpDate\update\conf (5 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (32 bytes)

The process wpm_v20.0.0.2227.exe:3440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)

The process MSI106D.tmp:3272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coregen.exe (69 bytes)

The process pcspeedup.tmp:3952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\unins000.exe (49 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (1 bytes)
%Program Files% (x86)\PC Speed Up\is-SBV4J.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Silverlight.exe (1738736 bytes)
%Program Files% (x86)\PC Speed Up\is-0OS0F.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SNE55.tmp (20 bytes)
%Program Files% (x86)\PC Speed Up\is-29LNJ.tmp (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SG3HV.tmp (54589 bytes)
%Program Files% (x86)\PC Speed Up\is-F2546.tmp (31891 bytes)
%Program Files% (x86)\PC Speed Up\is-8PBKC.tmp (673 bytes)
%Program Files% (x86)\PC Speed Up\is-6KBMV.tmp (48 bytes)
%Program Files% (x86)\PC Speed Up\unins000.msg (864 bytes)
%Program Files% (x86)\PC Speed Up\is-3GVGP.tmp (3361 bytes)
%Program Files% (x86)\PC Speed Up\PCSULauncher.exe (81 bytes)
%Program Files% (x86)\PC Speed Up\is-IPS4T.tmp (23 bytes)
%Program Files% (x86)\PC Speed Up\is-8FSMN.tmp (2321 bytes)
%Program Files% (x86)\PC Speed Up\is-65J6L.tmp (1 bytes)
%Program Files% (x86)\PC Speed Up\is-PB612.tmp (601 bytes)
%Program Files% (x86)\PC Speed Up\is-RIIRJ.tmp (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PCSUNotifier.exe (2465 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PopupNotification.dll (2321 bytes)
%Program Files% (x86)\PC Speed Up\is-V7JN2.tmp (6841 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Sqlite3.dll (3361 bytes)
%Program Files% (x86)\PC Speed Up\SpeedCheckerService.exe (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\PC Speed Up\App.config (3718 bytes)
%Program Files% (x86)\PC Speed Up\is-S2DD8.tmp (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\PC Speed Up\is-V94DR.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-S7P3F.tmp (28 bytes)
%Program Files% (x86)\PC Speed Up\is-BSQHS.tmp (2321 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService.conf (605 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-JF5OQ.tmp (1 bytes)
%Program Files% (x86)\PC Speed Up\is-EKJKL.tmp (265 bytes)
%Program Files% (x86)\PC Speed Up\is-QCKKO.tmp (889 bytes)
%Program Files% (x86)\PC Speed Up\is-3GHQ8.tmp (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\delete_me_reportInstall.txt (2 bytes)
%Program Files% (x86)\PC Speed Up\is-1IA04.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-26 #001.txt (585081 bytes)
%Program Files% (x86)\PC Speed Up\is-A5LBU.tmp (2105 bytes)
%Program Files% (x86)\PC Speed Up\uninstaller.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\WebBrowser.dll (2763 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-55LAA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-C42T5.tmp (7 bytes)
%Program Files% (x86)\PC Speed Up\is-50NHH.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\Desktop\PC Speed Up.lnk (1 bytes)
%Program Files% (x86)\PC Speed Up\is-QOQI6.tmp (47 bytes)
%Program Files% (x86)\PC Speed Up\unins000.dat (53168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BA2BP.tmp (601 bytes)
%Program Files% (x86)\PC Speed Up\PCSUSD.exe (405 bytes)
%Program Files% (x86)\PC Speed Up\is-95IRN.tmp (601 bytes)
%Program Files% (x86)\PC Speed Up\is-0OSRR.tmp (7726 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService.exe (446 bytes)
%Program Files% (x86)\PC Speed Up\is-MBUJ4.tmp (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MNGUG.tmp (4 bytes)
%Program Files% (x86)\PC Speed Up\is-LMJL1.tmp (12 bytes)
%Program Files% (x86)\PC Speed Up\is-1MP8Q.tmp (601 bytes)

The process VOPackage.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF41B.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD83B.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF611.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn8ABB.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEEDA.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy87EC.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp (3656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD53D.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF778.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\WmiInspector.dll (2840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd8944.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF2E2.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoFA58.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiD28C.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst900B.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8646.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst9192.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8480.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage\Configure.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\stats[1].htm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD907.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD134.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\IpConfig.dll (3440 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD6E3.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\vnstF593.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy92EA.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd9442.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoD3E5.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEDA1.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\heu39T.nss (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\VOPackage.exe (1748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF1B9.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe (1336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF8D1.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd95C9.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\Uninstall.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\count_vn[1].htm (2888 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF080.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyCD6E.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8E45.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\count_vc[1].htm (5984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp (7288 bytes)

The process MsiExec.exe:2188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\SLMSPRBootstrap.dll (618 bytes)
%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll (65 bytes)

The process DTLite4461-0327.exe:3840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ELL.dll (3406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\favicon.bmp (894 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHT.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupHelper.exe (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChrome.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LTH.dll (3722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageTrialInfo.ini (796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\RUS.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\License.rtf (814 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-header.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PTB.dll (5114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-wizard.bmp (7192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SLV.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PLK.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageEmail.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ReinstPage.ini (478 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BIH.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\InstallOptions.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.bmp (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SVE.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll (165851 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SKY.dll (3410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ESN.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChromeIcon.bmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ITA.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ENU.dll (3722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HEB.dll (3402 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HRV.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ARA.dll (3402 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy51F.tmp (316027 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\AFK.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NLB.dll (3718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LVI.dll (1913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DAN.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ioSpecial.ini (8566 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\JPN.dll (2461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KOR.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FRA.dll (5123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\OCSetupHlp.dll (27504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DAEMON_Chrome.bmp (7192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHS.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\MountSpace.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPagePaidInfo.ini (7109 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CAT.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\translate-icon.bmp (894 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gcapi_dll.dll (16424 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\share-icon.bmp (838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupWaitPage.bmp (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DEU.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Toolbar.exe (20624 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FIN.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HUN.dll (3402 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gtapi.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\IND.dll (3722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ROM.dll (3406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\license.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CSY.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\TRK.dll (2465 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KAT.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\moutspace-bg.bmp (22552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NOR.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Chrome.exe (20624 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DTSetupHelper.exe (6532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\GLC.dll (1917 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BGR.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\WaitPage.ini (642 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\UKR.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SRL.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\System.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageType.ini (9662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HYE.dll (3402 bytes)

The process XTab_Setup2253.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
%Program Files% (x86)\XTab\skin\btn.png (2 bytes)
%Program Files% (x86)\XTab\install.data (68 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
%Program Files% (x86)\XTab\conf (1638 bytes)
%Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
%Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
%Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\ver.txt (47 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
%Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
%Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
%Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (29 bytes)
%Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
%Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
%Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\main.xml (4 bytes)
%Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
%Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (21280 bytes)
%Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
%Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
%Program Files% (x86)\XTab\web\js\js.js (18 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\logo.png (5 bytes)
%Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
%Program Files% (x86)\XTab\web\main.css (19 bytes)
%Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\close.png (3 bytes)
%Program Files% (x86)\XTab\web\data.html (20 bytes)
%Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
%Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
%Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files% (x86)\XTab\skin\about.png (4 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxE3BA.tmp\System.dll (23 bytes)
%Program Files% (x86)\XTab\skin\settings.png (5 bytes)
%Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
%Program Files% (x86)\XTab\web\js\common.js (2 bytes)
%Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
%Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files% (x86)\XTab\msvcp110.dll (16990 bytes)
%Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)

The process HPNotify.exe:3756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\conf (1498 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (24 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (24 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (24 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (49 bytes)

The process coregen.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.ni.dll (8729 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.dll (32 bytes)

The process coregen.exe:3576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll (932 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.dll (49 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.ni.dll (13798 bytes)

The process coregen.exe:3472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll (17751 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.dll (49 bytes)

The process coregen.exe:3460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll (940 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.ni.dll (5844 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.dll (24 bytes)

The process coregen.exe:1132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll (94223 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.dll (323 bytes)

The process coregen.exe:3624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.ni.dll (123677 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.dll (520 bytes)

The process coregen.exe:336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll (413065 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.dll (49 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll (612 bytes)

The process coregen.exe:3440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll (652 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll (20039 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.dll (65 bytes)

The process coregen.exe:3208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll (17059 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.dll (73 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll (922 bytes)

The process coregen.exe:3392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll (460 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.dll (131 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.ni.dll (40448 bytes)

The process coregen.exe:3144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll (616960 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coreclr.dll (291 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorrc.dll (12 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.dll (49 bytes)

The process coregen.exe:1244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.dll (229 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll (70955 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll (579 bytes)

The process coregen.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll (224946 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.dll (561 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll (900 bytes)

The process coregen.exe:3080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\system.dll (241 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll (544 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll (71603 bytes)

The process coregen.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll (1548 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.dll (438 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll (106612 bytes)

The process SpeedCheckerService.exe:2188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6B84D30E5F69CEB3278532D063D4504 (25 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (704 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
%Program Files% (x86)\PC Speed Up\Speedchecker.log (4481 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
%Program Files% (x86)\PC Speed Up\agsXMPP.dll (540 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6B84D30E5F69CEB3278532D063D4504 (324 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)

The process SpeedCheckerService.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallState (196 bytes)
%Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallLog (720 bytes)
C:\Windows\System32\config\SYSTEM (3355 bytes)
%Program Files% (x86)\PC Speed Up\InstallUtil.InstallLog (684 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4619 bytes)
%Program Files% (x86)\PC Speed Up\Speedchecker.log (50 bytes)
C:\$Directory (768 bytes)

The process cmdshell.exe:3740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\HPNotify.exe (675 bytes)

The process %original file name%.exe:2192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe (12626 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll (30 bytes)

The process PCSUSpeedTest.exe:3468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\ManagedWifi.dll (36 bytes)
%Program Files% (x86)\PC Speed Up\SharpBrake.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)
%Program Files% (x86)\PC Speed Up\Skyhook.exe (184 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (848 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
C:\Windows\System32\config\SOFTWARE (116274 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
%Program Files% (x86)\PC Speed Up\Speedchecker.log (73491 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (848 bytes)
C:\Windows\System32\config (5376 bytes)
C:\$Directory (3840 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (160036 bytes)
%Program Files% (x86)\PC Speed Up\SpeedChecker.dll (94 bytes)

The process nsissetup.exe:2868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\progress.zip.part (5654 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\index.html (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\index.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\dad4890a8fda856f77d8f153dc13db68\VOPackage.exe.part (20091 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\uifile.zip.part (1968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\index.html (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\index.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\progress.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\index.html (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLGD123.tmp (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\index.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe.part (903094 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\index.html (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\css\style.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\last.zip.part (1968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe.part (421975 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo.png50x50[1].jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\uifile.zip.part (2937 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\noconnection.html (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\uifile.zip.part (2933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\uifile.zip.part (2933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\base.zip.part (1964 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\css\style.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress-bar.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\262bebb37d687dabfd48d85e0de76564\cvs_mystartsearch.exe.part (45604 bytes)

The process regsvr32.exe:1072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSUHelper.dll (286 bytes)

The process nssCF72.tmp:3656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QGQ329ST.txt (106 bytes)

The process Skyhook.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\wpsapi.dll (49 bytes)

The process Silverlight.exe:3240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\135c1e3ab58ad80afdd7f364\silverlight.7z (100007 bytes)
C:\135c1e3ab58ad80afdd7f364\$shtdwn$.req (788 bytes)
C:\135c1e3ab58ad80afdd7f364\install.res.dll (6178 bytes)
C:\135c1e3ab58ad80afdd7f364\silverlight.msi (364 bytes)
C:\135c1e3ab58ad80afdd7f364 (4 bytes)
C:\135c1e3ab58ad80afdd7f364\install.exe (3678 bytes)

The process PCSUNotifier.exe:3972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PopupNotification.dll (442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Sqlite3.dll (585 bytes)

Registry activity

The process install.exe:2612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework]
"DbgPackShimPath"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process cvs_mystartsearch.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "64 D4 4F 80 CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "7B 16 12 A0 CE 7F D0 01"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process BaofengUpdate.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process BaofengUpdate.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Mozilla\Extends]
"AppID" = "[email protected]"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%windir%\System32]
"ie4uinit.exe"",-738" = "Start Internet Explorer without ActiveX controls or browser extensions."

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Search Page" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Search_URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"DisplayName" = "mystartsearch uninstall케猩u"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "mystartsearch"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Mozilla\Extends]
"UID" = "535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Start Page" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%systemroot%\system32\windowspowershell\v1.0]
"powershell.exe"",-111" = "Performs object-based (command-line) functions"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Page_URL" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command]
"(Default)" = "%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe -ptid=cvsï¼€u"

[HKLM\SOFTWARE\Wow6432Node\mystartsearchSoftware\mystartsearchhp]
"Time" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
"(Default)" = "%Program Files% (x86)\Google\Chrome\Application\chrome.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\mystartsearchSoftware\mystartsearchhp]
"oem" = "cvs"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"
"Search Page" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"Publisher" = "mystartsearch"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"
"DisplayName" = "mystartsearch"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKCU\Software\Mozilla\Extends]
"ptid" = "cvs"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe"

[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"[email protected]" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\[email protected]"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "mystartsearch"

The process nssCF71.tmp:3176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "CA C0 4D CF CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "EB 6E 2B EB CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process ProtectWindowsManager.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "20 E9 C3 CC CE 7F D0 01"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "20 E9 C3 CC CE 7F D0 01"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process ProtectWindowsManager.exe:3460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
"EventMessageFile" = "C:\ProgramData\WindowsMangerProê—“}"
"TypesSupported" = "7"

The process ProtectService.exe:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\IHProtect]
"ptid" = "cvs"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process ProtectService.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"AutoConfigURL"
"ProxyServer"

The process wpm_v20.0.0.2227.exe:3440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\supWindowsMangerProtect]
"ptid" = "cvs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process MSI106D.tmp:3272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process pcspeedup.tmp:3952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Icon Group" = "PC Speed Up"
"MajorVersion" = "3"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"affid" = "2380"

[HKLM\System\CurrentControlSet\services\kbdhid\Parameters]
"CrashOnCtrlScroll" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"UninstallString" = "%Program Files% (x86)\PC Speed Up\unins000.exe"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"UniqueID" = "BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"QuietUninstallString" = "%Program Files% (x86)\PC Speed Up\unins000.exe /SILENT"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"UniqueID" = "BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayIcon" = "%Program Files% (x86)\PC Speed Up\Icon.ico"
"Inno Setup: App Path" = "%Program Files% (x86)\PC Speed Up"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"AVList" = "&av=301"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayName" = "PC Speed Up"
"InstallLocation" = "%Program Files% (x86)\PC Speed Up\"
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Speedchecker Limited\PC Speed Up]
"UniqueID" = "BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"InstallDate" = "20150426"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"SpeedTest" = "RUN"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"InstallDate" = "20150426"
"CountryCode" = "uk"

"Uninstaller" = "%Program Files% (x86)\PC Speed Up\unins000.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"MinorVersion" = "9"
"Inno Setup: Language" = "uk"
"NoModify" = "1"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CampaignID" = "ppi_2380_installer"

[HKLM\System\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Publisher" = "Speedchecker Limited"
"EstimatedSize" = "15320"

[HKLM\System\CurrentControlSet\services\PCSUService]
"Group" = "UIGroup"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"RequestID" = ""

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ConfigCountryCode" = "UA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayVersion" = "3.9.8.0"

[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "1"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"keyword" = ""
"ApplicationPath" = "%Program Files% (x86)\PC Speed Up"
"CrashDumpEnabled" = "2"
"Installer" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"URLInfoAbout" = "http://www.pcspeedup.com"

[HKLM\System\CurrentControlSet\Control]
"ServicesPipeTimeout" = "60000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Setup Version" = "5.4.3 (u)"
"NoRepair" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCSpeedUp" = "%Program Files% (x86)\PC Speed Up\PCSUNotifier.exe"

The process VOPackage.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\System\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "CA C0 4D CF CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"source" = "CO18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "7B 16 12 A0 CE 7F D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe"
"Publisher" = "CMI Limited"
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"stats" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"DisplayName" = "Remote Desktop Access (VuuPC)"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process MsiExec.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

[HKLM\SOFTWARE\Microsoft\PlayReady]
"DataPath" = "C:\ProgramData\Microsoft\PlayReady"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

The process DTLite4461-0327.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\DT Soft\DAEMON Tools Pro\View]
"Language" = "1033"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\DT Soft\DAEMON Tools Pro\Data]
"google_chrome_time"
"(Default)"
"google_chrome_res"
"google_toolbar_res"

The process XTab_Setup2253.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\XTab"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = "1"

[HKLM\SOFTWARE\Wow6432Node\supTab]
"ptid" = "cvs"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02"
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
"(Default)" = "SupTabLib"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURL" = "http://www.bing.com/favicon.ico"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
"(Default)" = "IETabPage Class"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = ""

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"DisplayName" = "Bing"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconURL" = "http://www.google.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}"

[HKLM\SOFTWARE\Wow6432Node\SupDp]
"dir" = "%Program Files% (x86)\XTab"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconURL" = "http://do-search.com//favicon.ico"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"TopResultURL" = "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"TopResultURL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"CheckedValue" = "PMIL"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"DisplayName" = "Google"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"DisplayName" = "e"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"DefaultValue" = "PMIL"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process SpeedCheckerService.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 F5 AD 0B CC"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"FileTracingMask" = "4294901760"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates]
"F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"

The process SpeedCheckerService.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"AutoBackupLogFiles" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\System\CurrentControlSet\services\eventlog\Application\SCService]
"EventMessageFile" = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

The process %original file name%.exe:2192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe -- %original file name%.exe 890 00000208 00000210 {3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}]

The process PCSUSpeedTest.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Progress" = "5"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_CountryCode" = "CH"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Ping" = "54"
"ST_Domain" = "151.236.26.173"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_TimeStamp" = "2015-04-26 03:12:24"

[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 F5 AD 0B CC"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Download" = "16618.204"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Status" = "Started"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_AvailableServers" = "SE;Stockholm;46.246.126.220|CH;Zurich;151.236.26.173|IT;Milano 1;149.154.157.241|"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Upload" = "27110.400"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Server" = "Zurich"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Ping"

[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates]
"F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Status"
"ST_TimeStamp"
"ST_Progress"
"ST_AvailableServers"
"SpeedTest"
"ST_Download"
"ST_Upload"
"ST_Server"

The process nsissetup.exe:2868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"fdwSupport" = "1"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 02 00 00 00 32 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "64 D4 4F 80 CE 7F D0 01"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFormatTags" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFilterTags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"fdwSupport" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"cFormatTags" = "2"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 31 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 11 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFilterTags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"fdwSupport" = "1"
"cFormatTags" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 06 00 00 00 12 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process regsvr32.exe:4004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\ProgID]
"(Default)" = "PCSU.SysUtils.1"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\Version]
"(Default)" = "1.0"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry]
"(Default)" = "RegistryHelper Class"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}]
"(Default)" = "SysUtils Class"

[HKCR\PCSU.SysUtils.1\CLSID]
"(Default)" = "{B89F5C49-51DB-4974-AB5A-E25901AA339C}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}]
"(Default)" = "IRegistryHelper"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\PC Speed Up"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\ProgID]
"(Default)" = "PCSU.Registry.1"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\PC Speed Up\PCSUHelper.dll"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}]
"(Default)" = "RegistryHelper Class"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0]
"(Default)" = "PCSUHelperLib"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"(Default)" = "%Program Files% (x86)\PC Speed Up\PCSUHelper.dll"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}]
"(Default)" = "ISysUtils"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\VersionIndependentProgID]
"(Default)" = "PCSU.SysUtils"

[HKCR\PCSU.SysUtils.1]
"(Default)" = "SysUtils Class"

[HKCR\PCSU.SysUtils]
"(Default)" = "SysUtils Class"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}]
"(Default)" = "IRegistryHelper"

[HKCR\PCSU.Registry\CurVer]
"(Default)" = "PCSU.Registry.1"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.SysUtils\CurVer]
"(Default)" = "PCSU.SysUtils.1"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PCSU.Registry.1\CLSID]
"(Default)" = "{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}]
"(Default)" = "ISysUtils"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\PC Speed Up\PCSUHelper.dll"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\VersionIndependentProgID]
"(Default)" = "PCSU.Registry"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry.1]
"(Default)" = "RegistryHelper Class"

The process nssCF72.tmp:3656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "CA C0 4D CF CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "A9 26 1D EB CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
44a7a613955e6346114916eb3c117f3f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.VisualBasic.dll
2d30a65d2152d72a610f0fe655d01b3a c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.dll
d2e99a5ce4a6efa6bd95204f7ae1b823 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.ni.dll
83b3db8c65d6c7652ddf49bf1c4d8c81 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.dll
8b89c45532b7b07cf713a7c0a3c883ba c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll
48b41e220f21695c167fc14d3955588e c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.dll
62847c2c65e237ebbe43a996c5789778 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll
4924780102d2b69938c03068b7c0434c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\SLMSPRBootstrap.dll
c10d58e141182bc336b2f14e384a32d7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Silverlight.Configuration.exe
85559ad0709874a7549642e8e0f86b28 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Silverlight.ConfigurationUI.dll
56c8a1037f2375349c1fbb901b851426 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.dll
276241c60d7362b1155b8883bad57504 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll
6c6de2aabcda5387f6aa7d54f3f73fef c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.dll
e5e29b8cdaa45c68fd4fd28982433b73 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll
ee74def85ed6a7481af475a5dc65d7c9 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.dll
d544ce7b48c5c48d205dfee0f8e9815b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll
2f012e35c12e683e913a50a59b8aedd8 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.dll
708454805d9182e135f3ab4642baa24a c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll
5e06acd3f66dd01700c89b61df135aa4 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.dll
c630e411a1c9a991c0e8543200f44656 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.ni.dll
eabad6b4b57655c9c8bb25970f32a964 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.dll
f5f5034e67d00fce80bd3f5c9df494dc c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.ni.dll
c9409e4b4c35f5720a572f4963471c0e c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.dll
a3f8a97c0b0efabc8213ddebc9230323 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.ni.dll
342288601aa90e1b270419249ec6e43b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.dll
e9eef35471cbef94e520a62d20efdd73 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.ni.dll
a937f6473a8db558ca1e2ba5351938c6 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.dll
d48ccdf3f666c7562029aa96628857a2 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll
15e78e524918f73f22b9a798eace9ae3 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.dll
3e947c88a7f04e4896928b58fd896af7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll
53d9b6167e73d48c94dd30d8d114ecde c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll
4ee7f6e2852c7afa7fbc95bc6d1da5ce c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\agcore.dll
4315c405baf5bf92f92cf478dffc9ca5 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\agcp.exe
aead1b166e25e4794d47778e6af76dff c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\Microsoft.VisualBasic.resources.dll
4491868178049c94979fe1b92ce0e425 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\mscorlib.resources.dll
345e2d39fbfe27b8828b8ac42abe2435 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\mscorrc.dll
2faefe792fa8bb78d6f5ef20443bd673 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\system.resources.dll
18e30e5d7e9385a22881a9b21b67f1f6 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\Microsoft.VisualBasic.resources.dll
5f41f2f7487fd53388b522e798a27dda c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\mscorlib.resources.dll
a46bc4c044564141ae33dd6f531602b0 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\mscorrc.dll
264927cd33c64e23a84eaaa14b572655 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\system.resources.dll
841d35b03c37cfaba9c079003a5afd92 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\Microsoft.VisualBasic.resources.dll
ac67be81d31b85f3d6296ad5ad7a6a0f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\mscorlib.resources.dll
4127e7f310e9e33027a53cf7ff8d461f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\mscorrc.dll
55e4488dd13515c21e808797e7dc2ecf c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\system.resources.dll
f769a78b415031fb8c62b64a4df70402 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\coreclr.dll
a6eb1d987243861267101e7a07a94cd6 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\coregen.exe
3f4e34200e3062cbad41d672e96b58be c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\Microsoft.VisualBasic.resources.dll
f1fbfd6acfcfa2ea15493f45ca6e8359 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\mscorlib.resources.dll
23ba8ffaac071f05bdb95c651122dd14 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\mscorrc.dll
8b5929a2e8f6f2f2f8dd14400bc6f15f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\system.resources.dll
f31c8c869f1a5709da849bb658da7c1b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\Microsoft.VisualBasic.resources.dll
73708f057fddf619d99cfd8a0c29eed4 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\mscorlib.resources.dll
4f044fe5f71a79eb50be78c314216dec c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\mscorrc.dll
bd2af65cfb0e30301dffecc06dfa03e7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\system.resources.dll
2319c9029c693d636ff96a47f327b624 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\Microsoft.VisualBasic.resources.dll
588858360fc177afea606f569b90e502 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\mscorlib.resources.dll
795da5b7057c9c268030690ee253e288 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\mscorrc.dll
784f0445fdda500cb8b834d67f5e175a c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\system.resources.dll
180c41dedde5bcdfdb3b817b76ed6803 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\Microsoft.VisualBasic.resources.dll
e9f11e43483e0dde9fa3f81f9bcf95e1 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\mscorlib.resources.dll
70cde4f000da32fe0ef5e629aaf64e84 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\mscorrc.dll
70a17515b2680d7f4494589c0313a939 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\system.resources.dll
09df8b997b28f189436064a26be6d992 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\Microsoft.VisualBasic.resources.dll
fe3dafda9a7f64fb55edfa5dc9db5763 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\mscorlib.resources.dll
5d17519c98e3667247d94ad450ade2fe c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\mscorrc.dll
3474490c9110675524110d76ebff5388 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\system.resources.dll
e9294d118f6f7f901bdcad6ca413eb65 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\Microsoft.VisualBasic.resources.dll
10ed5feb6cdfc797446b4343e0e678ba c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\mscorlib.resources.dll
447180e743e96e61726a2935bb6320ac c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\mscorrc.dll
b90f99d3bd937b2d013939a353d033fe c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\system.resources.dll
ac0608c0d022738f5bd28d9556309d5c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\Microsoft.VisualBasic.resources.dll
c55916d87f40793d84088365b9989326 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\mscorlib.resources.dll
96f9a1fa5ac8fab13401bda693dd87ba c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\mscorrc.dll
f548d99f60c55eb0cb3ae769a1b5b0d7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\system.resources.dll
a8318822f2b610798015442411be8219 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\Microsoft.VisualBasic.resources.dll
9361a64298ee0d54390afcbecd004bff c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\mscorlib.resources.dll
254757711a62fb942c331beba8b80a47 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\mscorrc.dll
0a3ebba35f4796a45a529e97810abdc4 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\system.resources.dll
4821acd9b8bfd6e7e8594e7d272bca9f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\Microsoft.VisualBasic.resources.dll
c09c612d1c02d171de368b4fcb3a1132 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\mscorlib.resources.dll
1fed4926c3f3f0a0a15ba69dc7132bb9 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\mscorrc.dll
0b5ed90dc3901e881a9d445e28bd0b54 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\system.resources.dll
bea69ced18cfebf0f67007d0769d55f2 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\Microsoft.VisualBasic.resources.dll
18860994ab1d09ff10c059804bf02a2f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\mscorlib.resources.dll
2c589401d3fd26878caa33cb1d8b0400 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\mscorrc.dll
0a77717b4ec2f62b6d0f1aa9f20d563c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\system.resources.dll
28d60dc96ce0a9d22d0718a3b65b876c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\Microsoft.VisualBasic.resources.dll
549ff0dd051b70c441bd54691e4cc739 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\mscorlib.resources.dll
f0cc18d981ce20108d2c8f1a06c886c7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\mscorrc.dll
75e304bc278fe41f9bc3f90a2a000811 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\system.resources.dll
14e68af2041d601dc928f74ae9e36f6c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\Microsoft.VisualBasic.resources.dll
34489de23d4bfbf02f7381caa6eec6ec c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\mscorlib.resources.dll
4f86a4f6dfe5c6eca2a26604e0f5e1ad c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\mscorrc.dll
4a47045e3db6b295792c03b91ce3cf60 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\system.resources.dll
820edb415ccdc654b2202a1cc3d369f8 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\Microsoft.VisualBasic.resources.dll
a11cb549a8acbdaf5a9e25daf319c157 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\mscorlib.resources.dll
0ad56078008c35ea46e70e4753c9ba55 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\mscorrc.dll
9f899aec8f7d21c4ef05a1e40fcfb13f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\system.resources.dll
137677a2e5623b754ac4306589d7df52 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\Microsoft.VisualBasic.resources.dll
8c34a24d9d358cdec09438389ff74940 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\mscorlib.resources.dll
ff66d398dfff7b706661cacd91eb1d7c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\mscorrc.dll
bfb50b8c5d4673ec46003a5cf2e22ba7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\system.resources.dll
4016a5ae3fedc51a6e5b4f71a31ff476 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\Microsoft.VisualBasic.resources.dll
fc92e1abcf9a37c07d1f56a9d14a131e c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\mscorlib.resources.dll
6d4ef84a43957ed53e17076b49c25a49 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\mscorrc.dll
1014172ed25c43f771e370a272d89605 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\system.resources.dll
7cd93f2d2462d65e92eb75c5065662d5 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\Microsoft.VisualBasic.resources.dll
d3eec38f0735ea0546adf199f9a42d42 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\mscorlib.resources.dll
4c518a6e2967ef659e352a6c834bdc89 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\mscorrc.dll
20ff98ad45e7b1082295ff4d3655d7f3 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\system.resources.dll
fb1715aa866cab7db7e1fa6a75718e82 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\Microsoft.VisualBasic.resources.dll
7d3c2857974ff7043088b0b8d32243e7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\mscorlib.resources.dll
360b0cd903015fd1a443bce16d06d983 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\mscorrc.dll
351e338b52777247c7e62a2880de6a5b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\system.resources.dll
289aec20f98defd43fe7b16eea402fed c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\Microsoft.VisualBasic.resources.dll
3fc989186d7ed0da90f7da49e9baa874 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\mscorlib.resources.dll
16fc0902a1a7af7c76a8ddfa84f8ff57 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\mscorrc.dll
5ac55d999c52c254c5329b5347d297e9 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\system.resources.dll
f458ff1a4c2d48254b24f44e3950c250 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\Microsoft.VisualBasic.resources.dll
b5680243f335b28af8473c1328c31584 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\mscorlib.resources.dll
ca502c22de889a9f28a29caacb9545d6 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\mscorrc.dll
1b45a994c693ba7d388d4b64050c63df c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\system.resources.dll
1cb16e581e2355fbb86c78cde60ff3e3 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.dll
03a718e09ea1e561c261e1dd0ffd4afc c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll
756cfae0b81be30f903fde796267e368 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\mscorrc.dll
16e0ae792ed1b7814ad52c37587323bb c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\Microsoft.VisualBasic.resources.dll
54e38ff06897fc4bc27630a73a971e0b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\mscorlib.resources.dll
80268fbe25edb57486bfca9773cbb79c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\mscorrc.dll
dd90d0551aeea77ee44dcde76fe1715a c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\system.resources.dll
87a905bafa19225e970d032971a5bb3c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\Microsoft.VisualBasic.resources.dll
df4bd2a6ad2f73b5015d93c6c3c228d5 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\mscorlib.resources.dll
7d0c626e2dc8f0376f13ce2d42608322 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\mscorrc.dll
d88b57a1b3e5da5ee33258721b1b16d5 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\system.resources.dll
893bf7d2261c56c24f813405d9d018e0 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll
8da2ed6b04ea33f2eae8ba883f903729 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
8162e6043daba4971f6b8bdf47968de3 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\Microsoft.VisualBasic.resources.dll
971562b310cf55a0405b811c57c06f7f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\mscorlib.resources.dll
10741b4b1d22fa77c2c77f2ca7d599bc c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\mscorrc.dll
facf9822ff983e641934fd0a12cfdaba c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\system.resources.dll
ca29c362b39e008913aee94492410f69 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\Microsoft.VisualBasic.resources.dll
36ff74cc03c17b353413e51716f53cc5 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\mscorlib.resources.dll
8402aa257ae8c85544aedce3ca94e550 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\mscorrc.dll
7d6c1223a1b36af1091ece13e37e2c79 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\system.resources.dll
dcfe976a4e2b277820b1cd8118fbbce4 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\Microsoft.VisualBasic.resources.dll
792af39f32f13ea2eafc8e1415ce9af0 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\mscorlib.resources.dll
c0c215cdf31ba724d72a575dcfcd1cba c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\mscorrc.dll
e5fca8e93c103c44fce9e3782d33de81 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\system.resources.dll
87517a204f53f92cbaede953464c2c44 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\Microsoft.VisualBasic.resources.dll
52f469cdf0c02fae4afc0efd433569a3 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\mscorlib.resources.dll
c687cf1bfba5c29100c7badfb70d6bae c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\mscorrc.dll
fe910815fe7b7dfd59e2aa14492ca109 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\system.resources.dll
2b2eafc59ea959cfc4c3f0c5d11a43cd c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\Microsoft.VisualBasic.resources.dll
a11a0a637a17cbbc7ff7b194aeba1c72 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\mscorlib.resources.dll
3b504eba88b956c14279151f803b4a85 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\mscorrc.dll
809625ef867dfdfe8d3b7e0d1d27234b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\system.resources.dll
8d1494e7e8a2f83e4d962f87259d22b8 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\Microsoft.VisualBasic.resources.dll
ee3a2d02aa33bd8e2ded883c870a71bc c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\mscorlib.resources.dll
3cd628af65cf85f0a02fab784c31595f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\mscorrc.dll
fabd9bf37e4471343b188ebfb5820f18 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\system.resources.dll
f47733116d55209cce9f9da10402ffa0 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\Microsoft.VisualBasic.resources.dll
a092710a007cbe654f8c987a8338201b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\mscorlib.resources.dll
dae6994e8ba5c665b72bd1adf0288db9 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\mscorrc.dll
28dd0107ed3238180063f3a3f41d11ee c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\system.resources.dll
41b91f0782e500cf8b63ded7fbcd812f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\Microsoft.VisualBasic.resources.dll
2d0d3475f078db74be9eabb9ec1c6ac1 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\mscorlib.resources.dll
c9e6c96c732306cc9d871dcbcb357c93 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\mscorrc.dll
839e7abcdb6a058bbb1cce9161265f81 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\system.resources.dll
37b3eacf8145fafa57af5278378ce21f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\Microsoft.VisualBasic.resources.dll
39cc6097739bf44c14ef036cf1f310cc c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\mscorlib.resources.dll
f74ea592c35fc8ec9eaa4ed7897cf879 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\mscorrc.dll
40f8462e48da5dd64037a9107c634ea1 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\system.resources.dll
419c5c54cfcf5af26d7dd5ce8321309e c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\Microsoft.VisualBasic.resources.dll
da25d839a93068d7ef2bf78e4b986519 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\mscorlib.resources.dll
4b82085a57061df5f4e5505d3c76880a c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\mscorrc.dll
516d1dc039a784e67f73c679416e8cc1 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\system.resources.dll
9c641e70ad7f26f6ef006d0bc22875be c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\system.dll
073b16bd67f4b43a7736f6a728ce5b25 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\Microsoft.VisualBasic.resources.dll
75db1e8393968bfb2c86207f8eaf604a c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\mscorlib.resources.dll
e125316ed76cf593cedadddcc3e077d9 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\mscorrc.dll
c94daf3826915f9c67f889e2f938d19f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\system.resources.dll
3a5a482e5735c0cc0612f6ec585d1aab c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\Microsoft.VisualBasic.resources.dll
f1d96b7609c5a295d768a09a26ccca01 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\mscorlib.resources.dll
905d9bf18ea3365fbc18938cf9916551 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\mscorrc.dll
83da04138530cce3c46e8586445996b7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\system.resources.dll
d9f7b2f82160cd2c77fee6a6b544e93b c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\Microsoft.VisualBasic.resources.dll
8edd44b943235871a720bd52baae189c c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\mscorlib.resources.dll
93ad5c3edd47fe400154ab70fe2f1029 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\mscorrc.dll
f5c3130a6532d8b620e428f2a61753dc c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\system.resources.dll
73bf154dc7ec08897aeac36f768e62d2 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\Microsoft.VisualBasic.resources.dll
a258474d2b4ef33ac3fe2e26c7727adb c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\mscorlib.resources.dll
bb90c2f8c1ed522b924169f0e131884f c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\mscorrc.dll
255dcdf47229587046a8597d4e8af5af c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\system.resources.dll
044312764bb4a8b842bb192c4f4216b4 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\Microsoft.VisualBasic.resources.dll
27e68fa359d4940aff22708fd10fbc2d c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\mscorlib.resources.dll
34dda034e940f6adf325a430bd7cf5b7 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\mscorrc.dll
d499f0165528a2d08fa299ffd2792c63 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\system.resources.dll
edb4930390c4995447bebe75b5ae19de c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\Microsoft.VisualBasic.resources.dll
7e9597fb7f0b7d15ef698601981da6ba c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\mscorlib.resources.dll
8e71d73c5dd196346fe580864c354231 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\mscorrc.dll
eddaf9f8b76b6c2355e24eab0825b057 c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\system.resources.dll
be0de0030a07c0e2adcb2d00c2b5bb1c c:\Program Files (x86)\Microsoft Silverlight\sllauncher.exe
cfbe6ac308ddcbcef06658a5a1b82948 c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll
0ecc954ab71b850e438d0b8526db9e01 c:\Program Files (x86)\PC Speed Up\Common.Logging.dll
b42ca2d572854bb967800bba8b6e2e6b c:\Program Files (x86)\PC Speed Up\FileUploader.exe
49ca5298b7ffbe3e7a6310461dd146da c:\Program Files (x86)\PC Speed Up\ManagedWifi.dll
a0e65e9c544769db4f93fc5218360d00 c:\Program Files (x86)\PC Speed Up\PCSUHelper.dll
265eeda920d608d7858a37a519b6e212 c:\Program Files (x86)\PC Speed Up\PCSULauncher.exe
d909405a1af3faefec58113fb89a8fb4 c:\Program Files (x86)\PC Speed Up\PCSUNotifier.exe
7d3cc1e5a02079da66a28dc636dcfd64 c:\Program Files (x86)\PC Speed Up\PCSUQuickScan.exe
f45785ae72c6fa7e645597542e33cb19 c:\Program Files (x86)\PC Speed Up\PCSUSD.exe
e6bd031b2eaf9c5e966d0535569e4f4a c:\Program Files (x86)\PC Speed Up\PCSUService.exe
3ceda9c3318d4e5aa13d64572bdfa09b c:\Program Files (x86)\PC Speed Up\PCSUSpeedTest.exe
a5d866d482a18d324492e7d1de9b57ca c:\Program Files (x86)\PC Speed Up\PCSUUCC.exe
0744c4851a307a9258b6750fe8fd5872 c:\Program Files (x86)\PC Speed Up\PCSpeedUp.sys
6f41ef91f5744f70a0bc59f6c0edff98 c:\Program Files (x86)\PC Speed Up\PopupNotification.dll
4925c74a98afbaf271d6513599be7155 c:\Program Files (x86)\PC Speed Up\SharpBrake.dll
94794cb85a65beca0c153528faa27bdf c:\Program Files (x86)\PC Speed Up\Skyhook.exe
b84604b780b136e5b81345b06d4d0551 c:\Program Files (x86)\PC Speed Up\SpeedChecker.dll
7c8c94cb80a9a83f6dc04894d6e843c6 c:\Program Files (x86)\PC Speed Up\SpeedCheckerService.exe
24d9f00e1604db8ff49f599dea248fac c:\Program Files (x86)\PC Speed Up\Sqlite3.dll
0fbe91d8b0bb7f5784a31bd5c2875aa2 c:\Program Files (x86)\PC Speed Up\agsXMPP.dll
a1e59cd38160bcdfc61f383741ba7ade c:\Program Files (x86)\PC Speed Up\qs64.dll
6b2b214c4bc2dad2e86b1cc41f42ab92 c:\Program Files (x86)\PC Speed Up\unins000.exe
916672bbbecfb618456cd1b99eb4399c c:\Program Files (x86)\PC Speed Up\wpsapi.dll
0183c88583bbf1c99d67acce017c9beb c:\Program Files (x86)\XTab\BrowerWatchCH.dll
fd0b82d24d162e240931cfd5540d3021 c:\Program Files (x86)\XTab\BrowerWatchFF.dll
5785680870eff9ba7b4f58c726552013 c:\Program Files (x86)\XTab\BrowserAction.dll
b124f96efd0010e4f7e262f08519e9e4 c:\Program Files (x86)\XTab\CmdShell.exe
77ccf1c943665ececf9a5ce699560500 c:\Program Files (x86)\XTab\HPNotify.exe
4a345a11cc64ab72cb09ff391611dad0 c:\Program Files (x86)\XTab\IeWatchDog.dll
cc709fa63d5a536a2f8275c0cea39070 c:\Program Files (x86)\XTab\ProtectService.exe
efa257c845943b84922117758c955434 c:\Program Files (x86)\XTab\SupTab.dll
3e29914113ec4b968ba5eb1f6d194a0a c:\Program Files (x86)\XTab\msvcp110.dll
4ba25d2cbe1587a841dcfb8c8c4a6ea6 c:\Program Files (x86)\XTab\msvcr110.dll
e29708f3781e5790424ca59a0fbb1bd3 c:\Program Files (x86)\XTab\uninstall.exe
8a8f5ebe2fd9c2e6325723209b9cdf32 c:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
8a8f5ebe2fd9c2e6325723209b9cdf32 c:\Users\All Users\WindowsMangerProtect\ProtectWindowsManager.exe
b3113668f356c345dd1efae531e257f8 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\count_vc[1].htm
f99ba617f06b2dfd62cd23ae7c9484fd c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\count_vn[1].htm
08caec472db03f5ea68e2b097fdfb502 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe
beb43f12e33b63594c924db62cfe7c3c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe
148bdbdcbac38fbf0b4d3c145e9b0199 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\262bebb37d687dabfd48d85e0de76564\cvs_mystartsearch.exe
64caebfbdca2ef8ec782c7ad90e20360 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\dad4890a8fda856f77d8f153dc13db68\VOPackage.exe
f02155fa3e59a8fc48a74a236b2bb42e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll
4f88bef9204d347c0d1c99d7be7baae8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DTSetupHelper.exe
67d8f4d5acdb722e9cb7a99570b3ded1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\InstallOptions.dll
7062b63645101a612ce0f69e7453abbb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Chrome.exe
35798a34ca30a4a4a37b635318d8c959 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Toolbar.exe
d932447f25f3a284fcf7191231867e55 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\AFK.dll
a41dbfb0724d40810e97726ba2bbb7ca c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ARA.dll
587017cdee10b1899638489737c04c0b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BGR.dll
dc0b79c33d48466f5260ea87421b23ca c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BIH.dll
9d364f08d8d0a0271ece8dd3b26efd82 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CAT.dll
23b0a273336d3e55daf1bee481569dac c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHS.dll
56c05b61e6d34f64a86dd938746f0fe6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHT.dll
13c02b3862d5f4df0a6d97fb04c192f6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CSY.dll
780175961ed15067d17e2ca33102e040 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DAN.dll
9ccefd9de90dba00f2e87acb15f28257 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DEU.dll
31d21a47452ad4054de43ea84bf086a5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ELL.dll
64353d862197de70e813ea385c71cd70 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ENU.dll
425420280f09987b6354dcdaa70acbda c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ESN.dll
903a1ba5bb47b9e70818d565004d14c7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FIN.dll
3a5a4ac2f9d8b76fcaa0fcf477d66feb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FRA.dll
07c509d1d4298a59f3fc1f84bcc0adbd c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\GLC.dll
ed58d1766f15770175a94af2fdacfcff c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HEB.dll
219d08d6af054298d19d2f40ec7b57f0 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HRV.dll
85069620b785602b5721842bf4245dd8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HUN.dll
50d93fbb149d210ce5132f6bec8dbd8f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HYE.dll
ecdf1900557afaea53a458b21d826b41 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\IND.dll
10ca143d83a7655994af434cb19bb0d6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ITA.dll
78f48e394542c0b5160f2c584672a3bb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\JPN.dll
c443e20a057a8bfb968d05c99d2d5f14 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KAT.dll
8146c0f238fb5ea36e495cba62f9e83b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KOR.dll
5991794939c6019129934beabb2df27a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LTH.dll
1bef1cce3a582cfdd7eee57d7cc4caef c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LVI.dll
45896e78ae455c17a9538b1cc8a8394d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NLB.dll
225b686f7985c10f529418a236ea7151 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NOR.dll
02172c552b7fac544f302a69c9d94655 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PLK.dll
4c4d4741f7499eecc4e73b925f8bbe82 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PTB.dll
4e2aefb336983043faf5a7434761fcc5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ROM.dll
096b3d2003c36b823f2185fd80f7c08f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\RUS.dll
38acaf5e059d114d767468842d893ab2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SKY.dll
5c8b4989bb0f17084916a0f7fc658fc3 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SLV.dll
3a3fb7287719e29415e1666c91c1c873 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SRL.dll
3499a25e08dd7ad84d699202e7f0fa21 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SVE.dll
adeeeecb5603b5ed7ba7a87926b5b510 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\TRK.dll
77c025ed15ff18b5f964008d238ffed5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\UKR.dll
243e820e072b7a0a8be07e736445408f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\OCSetupHlp.dll
1323d01fc1b3ec2ac91365a37dc0be0c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupHelper.exe
959ea64598b9a3e494c00e8fa793be7e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\System.dll
fc5b2ac8d68459ec61f653676d8bcd5d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gcapi_dll.dll
61bc40d1fad9e0faa9a07219b90ba0e4 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gtapi.dll
f7b92b78f1a00a872c8a38f40afa7d65 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\nsDialogs.dll
ad010a6d16dc872b9df1ae719d4255db c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll
f99ba617f06b2dfd62cd23ae7c9484fd c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp
b3113668f356c345dd1efae531e257f8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp
8b8a54e9f3416ba5f4f63fd210b9df40 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe
0d2c31cb2284ab5804e63b486aedf027 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll
3a30d6a48390fa807156aa161f6a8189 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll
e02f396387f8aa59fa7cc942638d67ee c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BaofengUpdate.exe
a5bfd6a87161d5dfa81cb5c2c6d29488 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\UninstallManager.exe
a96619564071df84cc892752df062a6d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe
e7b4b146a101093e11ce45d203dd907b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe
8a8f5ebe2fd9c2e6325723209b9cdf32 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe
c12e34c6137b6ae3cc141e81dccf0f84 c:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\Uninstall.exe
64caebfbdca2ef8ec782c7ad90e20360 c:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\vnstF593.tmp
c12e34c6137b6ae3cc141e81dccf0f84 c:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe
64caebfbdca2ef8ec782c7ad90e20360 c:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\VOPackage.exe
a5bfd6a87161d5dfa81cb5c2c6d29488 c:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe
086bf9f68879020f08e62f33807f5842 c:\Windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIconDll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 22738 23040 4.45908 c69726ed422d3dcfdec9731986daa752
.rdata 28672 4496 4608 3.59034 a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data 36864 110456 1024 3.20082 e59cdcb732e4bfbc84cc61dd68354f78
.ndata 147456 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 180224 15944 16384 4.37926 ea72fff0d02b00b8667f1681d6590832

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://dlg-configs-weu.cloudapp.net/
hxxp://dlg-configs-weu.cloudapp.net/config-from-production
hxxp://dlg-messages-weu.cloudapp.net/1/dg/3
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/base.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow-5-text-en-us.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/progress.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/vuupc-single-text-en-us.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/last.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/websearches-single-text-en-us.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/pcspeedup-single-text-en-us.zip
hxxp://www.soft-ware.net/media/e5/65/4fd8d03e8d89a93218c9e565/images/resized/logo.png50x50.jpg 148.251.96.144
hxxp://d2drfrdurj6mvo.cloudfront.net/liyan/cvs_mystartsearch.exe 54.239.168.138
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=cvs.visit.mystartsearch&update1=ref,cvs&update2=identifier,installer&update3=version,6.3.7602.2124&update4=nation,us&update5=language,en 65.255.35.150
hxxp://dzqx32c9j9ub.cloudfront.net/3493/1 54.239.168.165
hxxp://dlrkbt247pbk6.cloudfront.net/3493_bd05aad78249b1c64e2595545bff63b4/1.zip 54.230.201.145
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.dlzip1.mystartsearch.finish,1 65.255.35.150
hxxp://log.very911.com/install.gif?bundle=mystartsearch&ptid=cvs&uid=535559167_198339_B48A115F 184.173.191.224
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ds 65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.hp 65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.regok 65.255.35.150
hxxp://download.dynect.mozilla.net/?product=firefox-34.0.5-complete&os=win&lang=en-US
hxxp://www.google.com/ 173.194.113.208
hxxp://www.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF 173.194.113.216
hxxp://a1284.g.akamai.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.nt.ff.tab 65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.finish 65.255.35.150
hxxp://dzqx32c9j9ub.cloudfront.net/3493/2 54.239.168.165
hxxp://dlrkbt247pbk6.cloudfront.net/3493_819a0752ed22bbe95df8b308cb03ea5a/2.zip 54.230.201.145
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.wpm 65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ient 65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.RegWrite 65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,cvs 65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action1=install.cvs 65.255.35.150
hxxp://p-rumo00.kxcdn.com/partners/pcspeedup.exe
hxxp://xa.xingcloud.com/v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.cvs&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,4.0.1.2253 65.255.35.150
hxxp://pcspeeduplog.com/log?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://a767.dscms.akamai.net/download/F/8/C/F8C0EACB-92D0-4722-9B18-965DD2A681E9/30514.00/Silverlight.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1
hxxp://a1284.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
hxxp://safedownloadapi.cloudapp.net/featurelimit.aspx?productID=1&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&requestID=&version=3.9.8.0&language=&campaignID=&QuickScan=0
hxxp://crt.comodoca.com/COMODORSAAddTrustCA.crt 178.255.83.2
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= 178.255.83.1
hxxp://safedownloadapi.cloudapp.net/reportInstall.aspx?productID=1&version=3.9.8.0&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&affID=2380&keyword=installer&campaignID=ppi_2380_installer&requestID=
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8= 178.255.83.1
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8= 178.255.83.1
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8d62786b8a611e50
hxxp://broadbandspeedchecker.cloudapp.net/Servers.svc
hxxp://a1284.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://151.236.26.173/random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=9T635656147234101936
hxxp://151.236.26.173/random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=8T635656147234101936
hxxp://151.236.26.173/random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=7T635656147234101936
hxxp://crt.comodoca.com/COMODORSACodeSigningCA.crl 178.255.83.2
hxxp://151.236.26.173/upload.php
hxxp://54.235.117.243/
hxxp://23.97.200.175/SessionBot.svc/LogIn?uniqueID=bc8dd994-fd51-4d87-b86e-7bf4aab4fdc1&[email protected]/ua|1.0.14.0|bc8dd994-fd51-4d87-b86e-7bf4aab4fdc1|0|null&version=1.0.14.0&countryCode=ua
hxxp://95.211.189.17/SysInfo/count_vn.php?ch=test
hxxp://broadbandspeedchecker.cloudapp.net/TakenTests.svc
hxxp://pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=speedtest
hxxp://95.211.189.17/SysInfo/count_vc.php?ch=test
hxxp://95.211.189.17/SysInfo/glob.php?ch=test&sof=4
hxxp://ec2-54-235-117-243.compute-1.amazonaws.com/
hxxp://sstatic1.histats.com/0.gif?2920545&101 208.43.241.181
hxxp://sstatic1.histats.com/0.gif?2920516&101 208.43.241.181
hxxp://www.theviilage.com/searchprotect/up?ptid=cvs&sid=IHProtectPlugin&ln=en_us&ver=4.0.1.2253&uid=535559167_198339_B48A115F&dp=0 50.97.33.37
hxxp://95.211.189.17/vuupc/stats.php
hxxp://www.soft-ware.net/media/e5/65/4fd8d03e8d89a93218c9e565/download/b 148.251.96.144
hxxp://dt.web-search-home.com/getsettings?query=nS4a1/oVbU6Q99uIRNKVE+/vPOOkGCX04WBXR7pdK/UKcGWB+Rqy0NTAeyD4Sb/ziarEhWj7HN5nXXj2qWaNwxVXn6EikLycAMKB/i3j0PQE9RFK9YaMPY1tOXp7CoA5I0G8etbIuG9ofZP1IeMKZP4ShkeXaNCevjkr0AZe+vo= 50.7.244.109
hxxp://a767.dscms.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a767.dscms.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?fb2283c00361ac01
hxxp://crl.globalsign.net/root-r3.crl 108.162.232.196
hxxp://crl.globalsign.net/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== 108.162.232.196
hxxp://crl.globalsign.net/root.crl 108.162.232.196
hxxp://crl.globalsign.net/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== 108.162.232.196
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= 72.167.239.239
hxxp://ocsp.godaddy.com.akadns.net//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQD+rJ0jfxxchg== 72.167.239.239
hxxp://crl.globalsign.net/gs/gscodesigng2.crl 108.162.232.196
hxxp://sstatic1.histats.com/0.gif?2920547&101 208.43.241.181
hxxp://sstatic1.histats.com/0.gif?2920520&101 208.43.241.181
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://www.pcspeeduplog.com/log?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer 212.71.248.160
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/vuupc-single-text-en-us.zip 68.232.34.200
hxxp://crl.comodoca.com/COMODORSACodeSigningCA.crl
hxxp://pcspeedup-7ff.kxcdn.com/partners/pcspeedup.exe 194.63.141.18
hxxp://livestatscounter.com/SysInfo/count_vc.php?ch=test
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= 23.51.123.27
hxxp://clients1.google.com/ocsp 216.58.209.174
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= 23.51.123.27
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8= 178.255.83.1
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/websearches-single-text-en-us.zip 68.232.34.200
hxxp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar 87.245.216.26
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/base.zip 68.232.34.200
hxxp://dlg-configs.buzzrin.de/config-from-production
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=speedtest 212.71.248.160
hxxp://download.microsoft.com/download/F/8/C/F8C0EACB-92D0-4722-9B18-965DD2A681E9/30514.00/Silverlight.exe 87.245.216.35
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 87.245.216.33
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= 23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?fb2283c00361ac01 87.245.216.19
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service 212.71.248.160
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= 23.51.123.27
hxxp://download.mozilla.org/?product=firefox-34.0.5-complete&os=win&lang=en-US 63.245.217.36
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 87.245.216.33
hxxp://www.speedcheckerapi.com/TakenTests.svc 137.116.198.61
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer 212.71.248.160
hxxp://ocsp2.globalsign.com/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== 108.162.232.204
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 87.245.216.33
hxxp://www.speedcheckerapi.com/Servers.svc 137.116.198.61
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 87.245.216.33
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1 87.245.216.19
hxxp://livestatscounter.com/SysInfo/count_vn.php?ch=test
hxxp://dlg-configs.buzzrin.de/
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8= 178.255.83.1
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= 23.51.123.27
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow-5-text-en-us.zip 68.232.34.200
hxxp://livestatscounter.com/vuupc/stats.php
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.51.123.27
hxxp://livestatscounter.com/SysInfo/glob.php?ch=test&sof=4
hxxp://www.pcsuapi.com/featurelimit.aspx?productID=1&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&requestID=&version=3.9.8.0&language=&campaignID=&QuickScan=0 168.63.102.240
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/progress.zip 68.232.34.200
hxxp://crl.globalsign.com/gs/gscodesigng2.crl 108.162.232.196
hxxp://dlg-messages.buzzrin.de/1/dg/3
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/last.zip 68.232.34.200
hxxp://ocsp2.globalsign.com/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== 108.162.232.204
hxxp://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQD+rJ0jfxxchg== 72.167.239.239
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/pcspeedup-single-text-en-us.zip 68.232.34.200
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8d62786b8a611e50 87.245.216.19
hxxp://www.pcsuapi.com/reportInstall.aspx?productID=1&version=3.9.8.0&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&affID=2380&keyword=installer&campaignID=ppi_2380_installer&requestID= 168.63.102.240
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.51.123.27
hxxp://ocsp.godaddy.com//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= 72.167.239.239
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.51.123.27
www.gstatic.com 216.58.209.195
ssl.gstatic.com 216.58.209.163
apis.google.com 216.58.209.174
performancetests.pcspeedup.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack
SURICATA STREAM ESTABLISHED packet out of window
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
SURICATA STREAM SHUTDOWN RST invalid ack

Traffic

POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 403
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:33 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:32 GMT
Connection: close
Content-Length: 0



GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Sun, 26 Apr 2015 03:11:25 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..C
ache-Control: max-age=86400..Date: Sun, 26 Apr 2015 03:11:25 GMT..Conn
ection: keep-alive..



GET /gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:14:44 GMT
Content-Type: application/ocsp-response
Content-Length: 1474
Connection: keep-alive
Set-Cookie: __cfduid=d04b4fc2a5b979841552e18e098c02af51430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.globalsign.com; HttpOnly
X-Powered-By: Servlet/3.0; JBossAS-6
ETag: 1db1d660627ce015fa77de973e5530ef2b8acbda
Expires: Sun, 26 Apr 2015 14:51:50 GMT
Last-Modified: Sun, 26 Apr 2015 02:51:50 GMT
Cache-Control: max-age=180, public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1dcf1e84624501b1-FRA
0..........0..... .....0......0...0......6.K....Z....a.B&Y.....2015042
6025150Z0u0s0K0... ........k..vY.d..X.R*.....C....n......>..t]..../
Pz...!..5..,.....}*..4....20150426025150Z....20150426145150Z0...*.H...
.........(...}...PZ..[G.b..y......7...M.\.........@2.^..#1z.k......_..
.....>.....`o0..3.....*,..g..i...'...Fj.*N.y...0.8..F......<..".
..?>......<7.......a.j4.....c..lp?2_.M=........w....:.......e..-
..:.......q{..M.;.....X.s...E.!.=M.).,..R..........8.....5A.[56..'....
0...0...0...........!:.D.....3...7..(0...*.H........0Q1.0...U....BE1.0
...U....GlobalSign nv-sa1'0%..U....GlobalSign CodeSigning CA - G20...1
50303092435Z..150603082435Z0}1.0...U....BE1.0...U....GlobalSign nv-sa1
:08..U...1GlobalSign CodeSigning CA - G2 OCSP responder - 21.0...U....
201503031024000.."0...*.H.............0...........z..N#.)I{6&_.f.. ..*
.-W....Z....."......(.u:..9...ET...}.._Z.sr);:.....~.t..&4.~....d....-
 ...p{..7.E}......:C.. R../.J.w...Q.-.c....Y!.r:.."..X...V............
&&z,K..Z...sg.PN.:C.....0f...o..(..w.s.6..%.}.ktU..HmK........!1hy`..(
.w.`a......=s..,cYt6).-........0..0...U....0.0...U...........0...U.%..
0... .......0... .....0......0...U......6.K....Z....a.B&Y...0...U.#..0
....n......>..t]..../Pz0...*.H..............."...Y...f.=...d.......
...Q.n.S.....=..5[.F..F..=*.S..;....6.j...VNR|#.h.=..' ..T..PD.J......
.k....3..h....s...y.'.?....m...k.....V.^..uynl....6....<.[....x..#.
Q..9.P%s)-.I...m.?.j*.2..?;.P..X7w.........$.*.t.....5.p....4U.....R..
Dc..q....'.e#uA*.FG].xz~...
<<< skipped >>>


GET /searchprotect/up?ptid=cvs&sid=IHProtectPlugin&ln=en_us&ver=4.0.1.2253&uid=535559167_198339_B48A115F&dp=0 HTTP/1.1
Host: VVV.theviilage.com
User-Agent: Mozilla/4.0
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:13:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14p1
1..0..0..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=458926, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 10:39:56 GMT
Expires: Fri, 1 May 2015 10:39:56 GMT
Date: Sun, 26 Apr 2015 03:14:53 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....2015042
4103956Z0s0q0I0... ...................F....0.yV......{&.K......&......
.c.. ..T.............20150424103956Z....20150501103956Z0...*.H........
......n..)........bWh...hI..W.j.&...{..{W.8...H........a.....z...r.I..
.#.E.e....PIgJ,..m..%".O ...............%....X..Hr..fIm..qQ......GR.$.
....gl_.UI..f.T..C.T.e...Ir.^......./..B.q.yB..9.a.U.>..Z..([......
.!m\.M.3.......f..JVm.B.m.y.......{..t.I.op..._ LCs.......0...0...0...
.........F...I]A([email protected]...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....
VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Cla
ss 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0........
.q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../j
I.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/..
 ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o.
.o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U...
.0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign
.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. 
by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U......
..0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H........
......-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.Rf.
<<< skipped >>>


POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: WinHttpClient
Content-Length: 104
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceConnected":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:44 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



POST /ocsp HTTP/1.1
Host: clients1.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 107
Content-Type: application/ocsp-request
Connection: keep-alive

0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./...1o..2. ..0.0... .....0...
0... .....0..
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Sun, 26 Apr 2015 03:11:06 GMT
Expires: Thu, 30 Apr 2015 03:11:06 GMT
Cache-Control: public, max-age=345600
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
0..........0..... .....0......0...0......J......h.v....b..Z./..2015042
5191119Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
..1o..2. ....20150425191119Z....20150502191119Z0...*.H.............},.
{.....Gj...;..C...0.......V.C.._.j}.:..8r...>....h8F.........h?W...
....p..>@Bc.M...Sw_.d...,..#..R........Pv..yjv..gX|L:..b.T...<..
..5..7'R,..x,VU).S..tI*.-$p....e..oD.?.pM..U:e....;.c..O.!.....(.xTcE_
......."R....&_..C{E.kS}ML.....a.....X0..*[.........HTTP/1.1 200 OK..C
ontent-Type: application/ocsp-response..Date: Sun, 26 Apr 2015 03:11:0
6 GMT..Expires: Thu, 30 Apr 2015 03:11:06 GMT..Cache-Control: public, 
max-age=345600..Server: ocsp_responder..Content-Length: 463..X-XSS-Pro
tection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protoco
l: 80:quic,p=1..0..........0..... .....0......0...0......J......h.v...
.b..Z./..20150425191119Z0k0i0A0... ..........j.....p.I.#z...(~d..J....
..h.v....b..Z./...1o..2. ....20150425191119Z....20150502191119Z0...*.H
.............},.{.....Gj...;..C...0.......V.C.._.j}.:..8r...>....h8
F.........h?W.......p..>@Bc.M...Sw_.d...,..#..R........Pv..yjv..gX|
L:..b.T...<....5..7'R,..x,VU).S..tI*.-$p....e..oD.?.pM..U:e....;.c.
.O.!.....(.xTcE_......."R....&_..C{E.kS}ML.....a.....X0..*[.........font>....
<<< skipped >>>

POST /ocsp HTTP/1.1


Host: clients1.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 107
Content-Type: application/ocsp-request
Connection: keep-alive

0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..Tj!.T.w...0.0... .....0...
0... .....0..
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Sun, 26 Apr 2015 03:11:07 GMT
Expires: Thu, 30 Apr 2015 03:11:07 GMT
Cache-Control: public, max-age=345600
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
0..........0..... .....0......0...0......J......h.v....b..Z./..2015042
5191657Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.Tj!.T.w.....20150425191657Z....20150502191657Z0...*.H...............Z
.Y......W.V....H..h..36....WmO;r..[.....}..8...3..t.;r........i."...|_
|..2?e^5.;b.d..'9..`gS...O..a..so.u...8=....H..Y|.s.......)=.Zgw...(..
e....L.....|.,.]....v..f.W...@..'...9.Y...-....|..K.;.....9..(..H.....
...(t.......b.j..[.'.u[$&:...!.....[F....HTHTTP/1.1 200 OK..Content-Ty
pe: application/ocsp-response..Date: Sun, 26 Apr 2015 03:11:07 GMT..Ex
pires: Thu, 30 Apr 2015 03:11:07 GMT..Cache-Control: public, max-age=3
45600..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 
1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:qui
c,p=1..0..........0..... .....0......0...0......J......h.v....b..Z./..
20150425191657Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....
b..Z./..Tj!.T.w.....20150425191657Z....20150502191657Z0...*.H.........
......Z.Y......W.V....H..h..36....WmO;r..[.....}..8...3..t.;r........i
."...|_|..2?e^5.;b.d..'9..`gS...O..a..so.u...8=....H..Y|.s.......)=.Zg
w...(..e....L.....|.,.]....v..f.W...@..'...9.Y...-....|..K.;.....9..(.
.H........(t.......b.j..[.'.u[$&:...!.....[F....HT..
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 417
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 0



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 388
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:07 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"LoadingPrerequisitesCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:10 GMT
Connection: close
Content-Length: 0



GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/vuupc-single-text-en-us.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: h9NMolU10veq9lx9L2PUxg==
Content-Type: application/octet-stream
Date: Sun, 26 Apr 2015 03:10:09 GMT
Etag: 0x8D218DF91E231F0
Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 4731d885-0001-0032-38ce-7f3de0000000
x-ms-version: 2009-09-19
Content-Length: 43261
Connection: close
PK......../I.D"G..I....L......index.html.\.o#7v.y.......|...4I..m.k Y.
..a..[.EA.P..3C....;,p.A...%}_...4.:.....4C.=....H...W....w#.,........
 .......L.K]f......^....B.:V?Uz}..4E...x.]..H..Y.T?.'H..H..:U.=L.?.../
...Q.0..O....... ..rK...XZ5?....z:.Q'.2..zU.g...Gw...J......../.....].
...`...........").).G.....ZZa.se..8..].f3...-d6....W..R....P.ee-l..g..
....i..N_..........8.`...pn....^w.L2.<F,z._<..Z...d...a..J..r...
=.mR.R].e.Pio ...i.........2..Yi .)p.ki.V&...?Q d.`m.."I..$>z.A...H
G:pK...1,|?.^.-.T.h.........,. .....u17.N...U..D...!s.K....|.&.M.s.l.i
..[? ...$3Na..k.K.K[r.....8.s....P=......".Y.b.t.......h....7..R..=.l6
xP.8......Nu.LUv0......O.....y..W/_.|.D$E......2Ds?.sL....Sx..:(......
... k.*)..`...g._2_..d....."...._....Ge..\..Cl.x|$..=../..!b.kO:......
..Y`l.ei.=.?.......V....8V<.|B\t.z% 1....3.....o.]5s.....r ^}{$..D.
G....../..,2PU....._..h..z.U.@$..7."U?.D...}.4^..Z.z..L..r.......$...C
.'...q....{...k.....U....)..6OHgg..6g..UD.-.u..f7.~.. ....r..k..6.k...
.....W.S..wr.'..g..,DF.K..nD^.2.h.O.z...1J1ae6.(....._?;*..2<.....I
...Ne*)AM..T.......=x.Z.8......\...[.*S..I&.;.m,.^...%&.!...B..W..h ..
:=.....RZ..z.|.U...eI......J.u.....,1.:....Ng...H.......qW`/.......W.*
..:=..w%..lgw..ki.4 V..w..2<...9...~L..].~n.lL..............*.9.5..
...*......*...hb....aA.D....yD..t>*R..`.k.(.pq....PK.3....i.......t
|9..[.0....z..'........w..ft}.^\....x3..... .~.....n.C!.|.........X\\^
...=?...._.........1..L/..q8.........o...0};.......@u >.>.......
.]..l.......?......g......an..}....... 1...o.........[..,.....P...
<<< skipped >>>


GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/last.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: fgXouqoJyZc91T1FRhXKXg==
Content-Type: application/octet-stream
Date: Sun, 26 Apr 2015 03:10:09 GMT
Etag: 0x8D218DF91AACE40
Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: f58d6015-0001-0021-28ce-7f0801000000
x-ms-version: 2009-09-19
Content-Length: 37851
Connection: close
PK........(h&F._.a....W.......index.html..]o.6.....8..d...b..E2...S..u
.a..u..H.JRN...}GJ..G..v2`Q...}1......?...........M..2`i...V..f..~...X
..l9./.X.t...i'7..(..WL-<...pEx.....y.~..m3...#...|n.%.......d...L.
2......aM.l.....h..[3..R..L.....7a!dxk(.R.!.h..........%.1y.[.5.DW..,I
L.,7pU....... '....p.xe..U'.....D4.FbI.F...A...5....Z.....;H.x..ht/d..
C..Z.<de.....F...$[..SaJfy..m..9..*.....<W..k...i<[email protected]...
.....5e-K..........&..^..jG.M....d...\6....._..z....5{......{E.._7....
G.z...j.P..V..C..h.,.d.J{)...0)A...J.}5W)<us.....Lwv}e.X....OB.....
.....,0H.>U.%h."d.."..N..B.2m..]......3.1....Ui\........1...}w(3.D=
.3.i .OT.....p....vwF?."....R......0.y_..vQ|f....Q...4.Yu<....|3yVI
.E...o..u..1.=..Z.8.d.X...GVo....W.w.....w...?v....... 0m.1Q...Q.@....
...l..i....f.>..e.l..:..CD*.......kt....X..h....D...c$...".....V..f
1..'[email protected]..].Gr.`e....7.\..%..aQ....Gx.q."..#JfsU.9X.....1...........x
...(.....QT.....8Y2y.....!.4...)..........=.......V7..^.Z.W..".Ui.....
<%.3$...;.<..O.>uN.9w.-f..]RY..........J..r}J.J..="!...6...#h
1.;..{.YW.V........5..p..K..%.....3...^t.Hs ..v5..{2.X.....F......ow..
.PK.........`=FX..8............css\style.css.V...0.}N....Q.....&M.[...
..Xq.e.M...{.7.u....RX{....1)._..j..)x..t&M.K...v..?h.o..(.7.....R.Z..
g,KZ'(<".......Z.Y-WK..3..L.:4.3U....d\bE9`..&.iR.."=......d.c....x
.%l..7.....,.....*B.J%....& ..&..yN....J,.....j.q.pvQ..r.........F..~u
...TJ.~...?/J..........H..!.....}....%[.Eq.&....g(,..b.9Z.P..7..g..i#.
~M..u.....t.;.....aE..o/.} ..b{f....}...<.d..g.......... ..{..4
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 383
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:37 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductDownloadCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:13:37 GMT
Connection: close
Content-Length: 0



GET /random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=9T635656147234101936 HTTP/1.1
Host: 151.236.26.173
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 26 Apr 2015 03:12:03 GMT
Content-Type: image/jpeg
Content-Length: 100101963
Last-Modified: Thu, 11 Sep 2014 08:52:17 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type
raw-nginx-upload: 1
Accept-Ranges: bytes
.....MExif..MM.*.............................b...........j.(..........
.1..... ...r.2...........i....................'.......'.Adobe Photosho
p CS6 (Macintosh).2013:03:22 14:39:08............................ ....
....... ..............................."...........*.(................
.....2...................H.......H.........XICC_PROFILE......HLino....
mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP
  ................................................cprt...P...3desc....
...lwtpt........bkpt........rXYZ........gXYZ...,[email protected]..
.T...pdmdd........vued...L....view.......$lumi........meas.......$tech
...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright
 (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1......
......sRGB IEC61966-2.1...............................................
...XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ...
...b.........XYZ ......$.........desc........IEC hXXp://VVV.iec.ch....
........IEC hXXp://VVV.iec.ch.........................................
.....desc........IEC 61966-2.1 Default RGB colour space - sRGB........
....IEC 61966-2.1 Default RGB colour space - sRGB.....................
.desc.......,Reference Viewing Condition in IEC61966-2.1...........,Re
ference Viewing Condition in IEC61966-2.1..........................vie
w.........._...............\.....XYZ .....L.V.P...W..meas.............
...................sig ....CRT curv.......................#.(.-.2.7.;.
@.E.J.O.T.Y.^.c.h.m.r.w.|.........................................
<<< skipped >>>


GET /0.gif?2920547&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Cache-Control: no-cache
Cookie: CountUid=5447eecb-9eym-433b-b267-e4aef67e236e


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:15:09 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..



GET /reportInstall.aspx?productID=1&version=3.9.8.0&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&affID=2380&keyword=installer&campaignID=ppi_2380_installer&requestID= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: PCSUInstaller
Host: VVV.pcsuapi.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=rlmbshgtjzbsoaxrlrwnriuy; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:11:45 GMT
Content-Length: 2
UAHTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; ch
arset=utf-8..Server: Microsoft-IIS/8.0..Set-Cookie: ASP.NET_SessionId=
rlmbshgtjzbsoaxrlrwnriuy; path=/; HttpOnly..X-AspNet-Version: 4.0.3031
9..X-Powered-By: ASP.NET..Date: Sun, 26 Apr 2015 03:11:45 GMT..Content
-Length: 2..UA..



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 406
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:59 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:58 GMT
Connection: close
Content-Length: 0



GET /install.gif?bundle=mystartsearch&ptid=cvs&uid=535559167_198339_B48A115F HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: log.very911.com


HTTP/1.1 404 Not Found
Server: Tengine/1.2.2
Date: Sun, 26 Apr 2015 03:11:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 671
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>
..<head><title>404 Not Found</title></head>..&
lt;body bgcolor="white">..<h1>404 Not Found</h1>..<p
>The requested URL was not found on this server. Sorry for the inco
nvenience.<br/>..Please report this message and include the foll
owing information to us.<br/>..Thank you very much!</p>..&
lt;table>..<tr>..<td>URL:</td>..<td>hXXp://
log.very911.com:8080/install.gif?bundle=mystartsearch&ptid=cvs&
;uid=535559167_198339_B48A115F</td>..</tr>..<tr>..&l
t;td>Server:</td>..<td>us-pub00.v9.com</td>..<
/tr>..<tr>..<td>Date:</td>..<td>2015/04/25 
22:11:05</td>..</tr>..</table>..<hr/>Powered b
y Tengine/1.2.2..</body>..</html>..HTTP/1.1 404 Not Found.
.Server: Tengine/1.2.2..Date: Sun, 26 Apr 2015 03:11:05 GMT..Content-T
ype: text/html; charset=utf-8..Content-Length: 671..Connection: keep-a
live..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<ht
ml>..<head><title>404 Not Found</title></head&
gt;..<body bgcolor="white">..<h1>404 Not Found</h1>.
.<p>The requested URL was not found on this server. Sorry for th
e inconvenience.<br/>..Please report this message and include th
e following information to us.<br/>..Thank you very much!</p&
gt;..<table>..<tr>..<td>URL:</td>..<td&
<<< skipped >>>


GET /media/e5/65/4fd8d03e8d89a93218c9e565/images/resized/logo.png50x50.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.soft-ware.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:09:51 GMT
Content-Type: image/jpeg
Content-Length: 5887
Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT
Connection: keep-alive
ETag: "530494e7-16ff"
Expires: Tue, 26 May 2015 03:09:51 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR...2...2......]......IDATx..Yg.U...<_4.........K,..
...(..4. `.BD,..A...,.4.: E:.u.af....rn9......}..........?w..g.{......
....q....Q.-....B).S.U...Cv..|....2..X...\.2.....B..,.?...A.B.@.@.".l.
.0.....@.............,...=...........xP .@i~z....K.......#..m.8..K...4
b....._.}....e<.......D.H.....O.6..\...[....|[email protected]_".;...
.c.....AK^..pC>{.."..)j.m.r.Wb./..>I.^Pq...7..z..M....-c.f....g3
...=.2!...0.].2.0D.A..UX.?..~Z.'l.....}..6....'.U.....b.J...X....f..o.
.G.D.....Z..S..w......}....#f.;V.$C..[3.eY.......z....e..._.E....lC2..
.}.._....2..2>..cT....9<..]Q...j..[..h.Zg-9-?. .. .Y..yEs.....G.
.].u..3?.....&..L....g.G.x..xH._..(....S.n.s.......g4. ..u.tH.i...Cy9?
.......#.L..G.....#..<........C7........&.t....?...-^.Ht..3Yd.e...k
....o..a../.....fM..M...J.dk..-..!.r..Ek....b&4.....2.lZ..............
.i...`...A3r&.v..Us {<^...r.....~.h._.v...?J$P."..m..MHD...U.mQ..}.
....)^..V....La........B^!...K..-MG..~.[t8u...s.~.....b.....[.....2..c
...d.4J..;......%ks#:[email protected]`l.T.BP..,F..F..FN........~8w*..n.1......._.
.o4w6g..W....C.-.5'............{&.D..M..8....)?.r.ui.....Y'..5..y....R
..|...i...#...P.PC%.......~.....r.,.v7..J.w.....P".T..u...Ve..\.....).
.5..Fn...&...../...BJ.......3,..t8.BU...6.%z.....J..c.,....$.4&Ri.j..V
...#J.Q.....O.8...><..;.\\...3^..YV./?!...(..Q.\..ZU..J.%iR.W...
|/..19....`yJ.l<..$./.V....FS...O?<..WJ01...X..NR..B...'4..e.I..
..l.=.>...n.......].....{....g.(...a.Y=-.x..-B..I.*)....m.W.......8
...z$....9.3,...9[........%~*......*.j*)r.e.....JQ..mY..l5..u...s.
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=435192, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 04:05:12 GMT
Expires: Fri, 1 May 2015 04:05:12 GMT
Date: Sun, 26 Apr 2015 03:14:51 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015042
4040512Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150424040512Z....20150501040512Z0...*.H........
........UJN.z...%sp.&.Wp..WX.W..D.R..Y..`.*A..4%....|,.8z.8.R.,....@..
OJ.....zMp.$!..a..L......~^.y.. YB h..L.",.......7....3|......3L..M.F.
........C. a.!{.&.T.....5..E.!vc.%j.....*)..01...fd..........67.....|.
0w* ..9."...........b[..C.........m..K......v..........0...0...0..3...
..../...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign,
 Inc.1705..U....Class 3 Public Primary Certification Authority0...1412
02000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporatio
n1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1
 OCSP Responder Certificate 30.."0...*.H.............0..........'.....
.Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; )....
.0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|
o....S..v.).)[email protected]#qh...u1T.].G0.]E...=._.....
. ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0
c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......
0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .
....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H
......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D.....
......e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=493277, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 20:15:13 GMT
Expires: Fri, 1 May 2015 20:15:13 GMT
Date: Sun, 26 Apr 2015 03:14:51 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015042
4201513Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150424201513Z....20150501201513Z0...*.H........
........'..n..........0.Z-([email protected]*K..z..._>...M......
h...:Z.....t?.1..`..@".9j.....G.p /1.l bH...Q3{."..j....Z.M.....l..}..
.M?.; H......3..<..].......J..W....j.......J..{.........X.v..y...Zl
`f.D&[.oT....f..=.m^.,...6}k...(......6.....1Uu..%.X.x./....#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 415
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:21 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:11:20 GMT
Connection: close
Content-Length: 0



GET /pki/crl/products/WinPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
Accept-Ranges: bytes
ETag: "dde36a309c58d01:0"
Server: Microsoft-IIS/8.0
VTag: 438569342300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Sun, 26 Apr 2015 03:14:15 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......40... .....7......15060
4224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL..
"k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA
.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3..
.v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<
;~..v.w....


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
Accept-Ranges: bytes
ETag: "cf2633d6957d01:0"
Server: Microsoft-IIS/8.5
VTag: 438481415700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Sun, 26 Apr 2015 03:14:15 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......20... .....7......150602222607Z0...*.
H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..)......
...._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j
...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<
.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P
.#..



GET /liyan/cvs_mystartsearch.exe HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: d2drfrdurj6mvo.cloudfront.net
Connection: Close


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 722528
Connection: close
Date: Fri, 24 Apr 2015 12:38:00 GMT
Last-Modified: Tue, 21 Apr 2015 02:41:57 GMT
ETag: "148bdbdcbac38fbf0b4d3c145e9b0199"
Accept-Ranges: bytes
Server: AmazonS3
Age: 52329
X-Cache: Hit from cloudfront
Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 5zwCg7nBKh-WABgusRJwcU7TYRxpKHnlkCxpN_qwzVzJiT9_qMBDGw==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......|...8...8...
8...^a$.&...^a9....../0.?....I:......I8.v....I9.....1.d. ...8.......^a
8.5...^a>.9...8.`.9...^a;.9...Rich8...........PE..L...~..U.........
.................................@[email protected].
[email protected]........ ..................`....
0..lV......8...........................P([email protected]..........
..................text...G........................... ..`.rdata.......
.......................@[email protected][email protected][email protected]
rc........ ......................@[email protected]...................
[email protected]...............................................................
......................................................................
......................................................................
......................................................................
.................................~...F.r.......3.f..Aj\3.j..M..E......
U.f.E...&..j.j..E.P...E......t*...}..r..u...o......M.d......Y^.M.3.. |
....]..........Vj.QhD.H....P&.....u/.~...F.....r...3.Pf..R...>"..^.
3...PRf...."..^...t.Pj....."..^..............A...t&.P.;.v".y..r......Q
..\t.../t.3........2..h\.H..o.........U..j.h..G.d.....P..`.8.I.3..E.P.
E.d.....RQ.M.......M..E......]z..3..E...H..E......E.....f.E.j.P.E.P.M.
.E...."...E..E..E..E.hLrI..E.P.E....{.....U..j.h..G.d.....PQVW.8.I.3.P
.E.d........u...y...E......N.....H.3..A......A.....f...}..E...G.;.
<<< skipped >>>


GET /v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.cvs&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,4.0.1.2253 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:20 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.37 ms","message":"store 2 action and 4 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 20
15 03:11:20 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"1.37 ms","message":"store 2 ac
tion and 4 update "}..0..



GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?8d62786b8a611e50 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Sun, 26 Apr 2015 03:11:56 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Tue, 24 Feb 2015 00:37:01 GMT..ETag: "80b4d90ca4fd01:0"..C
ache-Control: max-age=604800..Date: Sun, 26 Apr 2015 03:11:56 GMT..Con
nection: keep-alive..



GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ds HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:03 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.25 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 20
15 03:11:03 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"1.25 ms","message":"store 1 ac
tion and 0 update "}..0......


GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.nt.ff.tab HTTP/1.1


Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:10 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.43 ms","message":"store 1 action and 0 upd
ate "}..0..



POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: PCSUNotifier
Content-Length: 216
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","Silverlight":"Install","OK":1,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:40 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 409
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:59 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:58 GMT
Connection: close
Content-Length: 0



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 408
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:20 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:11:19 GMT
Connection: close
Content-Length: 0



GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ient HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.22 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 20
15 03:11:19 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"1.22 ms","message":"store 1 ac
tion and 0 update "}..0..



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 400
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:32 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferAccepted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:32 GMT
Connection: close
Content-Length: 0



HEAD / HTTP/1.1
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-configs.buzzrin.de
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:57 GMT
Connection: close



GET /root.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.net


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:14:44 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 649
Connection: keep-alive
Set-Cookie: __cfduid=d0ccd6d612d65033b9b993d2fd020301d1430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.globalsign.net; HttpOnly
Expires: Wed, 15 Jul 2015 00:00:00 GMT
Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT
Cache-Control: public, max-age=6900316
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1dcf1e839e190f63-FRA
0...0..m...0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.
0...U....Root CA1.0...U....GlobalSign Root CA..150323000000Z..15071500
0000Z0..0*.........D.....141125000000Z0.0...U.......0*........)E.....1
41125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U.......
0*........,^.....141125000000Z0.0...U......../0-0...U......00...U.#..0
...`{f.E....P/}..4....K0...*.H.............&...f#...5.[4........{pV.#.
F........:...*Q.....Mx9}....,.S.D.>@.Ju.[)c...`.?.j~...-..{.FHj....
.#.C2.[.,`.......)...Bj2........n...........%......p.6......Q.....1..p
d......F.........mJO.!y.W.......V.M).N.R.....V..|...7.ry. ..gy..I\....
.....j....... .z.E..".HTTP/1.1 200 OK..Date: Sun, 26 Apr 2015 03:14:44
 GMT..Content-Type: application/x-pkcs7-crl..Content-Length: 649..Conn
ection: keep-alive..Set-Cookie: __cfduid=d0ccd6d612d65033b9b993d2fd020
301d1430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.g
lobalsign.net; HttpOnly..Expires: Wed, 15 Jul 2015 00:00:00 GMT..Last-
Modified: Mon, 23 Mar 2015 00:00:00 GMT..Cache-Control: public, max-ag
e=6900316..CF-Cache-Status: HIT..Accept-Ranges: bytes..Server: cloudfl
are-nginx..CF-RAY: 1dcf1e839e190f63-FRA..0...0..m...0...*.H........0W1
.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....Gl
obalSign Root CA..150323000000Z..150715000000Z0..0*.........D.....1411
25000000Z0.0...U.......0*........)E.....141125000000Z0.0...U.......0*.
....... ...h..141125000000Z0.0...U.......0*........,^.....141125000000
Z0.0...U......../0-0...U......00...U.#..0...`{f.E....P/}..4....K0.
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:11:58 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT
Expires: Wed, 29 Apr 2015 04:29:13 GMT
ETag: D60CF3FEA10920BFD9223C04D2095561967D1DBA
Cache-Control: max-age=263234,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp11
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........z4.&...&T....$.T...2015042
5042913Z0s0q0I0... ........|.fT...D.b&...e{.z.......z4.&...&T....$.T..
.'f.V.I....p...."....20150425042913Z....20150429042913Z0...*.H........
.....M.he.#b$...d.<....x.....8.n|..ak,....P..z...K....... .......,.
...qv..!...........s..........8&.D....>..$e..L,L.V..Z.......z......
..z...!..O..1....1>.%.F...\...m...7..[1.]..l..//B,.OG........Q.h..:
b.~F_.\;..eb..~... .........TI*p........e0.C....).....b=..k...



GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.regok HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:03 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.29 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 20
15 03:11:03 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"1.29 ms","message":"store 1 ac
tion and 0 update "}..0......


GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.finish HTTP/1.1


Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:10 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.21 ms","message":"store 1 action and 0 upd
ate "}..0..



GET /COMODORSAAddTrustCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.comodoca.com


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:11:52 GMT
Content-Type: application/x-x509-ca-cert
Content-Length: 1400
Last-Modified: Tue, 30 May 2000 10:48:38 GMT
Connection: close
X-CCACDN-Mirror-ID: h6edcacrl6
Accept-Ranges: bytes
0..t0..\.......'f.V.I....p...."0...*.H........0o1.0...U....SE1.0...U..
..AddTrust AB1&0$..U....AddTrust External TTP Network1"0 ..U....AddTru
st External CA Root0...000530104838Z..200530104838Z0..1.0...U....GB1.0
...U....Greater Manchester1.0...U....Salford1.0...U....COMODO CA Limit
ed1 0)..U..."COMODO RSA Certification Authority0.."0...*.H............
.0..........T...V...$...Dgt. 7.}#p.q.S...*..K..V..pr.a..K...=...a.....
..>..>\...4z..k......zv.q.......l......~..../O.....gCr......k,..
.....~..n.....$.Ckb.U....l........li..xH0E....<E`.2.Q'.g....k.F.. .
..e.H...N...F7.....HCgNr*.\.L.(.\"{......Q...FNm>.....|3WA<.Q...
\.,c..W.?..]...E...Z$...V=.o..IX........7.....:..CB...........`..(V...
...q....=...H.<...."L....V;....[..."R...i..Le...-pt...g.)iR....PjUF
...(a.p....,!.G.(..Ev...'[email protected]:.\.A..c..qk ..
..1\:jG..yY. ...j..r.WJ.K.....LA...=^(.....Q..G..S........0..0...U.#..
0......z4.&...&T....$.T.0...U........~.=...<....8...22.0...U.......
....0...U.......0....0...U. ..0.0...U. .0D..U...=0;09.7.5.3hXXp://crl.
usertrust.com/AddTrustExternalCARoot.crl05.. ........)0'0%.. .....0...
hXXp://ocsp.usertrust.com0...*.H.............d..._......)W..Z...>.v
.n.Rp..<.M.tj...%...*]L....m.T.u..'.][email protected].....;.....4.~ .y..WE..(
....P.....Wi}..R.s......nf.....-....Y.L...qL|G.;.....l.>\.........H
M.....s...{#....MU.zaE..h.^@k#.yz...k..oF.{.=K....YZ.A$....`XG..nF....
[email protected].............;o.8o..
<<< skipped >>>


GET /3493_bd05aad78249b1c64e2595545bff63b4/1.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: dlrkbt247pbk6.cloudfront.net


HTTP/1.1 200 OK
Content-Type: application/zip
Content-Length: 2170109
Connection: keep-alive
Date: Sat, 25 Apr 2015 20:53:09 GMT
Last-Modified: Sat, 25 Apr 2015 20:13:54 GMT
ETag: "8e00c35a80f9125823c5b5ced168308d"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22672
X-Cache: Hit from cloudfront
Via: 1.1 b56fc979704f01acc351fd21f5c956db.cloudfront.net (CloudFront)
X-Amz-Cf-Id: u5KctQS9zOCmrAkDz0l3nM83-yxbCVgr4BjdLJFqrGZfYv1_Nbi-4Q==
PK...........F0D`.............428.json.....].jRYa..w.........L@.\...q.
..%.v..Q..~DO.M.|.Wj.N.........'?.}...n..0..5.^1.........#..z.n...t..#
.1jq`....*.>#.............m..V.&.vc~.<.w.R.'xD....q..qQ|.H.P6...
.l..&3....g.t/....|7p.......3......~...B|[email protected].}...P......^1....
....AO...t...HT,t.v.4.)......]._.u-g..f..M....:.x~.......vSM.Y....W]..
.~C..M...:]...{..-.e...8.i.2....aO...w...#i.^1......K........|~.k.....
....b......Nr.s.....!*l..5.D(L.w.J.kh.b..S...~..-..Y../.ap......q..j..
%....a.M=E.k}.0....g.`.$SaH...u...I.*h.Y.0.3s~.......a.w..............
.7AP49piUPK...........Fg&`......<......uninstallDlg2.xml.[m..6..~@.
.........v.b.....4..Z..".%.fW&U......7.(Y...\s.].v.X.4.....3b..._%....
r6...m!.".S..Z...gl.Lb...32..Hf..^.....)........O..;q-..T.....z6......
.s&#.p1.>.........|....1..Y......%; t..xjI...Q...M.9N2.<;@.~.p..
..\..A....\..u.....Q%...u..e.... ..'9\........\~.. .!I......v....x.t_D
.$Bw0.V.......4..8...Es....0L..lF..ET..8... p.k-x..qR.....~Kn.gK..'.d.
...%;...%GK..B.k.[.w....H.$y.Em.R...:Y.....l.v#..'.g...N3.u&........o.
.''..85....Cm..lE. .z.yQYH=.S.rJC........^.. .'...)..-..{..B{B$A......
z.....^.....Oe*..Su.[.."...g6.<...t..dk......xj..?.....N.".T#..:.7.
m~.......{...;.X......:.........PK..........KF.QN.............BFVUpdat
[email protected]~...``[email protected].
..2c..4..c..-j..4lQ..I....s.0 ........._..s>....<...|....3*.a.`D
.a.1./.....0.S_.f...y.!E......W.*l....7...........6..P\fH\.a.X^PxWPP@.
..}.W;.>?..lb...[Fbo. ..k...E...UJ..[...RN|[email protected]}. .}.\Y..
<<< skipped >>>

GET /3493_819a0752ed22bbe95df8b308cb03ea5a/2.zip HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: dlrkbt247pbk6.cloudfront.net


HTTP/1.1 200 OK
Content-Type: application/zip
Content-Length: 2824344
Connection: keep-alive
Date: Sat, 25 Apr 2015 22:53:14 GMT
Last-Modified: Sat, 25 Apr 2015 22:10:55 GMT
ETag: "4c86938e51066bff5850c4d13bd04972"
Accept-Ranges: bytes
Server: AmazonS3
Age: 15477
X-Cache: Hit from cloudfront
Via: 1.1 b56fc979704f01acc351fd21f5c956db.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ToidNhpZRgQAOOlzz_9Ubx7rR0C8DCE6FOA8WzVaSXwUFehH9T4sPw==
PK...........Ft.`j............428.db...7..qD..'.....<..A#.<y....
\...... ....<....g...R.gcsw(.xa..'.3g..EX.....'S.....a.K.s.|{W[.-..
.K....D2..^..^.Y.m.......N..(1...p1...b. 0......?......G.!;Q`......b..
..B.q....c.gnVp.................7AP49piUPK...........Fadb......$......
wpm_v20.0.0.2227.exe..S.fO.7..m.....i...9.i..m..m....F..^.7..oco..Du.S
'3OVfe./.!..I..........[*..qD]..g..A. ....M. .u?&............F..,.~T..
.p.// ...V..U`MY....T..Q................e..B....d...niB..06.a*..G.7.B.
fK...-..945.....2=..........N.\...'.|3..z.4.*........7h.M.$H........cc
C..l.p...;...Am........?......p7.}3pvE.x........}.Y......h.4..'....Ls.
.....Z.e.l.... [email protected].^L.].*..].. TV[`.}......\.!.j.2.Z......,.V.].
q,.G....{L....BV....d.....&...K...z...0^C#.5.,..V.q............5\$..|$
#........z~.s..xZW..=..%.p.W..;-.....C...t2.N....U...=B9#W...;w.....c&
gt;.......}JZ.}...l..=........u..D.......h....J...D..f..J7o$..;...\.sn
....p.".O..L...'.....wW.y.M...((.Z.XE'.....N{........NxW.;.3.....s.f..
......A.. .......a)p....Ul....HN..?}....H?t...d...A.....B<..]....Y?
...wF..#[email protected].. .E>...9.........U...w..F.....]o
}7....q..../7.....O.....=%O,.^..../...%...R6. r.g.[...q....sE......T..
L...2P.3.5..f....E.K'aI.K.I..bu<`f...Ie.G...E......w]H.....9p.<.
...X<....q.p..^8..\L..K. w.]65u?.....*.m.G.:.c...=..e.8..G....yj...
..GyC!.t.{ 5n.......N.,......./.Sg2.z.Zy.M.fk$N.\e..u`......l./.....@5
V|0..!.?.;.Ia*.8.).VF/..~/G..>...(........d.....K..].b....'.' i....
.........X9..G....=.9.*.&.....=...?..oP.1.\`B.....5....*........J.
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 412
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:21 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:11:20 GMT
Connection: close
Content-Length: 0



GET /3493/1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dzqx32c9j9ub.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Date: Sun, 26 Apr 2015 03:10:27 GMT
Location: hXXp://dlrkbt247pbk6.cloudfront.net/3493_bd05aad78249b1c64e2595545bff63b4/1.zip
Server: nginx
X-Cache: Miss from cloudfront
Via: 1.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: lfGEGgdK0mVn-5Kt_-UNdKN6mfUUHKOm62L8LbnjCXACsb2zakrfFQ==
HTTP/1.1 302 Moved Temporarily..Content-Type: text/html..Content-Lengt
h: 0..Connection: keep-alive..Date: Sun, 26 Apr 2015 03:10:27 GMT..Loc
ation: hXXp://dlrkbt247pbk6.cloudfront.net/3493_bd05aad78249b1c64e2595
545bff63b4/1.zip..Server: nginx..X-Cache: Miss from cloudfront..Via: 1
.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)..X-Amz
-Cf-Id: lfGEGgdK0mVn-5Kt_-UNdKN6mfUUHKOm62L8LbnjCXACsb2zakrfFQ==..nt>....


GET /3493/2 HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dzqx32c9j9ub.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Date: Sun, 26 Apr 2015 03:10:38 GMT
Location: hXXp://dlrkbt247pbk6.cloudfront.net/3493_819a0752ed22bbe95df8b308cb03ea5a/2.zip
Server: nginx
X-Cache: Miss from cloudfront
Via: 1.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Im_8czHimjKnGAcNNfyGUj0qJz-0ENwcmi_8AuK2DU-NjYOPJ5OKWA==
HTTP/1.1 302 Moved Temporarily..Content-Type: text/html..Content-Lengt
h: 0..Connection: keep-alive..Date: Sun, 26 Apr 2015 03:10:38 GMT..Loc
ation: hXXp://dlrkbt247pbk6.cloudfront.net/3493_819a0752ed22bbe95df8b3
08cb03ea5a/2.zip..Server: nginx..X-Cache: Miss from cloudfront..Via: 1
.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)..X-Amz
-Cf-Id: Im_8czHimjKnGAcNNfyGUj0qJz-0ENwcmi_8AuK2DU-NjYOPJ5OKWA==..



HEAD / HTTP/1.1
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-configs.buzzrin.de
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close



POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: WinHttpClient
Content-Length: 111
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceAction":"--install"
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:44 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1
Cache-Control: no-cache
Range: bytes=13927868-14682175
If-Match: "530494e7-e00840"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.soft-ware.net
Connection: Close



o.e[!..h4.x....L.m...g..E......S;Dt....,%...z]~.\h%...fAZ ...S.Ax..H..
-"..!Z..x.m.....`..H..di...@..^Y.......wVmw.........e.............W%".
...5..R..9*..9...|z_.c..2N.K......w.........h|.{s..f7.)p..........b..C
.@~K.1..g.(.t..q.....5t...F.j....."...../.e......ao.7.UFn.I(.Uk. ..M..
..(..EC...).:-.L.u.fnB.N.u.h.O..b...L.|.j.I..-.Z..R.l..&5..-r....I8.l.
.......>Kv....w.(....A.v..e....CIz..@(.L...WV.........l:.78.sn.7..T
.aT.;...p..."....C....ae'...%...i.xy........%....n..w>..)...%..@...
B....^....#_.../..f2.N[.r...?.Iz........N5^.3O\.~)l....*....3W.......l
>..*.%;Q..X.-..?.v8#.F.....>..=^v!.....v..a...e.".&.uE...KB...;t
/.8|f.s..t."[email protected].*... [email protected]..............~"./zi.3.X}T.
....ya.3f<....D....&<.....A... .`.....0..GAj.M.w.....4...-...iB&
gt;S.M7"....szn..xo....K@@.).W..j....b...Vc|..#.q.j....?....e...K...'.
6..2..?....Y^...f0.Rr.$9M3.......l\.71..w2..T...|l.w...4..S..V.....;u.
...j36.3.c21A2_}...../f..1..m._VL.g.........O....f.....;L...nu..X$aH4.
...eVM.,95x..}.........*....T., .e......B-G.F..'.`....y.. ...,31yE.%^.
TY....2.`.. .x...v.to5.S.......X.b...=...T1I...)....f....:.....).r`.$[
&\.^..c..G....G.'...........6e.e.M....zf..}.....v....&..U...k....1..Nr
#``.>..yM...........u...........t..;'..[......b..........J.=J.7.~..
..).T...x...ac ....L.n..B..y...-..3.&.d(........U{..C2.....*i.S......'
..J$o.._....}m8..=2.F. ..t.%.H.......P...j.).N'^9j.......\..:UA.P{.!..
...?.zH2...r.Z)X*.-5....5.....Y..r........C..Z.eE6......HBO(...k.h....
FJ.?....~..%..R.....Ag.]{&...G.i.62.....q}.t.{{....8u)..N...lL.=..
<<< skipped >>>


GET /?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF HTTP/1.1
Host: VVV.google.com.ua
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=0b33c0232bbc0542:FF=0:TM=1430017866:LM=1430017866:S=fe1czZG40Qeq5D8J; expires=Tue, 25-Apr-2017 03:11:06 GMT; path=/; domain=.google.com.ua
Set-Cookie: NID=67=mqPMZDz1cCx0Pj-pvR1nwH-gbdP6DogTst7rrF7YMYiAhqkWKGa_ICVWoN0Cp0DIZ4jJ3xGo2QEc5d0q7mjxyEImReYryKsiuer_xpbFJsPlmWB462RCtdz4Oyhu4UH6; expires=Mon, 26-Oct-2015 03:11:06 GMT; path=/; domain=.google.com.ua; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Sun, 26 Apr 2015 03:11:06 GMT
Server: gws
Content-Length: 276
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2
DNMm7geAF&gws_rd=ssl">here</A>...</BODY></HTML&g
t;..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=Slc8VYfXDM2DNMm7geAF&gws_rd=ssl..Cache-Control: private..Content-T
ype: text/html; charset=UTF-8..Set-Cookie: PREF=ID=0b33c0232bbc0542:FF
=0:TM=1430017866:LM=1430017866:S=fe1czZG40Qeq5D8J; expires=Tue, 25-Apr
-2017 03:11:06 GMT; path=/; domain=.google.com.ua..Set-Cookie: NID=67=
mqPMZDz1cCx0Pj-pvR1nwH-gbdP6DogTst7rrF7YMYiAhqkWKGa_ICVWoN0Cp0DIZ4jJ3x
Go2QEc5d0q7mjxyEImReYryKsiuer_xpbFJsPlmWB462RCtdz4Oyhu4UH6; expires=Mo
n, 26-Oct-2015 03:11:06 GMT; path=/; domain=.google.com.ua; HttpOnly..
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/a
ccounts/bin/answer.py?hl=en&answer=151657 for more info."..Date: Sun, 
26 Apr 2015 03:11:06 GMT..Server: gws..Content-Length: 276..X-XSS-Prot
ection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol
: 80:quic,p=1..<HTML><HEAD><meta http-equiv="content-ty
pe" content="text/html;charset=utf-8">.<TITLE>302 Moved</T
ITLE></HEAD><BODY>.<H1>302 Moved</H1>.The d
ocument has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&
;ei=Slc8VYfXDM2DNMm7geAF&gws_rd=ssl">here</A>...</
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 377
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ApplicationStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 0



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=372324, public, no-transform, must-revalidate
Last-Modified: Thu, 23 Apr 2015 10:40:21 GMT
Expires: Thu, 30 Apr 2015 10:40:21 GMT
Date: Sun, 26 Apr 2015 03:14:57 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015042
3104021Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150423104021Z....20150430104021Z0...*.H........
..........o.}"^O8.[....i...8..o4.....|..aJ.J...U..E[.../...\ .%.o..;.,
r~.0....xgZ...8..K..V.CQ..U...F1..D1..VwQ....<h~.*#........ [email protected]..
.-.6Y,Be...l*[email protected]......*.0.`U.U4...?_......>r..H.......q
...f..0.BD.w.m..-.f.@.%...LH.7..{........AV5......E.%.c.....#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 377
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:07 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ApplicationVisible","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:10 GMT
Connection: close
Content-Length: 0



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=369998, public, no-transform, must-revalidate
Last-Modified: Thu, 23 Apr 2015 10:00:09 GMT
Expires: Thu, 30 Apr 2015 10:00:09 GMT
Date: Sun, 26 Apr 2015 03:15:11 GMT
Connection: keep-alive
0..........0..... [email protected]
3100009Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.
8........c..uU..$.;.....20150423100009Z....20150430100009Z0...*.H.....
.........{...M...p.....?.T.}....;.. .....P...}....b.Q.)6.{....`;......
..23.P|9.S....C.......B.....?....k..N>........B..t6.$.o...([email protected].=..
....P...I.lm.J.M.}[`[email protected]#5.6si..M]...m.9....m.0.0..Tkf...
..t...hx...\...Q.#...YE.p....W. .4.7-.k...g..b..\.k..0.N....50..10..-0
..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authori
ty - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0
...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0..
.U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Netwo
rk1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30..
"0...*.H.............0..........6..]......w';.r........I..c..4.... ...
......TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a..
...i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....
I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=
...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. ...
......hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com
/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.
1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$.
.(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f...3
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=433884, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 03:44:50 GMT
Expires: Fri, 1 May 2015 03:44:50 GMT
Date: Sun, 26 Apr 2015 03:15:11 GMT
Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....2015042
4034450Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#.
...M....=....x..":...K.....20150424034450Z....20150501034450Z0...*.H..
...........t........=..O...i...9....... .J.5.]... ...[r.$M.!.bD...z...
.o...30^.u..l...6.N!.K.C......S.,'2......4.....l.... ....I..2.}.&..x..
/C2..x?$n..`.....-l.2..'.>[email protected]......$.x.....A.;....)U*R..r..i.
[]..T....5Q......t..R6..4.7u....3..`..c..xLk....i|.S....1.~.....0...0.
..0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Cod
e Signing 2009 CA0...150401000000Z..150630235959Z0..1.0...U....US1.0..
.U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSi
gn Class 3 Code Signing 2009 OCSP Responder0.."0...*.H.............0..
........z..|..>.....5.Z ...2.C MWIH.5......M.\.... ...eW..`.B=..`:.
.R. ...Z.k.Y.....p@.(3.c....a.;..[E....J:'...`...B....M..&......{. (..
......%......^[v[....m....*.T.o&4..3.....3.........G...e)...'?.K..2s..
8=?..z.:..T..-.8R..8wv7*U.K..c...<s...]{.........6.?_...........0..
.0...U....0.0....U. ...0..0......
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 381
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:35 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductDownloadStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:13:35 GMT
Connection: close
Content-Length: 0



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:11:45 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT
Expires: Wed, 29 Apr 2015 04:29:13 GMT
ETag: 24EB23ED03882CA15E50420D66220C73B4B82DDC
Cache-Control: max-age=263247,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp11
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0........~.=...<....8...22...2015
0425042913Z0s0q0I0... ........^..hl\.....W....r.=.....~.=...<....8.
..22....|....JR......4.....20150425042913Z....20150429042913Z0...*.H..
..............|.....4........o&E.L.?oP........k9f.....j....m....}...%.
..%l#....z...%.G...bf.Ks2v.,F..F..|g...v....)...T..{.>^.....!P.bg".
...........7..s.....*....)d....jp...iLF.'..[H|.F....a.....t.....X*.j..
 .8......3..<'q......X...2\;9..R......3.....VmD-C.....<.....%S.P
...g..!.`../(.V...?..!s.Y.2w.........i..)]8..r.jI.uk."....K`.c..2h..`t
....j..G..j............w1`.GG....BM`&,.... \NA.8..t.6x....'[email protected]....\
.Q.:...XR:..Z......<....=..U.0\........YWM._.....z~.e..2.......0..H
..q..RRc..7~....:....%.[H...9S..5`1.....@......



GET / HTTP/1.1
Host: VVV.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF
Content-Length: 260
Date: Sun, 26 Apr 2015 03:11:06 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=1
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2D
NMm7geAF">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geA
F..Content-Length: 260..Date: Sun, 26 Apr 2015 03:11:06 GMT..Server: G
FE/2.0..Alternate-Protocol: 80:quic,p=1..<HTML><HEAD><m
eta http-equiv="content-type" content="text/html;charset=utf-8">.&l
t;TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>
302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.goo
gle.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF">here</A>..
.</BODY></HTML>....



POST /upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=8d24dff12ad36c6
Host: 151.236.26.173
Cache-Control: no-store,no-cache
Pragma: no-cache
Content-Length: 104857685
Expect: 100-continue
Connection: Close


HTTP/1.1 100 Continue
....




--8d24dff12ad36c6..Content-Disposition: form-data; name="data"....aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
<<< skipped >>>
HTTP/1.1 200 OK


Server: nginx/1.2.1
Date: Sun, 26 Apr 2015 03:12:13 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type
raw-nginx-upload: 1
size=104857685....



GET /random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=8T635656147234101936 HTTP/1.1
Host: 151.236.26.173
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 26 Apr 2015 03:12:03 GMT
Content-Type: image/jpeg
Content-Length: 100101963
Last-Modified: Thu, 11 Sep 2014 08:52:17 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type
raw-nginx-upload: 1
Accept-Ranges: bytes
.....MExif..MM.*.............................b...........j.(..........
.1..... ...r.2...........i....................'.......'.Adobe Photosho
p CS6 (Macintosh).2013:03:22 14:39:08............................ ....
....... ..............................."...........*.(................
.....2...................H.......H.........XICC_PROFILE......HLino....
mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP
  ................................................cprt...P...3desc....
...lwtpt........bkpt........rXYZ........gXYZ...,[email protected]..
.T...pdmdd........vued...L....view.......$lumi........meas.......$tech
...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright
 (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1......
......sRGB IEC61966-2.1...............................................
...XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ...
...b.........XYZ ......$.........desc........IEC hXXp://VVV.iec.ch....
........IEC hXXp://VVV.iec.ch.........................................
.....desc........IEC 61966-2.1 Default RGB colour space - sRGB........
....IEC 61966-2.1 Default RGB colour space - sRGB.....................
.desc.......,Reference Viewing Condition in IEC61966-2.1...........,Re
ference Viewing Condition in IEC61966-2.1..........................vie
w.........._...............\.....XYZ .....L.V.P...W..meas.............
...................sig ....CRT curv.......................#.(.-.2.7.;.
@.E.J.O.T.Y.^.c.h.m.r.w.|.........................................
<<< skipped >>>


POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: PCSUNotifier
Content-Length: 329
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","ReportInstall":"affID=2380|keyword=installer|campaignID=ppi_2380_installer|uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1|requestID=","Error":1,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:45 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



POST /Servers.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "hXXp://tempuri.org/IServers/GetServers"
Host: VVV.speedcheckerapi.com
Content-Length: 797
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....




<s:Envelope xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/">
<s:Body><GetServers xmlns="hXXp://tempuri.org/"><userOb
ject xmlns:a="hXXp://schemas.datacontract.org/2004/07/SpeedInMyAreaSer
vice.Model" xmlns:i="hXXp://VVV.w3.org/2001/XMLSchema-instance"><
;a:Client><a:Id>30</a:Id><a:LicenseId>0</a:Lic
enseId><a:Type i:nil="true"/></a:Client><a:CountryCo
de i:nil="true"/><a:Id>0</a:Id><a:Location><a:
Accuracy>0</a:Accuracy><a:AvailableNetworks i:nil="true"/&
gt;<a:City i:nil="true"/><a:ContinentCode i:nil="true"/>&l
t;a:Country i:nil="true"/><a:CountryCode i:nil="true"/><a:
IPAddress/><a:LanguageCode i:nil="true"/><a:Latitude>0&
lt;/a:Latitude><a:Longitude>0</a:Longitude><a:Networ
k i:nil="true"/><a:PostCode i:nil="true"/></a:Location>
<a:Session i:nil="true"/></userObject></GetServers>&
lt;/s:Body></s:Envelope>

HTTP/1.1 200 OK


Cache-Control: private,no-cache
Content-Length: 2127
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=ypzfwrycec4mgl3qn3nydznl; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Accept
Access-Control-Max-Age: 1728000
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
p3p: CP=IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
Date: Sun, 26 Apr 2015 03:11:56 GMT
<s:Envelope xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/">
<s:Body><GetServersResponse xmlns="hXXp://tempuri.org/">&l
t;GetServersResult xmlns:a="hXXp://schemas.datacontract.org/2004/07/Sp
eedInMyAreaService.Model" xmlns:i="hXXp://VVV.w3.org/2001/XMLSchema-in
stance"><a:Server><a:Domain>46.246.126.220</a:Domain
><a:DownloadFolderPath>/</a:DownloadFolderPath><a:Id
>27</a:Id><a:Location><a:Accuracy>0</a:Accurac
y><a:AvailableNetworks i:nil="true"/><a:City>Stockholm&
lt;/a:City><a:ContinentCode i:nil="true"/><a:Country>Sw
eden</a:Country><a:CountryCode>SE</a:CountryCode><
;a:IPAddress i:nil="true"/><a:LanguageCode i:nil="true"/><
a:Latitude>0</a:Latitude><a:Longitude>0</a:Longitude
><a:Network i:nil="true"/><a:PostCode i:nil="true"/><
;/a:Location><a:Scheme>http</a:Scheme><a:Script>p
hp</a:Script><a:UploadFolderPath>/</a:UploadFolderPath&
gt;<a:Version>3</a:Version></a:Server><a:Server&g
t;<a:Domain>151.236.26.173</a:Domain><a:DownloadFolderP
ath>/</a:DownloadFolderPath><a:Id>28</a:Id><a:
Location><a:Accuracy>0</a:Accuracy><a:AvailableNetwo
rks i:nil="true"/><a:City>Zurich</a:City><a:Continen
tCode i:nil="true"/><a:Country>Switzerland</a:Country>&
lt;a:CountryCode>CH</a:CountryCode><a:IPAddress i:nil=
<<< skipped >>>

POST /TakenTests.svc HTTP/1.1


Content-Type: text/xml; charset=utf-8
SOAPAction: "hXXp://tempuri.org/ITakenTests/SaveTakenTest"
Host: VVV.speedcheckerapi.com
Content-Length: 1795
Expect: 100-continue


HTTP/1.1 100 Continue
....




<s:Envelope xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/">
<s:Body><SaveTakenTest xmlns="hXXp://tempuri.org/"><val
ue xmlns:a="hXXp://schemas.datacontract.org/2004/07/SpeedInMyAreaServi
ce.Model" xmlns:i="hXXp://VVV.w3.org/2001/XMLSchema-instance"><a
:BandwidthMonitor><a:TotalDownloadedKiloBytes>60632</a:Tot
alDownloadedKiloBytes><a:TotalUploadedKiloBytes>120064</a:
TotalUploadedKiloBytes></a:BandwidthMonitor><a:Download>
;<a:estimatedTime>0</a:estimatedTime><a:speedInKbps>
58143</a:speedInKbps></a:Download><a:Id>0</a:Id&g
t;<a:Ping><a:time>54</a:time></a:Ping><a:Se
rver><a:Domain>151.236.26.173</a:Domain><a:DownloadF
olderPath i:nil="true"/><a:Id>28</a:Id><a:Location i
:nil="true"/><a:Scheme i:nil="true"/><a:Script i:nil="true
"/><a:UploadFolderPath i:nil="true"/><a:Version>0</a
:Version></a:Server><a:Upload><a:estimatedTime>0&
lt;/a:estimatedTime><a:speedInKbps>96696</a:speedInKbps>
;</a:Upload><a:User><a:Client><a:Id>30</a:I
d><a:LicenseId>0</a:LicenseId><a:Type i:nil="true"/&
gt;</a:Client><a:CountryCode i:nil="true"/><a:Id>0&l
t;/a:Id><a:Location><a:Accuracy>0</a:Accuracy><
;a:AvailableNetworks i:nil="true"/><a:City i:nil="true"/><
a:ContinentCode i:nil="true"/><a:Country i:nil="true"/>&l
<<< skipped >>>
HTTP/1.1 200 OK


Cache-Control: private,no-cache
Content-Length: 2657
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=szolizomig3ow3rakeo0hfdt; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Accept
Access-Control-Max-Age: 1728000
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
p3p: CP=IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
Date: Sun, 26 Apr 2015 03:12:23 GMT
<s:Envelope xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/">
<s:Body><SaveTakenTestResponse xmlns="hXXp://tempuri.org/">
;<SaveTakenTestResult xmlns:a="hXXp://schemas.datacontract.org/2004
/07/SpeedInMyAreaService.Model.Callback" xmlns:i="hXXp://VVV.w3.org/20
01/XMLSchema-instance"><a:Error i:nil="true"/><a:Warnings 
i:nil="true"/><a:Provider xmlns:b="hXXp://schemas.datacontract.o
rg/2004/07/SpeedInMyAreaService.Model"><b:CancelPolicy i:nil="tr
ue"/><b:Id>272488</b:Id><b:LogoURL i:nil="true"/>
<b:LogoURLHeight50 i:nil="true"/><b:LogoURLWidth60 i:nil="tru
e"/><b:MacCodePhoneNumber i:nil="true"/><b:Packages i:nil=
"true"/><b:SalesPhoneNumber i:nil="true"/><b:Title>IP-C
om Ltd</b:Title></a:Provider><a:TakenTest xmlns:b="http
://schemas.datacontract.org/2004/07/SpeedInMyAreaService.Model"><
;b:BandwidthMonitor i:nil="true"/><b:Download><b:estimated
Time>0</b:estimatedTime><b:speedInKbps>58143</b:spee
dInKbps></b:Download><b:Id>203422294</b:Id><b:
Ping><b:time>54</b:time></b:Ping><b:Server>
<b:Domain i:nil="true"/><b:DownloadFolderPath i:nil="true"/&g
t;<b:Id>28</b:Id><b:Location i:nil="true"/><b:Sch
eme i:nil="true"/><b:Script i:nil="true"/><b:UploadFolderP
ath i:nil="true"/><b:Version>0</b:Version></b:Server
><b:Upload><b:estimatedTime>0</b:estimatedTime&g
<<< skipped >>>


GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/pcspeedup-single-text-en-us.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: MRI81vfcQ vh8/lDL LOAg==
Content-Type: application/octet-stream
Date: Sun, 26 Apr 2015 03:10:08 GMT
Etag: 0x8D244DC9EE7A8CA
Last-Modified: Tue, 14 Apr 2015 15:12:56 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 1a704b88-0001-0013-33ce-7f50d1000000
x-ms-version: 2009-09-19
Content-Length: 42673
Connection: close
PK...........D.........D......index.html.\...Gv......fa.V..d...if.j...
...$....A..H....]U=.. .....H.$.y..@^!....H.H.B.\..,........S.9....g...
Fb......:..>8^).....^.L......(W^.._... }{.;3.W.?.mJ....;.y...!.g"YI
..?...8.C..d........s=aUv.s~.).R......I.......:b...........;...J......
../....?..p...S.....,."..........[i.Y,....D.u.....S...@...).r..).\*.VY
.[~.3..R.<....N.1a..o.z../.. .{8X..r....}.d:.i..8|p.S...x%....R.J..
.........^..d.Ti./...i.i.p_.t...2x.m..E.~.....fH..j....f^.I.JO|...6/..
tK.ne..0.....D..M...P.."^..}b...V..2....2..., ...>......^w...i...8.
.f...x.w...(..S.#..........Gt8....i..T.....3\...T1.u.......h..../6..N.
...l.N9..fX...;..2....G..6.........o.<~...$")...H..m.h..|...'..W.0.
.Y)..w...o....U...`. ..t.d.....3..."q........;e..\.......C.H...G..!...
....j1.m...%.V..=....G..U.HW..".p..7....nt) 1...-2.....o.\5w..by../...
.89.=.q..G.3.-.Yf.S.....B..P....jt.>.\.$..HTt_$..7."Uo.......k<~
&.8.k.2U,...=z..D..........8.Zj.{.Y.h.g...U........O....5.(...J.Q.-..q
.W...v..C.b|1...|7>...7..K.....D.)>..*...0:..5p...R.......W.".TK
...jec...z.en.D.....n.s.gA[U....g.&< ..F....^P;Q......7Hue......4..
...s0...^'U&.8...r.L.....wzW..l.Cp...EZ.(..J`..=...F...b*..l8..../9>
;F-./N.....x6.6.......f4.C....G...d...v.Vs...cZa.ws[.O4 ......Z. [email protected]]
xd...B.J.a..7.T......*...:..b ..,..5. d.C._.;..!.".m~AV53. VD\.uV... .
,...9...J...B[........=..X..66..&...%.{.....9..z1..@#3C.a* ....1dC.(..
[email protected]..;.Nu...:q*]....v.....IN..H...e.H".C..v. ..${\1.m.>..Zs.%.
..`=8......%.aq.."[email protected]%,........L....Oq
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:12:03 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT
Expires: Wed, 29 Apr 2015 04:29:13 GMT
ETag: 24EB23ED03882CA15E50420D66220C73B4B82DDC
Cache-Control: max-age=263229,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp11
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0........~.=...<....8...22...2015
0425042913Z0s0q0I0... ........^..hl\.....W....r.=.....~.=...<....8.
..22....|....JR......4.....20150425042913Z....20150429042913Z0...*.H..
..............|.....4........o&E.L.?oP........k9f.....j....m....}...%.
..%l#....z...%.G...bf.Ks2v.,F..F..|g...v....)...T..{.>^.....!P.bg".
...........7..s.....*....)d....jp...iLF.'..[H|.F....a.....t.....X*.j..
 .8......3..<'q......X...2\;9..R......3.....VmD-C.....<.....%S.P
...g..!.`../(.V...?..!s.Y.2w.........i..)]8..r.jI.uk."....K`.c..2h..`t
....j..G..j............w1`.GG....BM`&,.... \NA.8..t.6x....'[email protected]....\
.Q.:...XR:..Z......<....=..U.0\........YWM._.....z~.e..2.......0..H
..q..RRc..7~....:....%.[H...9S..5`1.....@......



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 417
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 0



GET /v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=cvs.visit.mystartsearch&update1=ref,cvs&update2=identifier,installer&update3=version,6.3.7602.2124&update4=nation,us&update5=language,en HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:10:59 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
57.............V*.I,)V.R..V.Q*..M....LL.r......... .....T........<.
....S......T..Z.]. .H.....0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Da
te: Sun, 26 Apr 2015 03:10:59 GMT..Content-Type: text/html; charset=ut
f-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By:
 PHP/5.3.3..xa-api-version: v4..Content-Encoding: gzip..57............
.V*.I,)V.R..V.Q*..M....LL.r......... .....T........<.....S......T..
Z.]. .H.....0......


GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.dlzip1.mystartsearch.finish,1 HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: xa.xingcloud.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:01 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
Content-Encoding: gzip
56..............A..0....,9.XO.o..R$...$..z....2d.v. ,n.i..x.p....`....
.......3 ..~.P6>H.....0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Dat
e: Sun, 26 Apr 2015 03:11:01 GMT..Content-Type: text/html; charset=utf
-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: 
PHP/5.3.3..xa-api-version: v4..Content-Encoding: gzip..56.............
.A..0....,9.XO.o..R$...$..z....2d.v. ,n.i..x.p....`...........3 ..~.P6
>H.....0..



GET /COMODORSACodeSigningCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.comodoca.com


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:12:13 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 25839
Last-Modified: Sat, 25 Apr 2015 08:50:59 GMT
Connection: close
X-CCACDN-Mirror-ID: h6edcacrl6
Accept-Ranges: bytes
0.d.0.c....0...*.H........0}1.0...U....GB1.0...U....Greater Manchester
1.0...U....Salford1.0...U....COMODO CA Limited1#0!..U....COMODO RSA Co
de Signing CA..150425085059Z..150429085059Z0.b.0".......,i....P.'.7...
130725153017Z0"......6(...U..)V.6...130731153941Z0!.._#..I..$.d..$%...
[email protected]!.......~...}....*..
.140327125438Z0!..xtW.u....tf. T.h..140407130614Z0!..^uc..'.....p.....
.140407130622Z0!..2..v.s..f..3#.'...140414130006Z0"....R|..Z.I...U47..
..140429145655Z0!..h..&.Oe..j.L.}....140502134858Z0!..R.x ..c\.;.-n.j.
..140505165508Z0!..6...Ci.WM.........140519192807Z0!..e..IJ... .[.C...
..140520152605Z0"......>.-.n..f]...(..140526042357Z0"....,b...3fP.}
...d...140527111014Z0!..o.K....'.U..KH.-..140527152547Z0".........%...
..<.....140528165921Z0!.....~2.....f$j.....140530162719Z0"....4q...
.e[.........140602104040Z0!..*...ox..BTt..R!...140605144057Z0!......y.
j*......1...140606161714Z0"....W..~....l........140606190404Z0".......
|BP[...5L ....140606190440Z0"........1(...v...>a..140610185012Z0!..
AI..y}I...v.......140610185029Z0!..4..k...,G.DJH.N...140610210158Z0"..
..T.q..i.1....T....140611033025Z0!..f.<.M]@......9.|..140616152648Z
0!.......O*<R..SHx.C..140620190555Z0"......oU.fU..........140623111
824Z0!../,V..r.&.uNn..*...140707151821Z0!..O..].9/.M;........140711123
959Z0".........i[.....a{...140723190533Z0!..).'..\.H....z.pP..14072519
3446Z0"....__.H....Y...B.|..140729143516Z0"....v.>.D.D..g`#[email protected]
731221657Z0!...J.>j.1K/..Qt.....140801080058Z0!..pc.yB..,.w.J..
<<< skipped >>>


GET /0.gif?2920516&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:13:08 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Set-Cookie: CountUid=5447eecb-9eym-433b-b267-e4aef67e236e; domain=.histats.com; Max-Age=31536000; Expires=Wed, 13-May-2015 03:53:37 GMT
GIF89a.............!.......,...........D..;..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:12:09 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Fri, 24 Apr 2015 22:51:17 GMT
Expires: Tue, 28 Apr 2015 22:51:17 GMT
ETag: 9EE11AD5AC8713D60F5AFA8AE83EEB12ACE092D7
Cache-Control: max-age=242947,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp11
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0......).`..M....j....K.I....2015042
4225117Z0s0q0I0... .........w....;.i.4.U.B.......).`..M....j....K.I...
.wY.^Z.....U[R../....20150424225117Z....20150428225117Z0...*.H........
.........7.a(..p..-^o9v.m...bJ...g.$o&.1.,.X.I.fO].W.......#..o.....M.
....P...pV.....e,.......a.7aji...$..q..n._.....t..Mb....WY..........E/
.....u..%..Z.U..a..7.k.....k&.Q...:.D*...4.....B....6$ZN)..A.@.=..qd..
( oGw........'.o...\K(.pl..........Svs..i.y]._..q0F..



POST /upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=8d24dff12ad36c6
Host: 151.236.26.173
Cache-Control: no-store,no-cache
Pragma: no-cache
Content-Length: 104857685
Expect: 100-continue
Connection: Close

--8d24dff12ad36c6
Content-Disposition: form-data; name="data"

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 26 Apr 2015 03:12:13 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type
raw-nginx-upload: 1
size=104857685....



GET /featurelimit.aspx?productID=1&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&requestID=&version=3.9.8.0&language=&campaignID=&QuickScan=0 HTTP/1.1
Connection: Keep-Alive
User-Agent: PCSUService
Host: VVV.pcsuapi.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=qetcfykw3vkgigcqmryiy12j; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:11:44 GMT
Content-Length: 1
6HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; cha
rset=utf-8..Server: Microsoft-IIS/8.0..Set-Cookie: ASP.NET_SessionId=q
etcfykw3vkgigcqmryiy12j; path=/; HttpOnly..X-AspNet-Version: 4.0.30319
..X-Powered-By: ASP.NET..Date: Sun, 26 Apr 2015 03:11:44 GMT..Content-
Length: 1..6..



GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.hp HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.19 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 20
15 03:11:04 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"1.19 ms","message":"store 1 ac
tion and 0 update "}..0..



POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=speedtest HTTP/1.1
Content-Type: text/plain
Host: VVV.pcspeeduplog.com
Content-Length: 485
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....




"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"Serve
r":28,"Ping":54,"DkB":60632,"UkB":120064,"DBkB":63135,"UBkB":124536,"D
T1Min":1935.093,"DT1Max":134247.289,"DT1Avg":48989.005,"DT1Med":52042.
086,"DT2Min":26235.036,"DT2Max":89900.123,"DT2Avg":58143.138,"DT2Med":
54091.422,"DT3Avg":48980.291,"UT1Min":17095.706,"UT1Max":106265.627,"U
T1Avg":96695.986,"UT1Med":102063.821,"UT2Min":102063.821,"UT2Max":1062
65.627,"UT2Avg":104293.693,"UT2Med":104264.702,"UT3Avg":96543.353

HTTP/1.1 200 OK


Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:12:24 GMT
Content-Type: text/plain
Content-Length: 17
Connection: keep-alive
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 420
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckSuccessful","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 0



GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow-5-text-en-us.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: evzyomLfdykbHeHg wF1rg==
Content-Type: application/octet-stream
Date: Sun, 26 Apr 2015 03:10:08 GMT
Etag: 0x8D218DF91BA1080
Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 7a5ce9f7-0001-0009-57ce-7f7fbe000000
x-ms-version: 2009-09-19
Content-Length: 47048
Connection: close
PK........t.GE........>.......index.html.Wmo.6.......W.6:Kq[.C".H..
....I7..@I'..E.$e....w.$G..4...6.;.=..K....g..\....b..OQ.K.....v...[..
(l~{..,C.......cz...i....(I.]L-...i8!i......~?......o...-.j.%.DL...0..
......i.?..W..cR. K.Nczc...5..|.,..WA.epc(......$..'/.y-S..........bJ.
...D.t..*..tv..N..T...'....l...&@&....UU.`.`....$[..2n*f....N..,.=....
..JV.=&..G...<.}..PY.....c.J.v.,M.6....u.,..i..L.....IL.&}.^....2..
.V.jA;%<'.=.>.....]....s.n.v{.M....v....yD.'&..x.3J.o;.W...p..X.
..........P.U.3'{.s........H..m/x..]?r...*.S .?.z.>..4_u.}R....B.a{
. .o..6...0...9.......'&a_..U..,T.k.!.J."f..RL*....8!.%.....Q.s..Wk...
:. .^{...m......X..[k...$g.t'...f.1...w....R....5I.3&....b......" ....
...3"..,...aP2[...7.8._....]..q..9..xf.7.T....2J...U..Sz....F(..s....`
.0G."..........Z..._,F(....XEl...VL....u.-.....T'Y...|..J.......z..u..
.lL.!.T....D.h.V.......L.1.c`.Ey).a7O..o...(pP`...I W..~?>qY..b....
...(b.......%X......D0.of.7....f.....|.4..lXa.2![%ty...i..1....Jf..K..
}...s..{#[email protected].*......(.......T...5.c.zqT...}..,^..%K...Tk.
;[email protected]@5.....p.../......PK........CK.D-.b
.....C.......css\style.css.V...0.]'R..mT.]..y4%......Xq.e...^..;~....T
P..3...9.'.. z[-.\..U...ipI...O....."..bqG........{..eI...'$p.....W...
.j.=~....Z..r...U...K.(......M*.B....{.s"........r..}.M...c..$..:....R
I(.'....o..h...dcn....!xC-?N.....\n4WU....s.h{..N......;p..qU..?q.$n..
c"I...2 .n.-.g. ..([email protected]..."..`.5A..%.R...I.....$.;..
|....I...w...K..A.....^=...BY.u.....A}v........A..*z.x.]...y|...).
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 406
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:58 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferAccepted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:57 GMT
Connection: close
Content-Length: 0



GET /v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,cvs HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.36 ms","message":"store 3 action and 5 upd
ate "}..0......


GET /v4/sof-ient/535559167_198339_B48A115F?action1=install.cvs HTTP/1.1


Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.66 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 20
15 03:11:19 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"1.66 ms","message":"store 1 ac
tion and 0 update "}..0..



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 397
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:20 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:19 GMT
Connection: close
Content-Length: 0



GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.soft-ware.net
Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:13:16 GMT
Content-Type: application/octet-stream
Content-Length: 14682176
Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT
Connection: close
ETag: "530494e7-e00840"
Expires: Tue, 26 May 2015 03:13:16 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x
..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7.......
.................PE..L....l.K.................d.......B..K5...........
[email protected]......`.................................
...............3.P)...................................................
........................................................text....c.....
..d.................. ..`.rdata...............h..............@[email protected]
[email protected]....,........................
......rsrc...P)....3..*..................@..@.........................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
......G..H.P.u..u..u...|[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ
<<< skipped >>>


GET /0.gif?2920520&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CountUid=5447eecb-9eym-433b-b267-e4aef67e236e


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:15:09 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:11:45 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT
Expires: Wed, 29 Apr 2015 04:29:13 GMT
ETag: D60CF3FEA10920BFD9223C04D2095561967D1DBA
Cache-Control: max-age=263247,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp11
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........z4.&...&T....$.T...2015042
5042913Z0s0q0I0... ........|.fT...D.b&...e{.z.......z4.&...&T....$.T..
.'f.V.I....p...."....20150425042913Z....20150429042913Z0...*.H........
.....M.he.#b$...d.<....x.....8.n|..ak,....P..z...K....... .......,.
...qv..!...........s..........8&.D....>..$e..L,L.V..Z.......z......
..z...!..O..1....1>.%.F...\...m...7..[1.]..l..//B,.OG........Q.h..:
b.~F_.\;..eb..~... .........TI*p........e0.C....).....b=..k...



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=487986, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 18:45:16 GMT
Expires: Fri, 1 May 2015 18:45:16 GMT
Date: Sun, 26 Apr 2015 03:14:52 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015042
4184516Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20150424184516Z....20150501184516Z0...*.H.....
........|.k`.#..:..."...8....:Hu%.....Pf...sS.!.Og.....4.......R.Y..e.
.....mG.-.&.Q....}..*.S......!.^.. .&S.)..o...ij.2.....^4.D.Y..N...a..
.a.-".p_E]..M....c..9.!8.%..u<...)........z}......R.j3B..l.........
........@...!......=m....<.Ep.....,...|......1.BwP.9"........0...0.
..0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...141202000000Z..151216235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
 Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Cert
ificate 30.."0...*.H.............0...............2&..PL...,..2....:..t
H...`JG.%..*...s.c%[email protected]"1.5?..s..
...3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$".
.$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.
6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E...
.0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.
symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0
!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U
.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=433801, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 03:44:53 GMT
Expires: Fri, 1 May 2015 03:44:53 GMT
Date: Sun, 26 Apr 2015 03:14:52 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....2015042
4034453Z0s0q0I0... ...................F....0.yV......{&.K......&......
....'[email protected]...*.H........
.....$S....KNR".3....>E..y..c.C.=......{Z..=bOT....f...5...eE......
...<....I..:..'....T.JI.;..&:p...'TQ.9J.zg/B...Y ...}X9.K.>..R..
./Z.o].3"..l....}..;.%.."D.tm..B...7UKV.......D...r..o|..e......&.....
......6...../xV.*p..T.._......!x..G...C...d....l...yIaQCi.......0...0.
..0............F...I]A([email protected]...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Cod
e Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0..
.U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSi
gn Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0..
.......q<...A...#......A...u..Lz.............o..D.vQ%..s.......f...
.e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p..
..M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L.
..5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0.
..U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.ve
risign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS in
corp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U
........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..
............-..^.........f.P`...s.....8.....V.......... .... B.(@-
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 403
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:45 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:45 GMT
Connection: close
Content-Length: 0



GET /gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:14:44 GMT
Content-Type: application/ocsp-response
Content-Length: 1493
Connection: keep-alive
Set-Cookie: __cfduid=d7f9e022abe6711ba67b77f3cb2fa0be01430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.globalsign.com; HttpOnly
X-Powered-By: Servlet/3.0; JBossAS-6
ETag: e1d3bf0704693f9610586c5ad76eac842e52e7bd
Expires: Sun, 26 Apr 2015 11:19:01 GMT
Last-Modified: Sat, 25 Apr 2015 23:19:01 GMT
Cache-Control: max-age=180, public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1dcf1e8163e21595-FRA
0..........0..... .....0......0...0.......9e.K.....__..........2015042
5231901Z0u0s0K0... ........)[email protected]...^./.....2k.
..!'=e.,.KdXe.I..6m....20150425231901Z....20150426111901Z0...*.H......
.....A...Xh8....S.]P..9...=..h... !......%.>.o...B..Yg%f....o.z....
......_..."$C...H.gl.h)..3.......u...H/..W..!.Va.......c....-.g.n...`.
......i-._..%....a..zR._.\..:</...!.I.....u..U.'.5..0.{...=..>..
.].a..}...M7....].......l....e...(...f.... [q_..W|.ma.(...hI....0...0.
..0...........!J .v...._......60...*.H........0Z1.0...U....BE1.0...U..
..GlobalSign nv-sa100...U...'GlobalSign CodeSigning CA - SHA256 - G20.
..150324152349Z..150624142349Z0..1.0...U....BE1.0...U....GlobalSign nv
-sa1C0A..U...:GlobalSign CodeSigning CA - SHA256 - G2 OCSP responder -
 11.0...U....201503241623000.."0...*.H.............0.........8..|Z....
.|j......q..*d....Q...{.;G....%.!(9.gD...k.. ....(....~&.(........a'.o
...%..ap...x...5*.........Vx.......55.....7..5....kL..E1M...L....?...s
....#...,n........../...'..:...z..R.....w...Fw.n...nd.e....0v.^.......
">G..}|..z.Y*<:./.D&.j.9.)../...rD.A........0..0...U....0.0...U.
..........0...U.%..0... .......0... .....0......0...U.......9e.K....._
_........0...U.#..0....J.Z.M1...^./.....2k0...*.H................}[...
xH..t-N..e...cSd..0.4.&.m......2J...r.....4.d..m... .>..uS.w...4.&g
t;.(...A.....h...:=..\q.l.hf.t"...=........=..Z...Z.....K.v...Y. .....
...'B.C...U3........h?....b...!1.<h.%4...o.h.{..!.!Y.G....."...H.Q.
q.>..a.<.......G.7..X.OM..>7|b.....i.q....u..kF..
<<< skipped >>>


GET /download/F/8/C/F8C0EACB-92D0-4722-9B18-965DD2A681E9/30514.00/Silverlight.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: PCSUInstaller
Host: download.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 14 May 2014 07:41:33 GMT
Accept-Ranges: bytes
ETag: "3a12baed476fcf1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6958304
Date: Sun, 26 Apr 2015 03:11:22 GMT
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........K...K...
K.......D...K...!......._.......J.......J...RichK...................PE
[email protected]... ........... ..............
..................k.......... .......................... .............
............i..<...........!.......................................
........ ...............................text...`w... ...x.............
..... ..`.data................|[email protected]..
~..............@..@...................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................n...D...4..............
.....................Z...............|................................
...&...2...:...T...n...........................................&...:..
.P...n...x...........................................>...L...f...~.
.............................."...<...R...h.......N...\...8...(....
...................................b...........>...&...............
....n...:...H...T...`.................................................
..................................Hn.@.............&..............
<<< skipped >>>


GET /partners/pcspeedup.exe HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: pcspeedup-7ff.kxcdn.com
Connection: Close


HTTP/1.1 200 OK
Server: keycdn-engine
Date: Sun, 26 Apr 2015 03:11:20 GMT
Content-Length: 6929152
Connection: close
Last-Modified: Mon, 13 Apr 2015 09:48:40 GMT
ETag: "552b90f8-69bb00"
X-Edge-Location: rumo
Content-Type: application/octet-stream
Content-Disposition: attachment
Accept-Ranges: bytes
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L......N............
.....P..........xd.......p....@..................................>j
[email protected]......
.......................................................P...L..........
..................text....C.......D.................. ..`.itext.......
`.......H.............. ..`[email protected]
s.....W...........b...................idata...............b...........
...@....tls.................r...................rdata...............r.
.............@[email protected]..............@..@.............
........&..............@..@...........................................
......................................................................
[email protected].........
[email protected]([email protected]......@...............................@..
[email protected]@..:@..:@..:@..:@..:@..:@[email protected]@[email protected][email protected]
[email protected]...%..A....%..A....%..A....%..A....%..A....%..A....
%|.A....%..A....%x.A....%..A....%..A....%..A....%..A....%..A....%..A..
..%..A....%..A....%..A....%..A....%..A....%t.A....%..A....%..A....%..A
....%h.A....%d.A....%`.A....%..A....%..A....%X.A....%T.A....%P.A....%.
.A....%..A....%..A....%..A....%..A...S..........$D...T.J....D$,.t.
<<< skipped >>>


GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1
Cache-Control: no-cache
Range: bytes=11255344-14682175
If-Match: "530494e7-e00840"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.soft-ware.net
Connection: Close


HTTP/1.1 206 Partial Content
Server: nginx
Date: Sun, 26 Apr 2015 03:13:17 GMT
Content-Type: application/octet-stream
Content-Length: 3426832
Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT
Connection: close
ETag: "530494e7-e00840"
Expires: Tue, 26 May 2015 03:13:17 GMT
Cache-Control: max-age=2592000
Content-Range: bytes 11255344-14682175/14682176
|.zv.y...3..O .K.&Xh^T)......k\.$..........._.).#.l.X..VFe....`......=
[email protected] ...Y.......9.. h......(.}.#*"bD..c.z*....R&c.U]^
o,<lB...DG.....bB1DR...........O]..%..>{3~.....y...)....e..|.*u.
....X...2....*.}..Ek..Y.N#..v?.".";Ltx...N....BT.f..X....*.&...3...R.h
.7 [email protected].)..C..L.#<.z.?....L=.!...l.U.L3.?.....,..M8..9.N~...
./.>...K...<..O..?.?.!.....8.<.m.Hc.8..d....U[.E..p..#..f.?..
.!.kt..r...L[..A..}....M.AF...........=.SdTcd-....p......T...p;:......
.%>.I.d..32..5$W..E5.......[[email protected].......
.<.z.R.yln...h...8.T......d^.T.9.I'.I......|.;.U..&..0....,.....tpz
{k.....o#..6t.cO..4......b..}..a..BKN....U1..U..........9......[.....*
Y..>d..T........i.\.r.l...:......"......66.A.....N..R.x&...b...../j
..... 3.O.h...{.9{ ...{.g. g..!.....ZYz...@...`=..q;..tJ....M..zOm....
@[email protected].,G.......J.v.Z... -......>3.y\ ..1vg.j......,..Lj..HI..
.T......Z.j\.{..1..PiE..<..6O......?.....v....d(h....b..|./..a..$\.
TU.....C.|8(&v...g..qw.".Rn#..Im........"^8...|.S....M{P....*r.]^.....
..:%......U.M...B..'So.V..r....... hQ9.Z...ps......,G................v
..S,...T.?Kc..y.t.,.j. ...^..t.|%.S.?N|.92.5U"U....Q..j..o.\..hpiq.G..
... ..s.7..85vo...KG...N..h... ..i.d.^S..........*[email protected].:..
 ..n.......e.b..:c....zU..]..k.....R|b...3.%...7LX..........S...].....
..$..9NO#[email protected]..%..........Xz......Mb......'T.nay.........J....
.....%r>.....Y^,.U.d..]R..."..Q....>'.V....HKt&.j.}(.d......,.[.
 .W.....r..C....w..# .'.L$.. ...M..:uq...C...vr...0.I{....R.6....q
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 411
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 0



POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: PCSUNotifier
Content-Length: 219
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","Silverlight":"Download","OK":200,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:23 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:14:57 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=116023, public, no-transform, must-revalidate
Last-Modified: Sun, 26 Apr 2015 01:10:27 GMT
Expires: Mon, 27 Apr 2015 13:10:27 GMT
ETag: "c30fade8d543f5204181f6438f822d3f1b5d2cff"
Content-Length: 1741
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.....0..1.0...U....US1.0...U....Ari
zona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Dad
dy Root Validation Authority - G2..20150426011027Z0d0b0:0... .........
#o..K......#..... ...:....g(.....An ............20150426011027Z....201
50427131027Z0...*.H.............f...>N../_..*........*.......#.....
a.......2.....&jB3.!!9s/o.(3.....-.z....).*.k..n..'<Q.../..I.....G.
U~.V.E5 .......2...e... . .!)(L.<pf.......-........\ .1.1(..|.....0
..?.>...4y..W.!..0l.Qd).....iN$:>&..O.m.s... ....N.........!.le.
.....|.D.. ....#Dv|y.......0...0...0..q..........t....o0...*.H........
0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDa
ddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...15
0316070000Z..160316070000Z0..1.0...U....US1.0...U....Arizona1.0...U...
.Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Valida
tion Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...
&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;...
.C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7..
..p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2
%.|c...A....Fk.T..24.0B...p.........0..0...U.......0.0...U...........0
...U.%..0... ......... .......0...U.......O........f...e..r..0... ....
[email protected]./hXXp://crl.godaddy.com/repository/gdroot-g2
.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/r
epository/0...*.H.............bW%D.2.X..U[0d..........|.BaG.Y.?.u.
<<< skipped >>>


GET /random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=7T635656147234101936 HTTP/1.1
Host: 151.236.26.173
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 26 Apr 2015 03:12:03 GMT
Content-Type: image/jpeg
Content-Length: 100101963
Last-Modified: Thu, 11 Sep 2014 08:52:17 GMT
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type
raw-nginx-upload: 1
Accept-Ranges: bytes
.....MExif..MM.*.............................b...........j.(..........
.1..... ...r.2...........i....................'.......'.Adobe Photosho
p CS6 (Macintosh).2013:03:22 14:39:08............................ ....
....... ..............................."...........*.(................
.....2...................H.......H.........XICC_PROFILE......HLino....
mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP
  ................................................cprt...P...3desc....
...lwtpt........bkpt........rXYZ........gXYZ...,[email protected]..
.T...pdmdd........vued...L....view.......$lumi........meas.......$tech
...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright
 (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1......
......sRGB IEC61966-2.1...............................................
...XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ...
...b.........XYZ ......$.........desc........IEC hXXp://VVV.iec.ch....
........IEC hXXp://VVV.iec.ch.........................................
.....desc........IEC 61966-2.1 Default RGB colour space - sRGB........
....IEC 61966-2.1 Default RGB colour space - sRGB.....................
.desc.......,Reference Viewing Condition in IEC61966-2.1...........,Re
ference Viewing Condition in IEC61966-2.1..........................vie
w.........._...............\.....XYZ .....L.V.P...W..meas.............
...................sig ....CRT curv.......................#.(.-.2.7.;.
@.E.J.O.T.Y.^.c.h.m.r.w.|.........................................
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 407
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:58 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:58 GMT
Connection: close
Content-Length: 0



POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: PCSUNotifier
Content-Length: 204
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","installerStart":1,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:21 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:11:45 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Fri, 24 Apr 2015 22:51:17 GMT
Expires: Tue, 28 Apr 2015 22:51:17 GMT
ETag: 9EE11AD5AC8713D60F5AFA8AE83EEB12ACE092D7
Cache-Control: max-age=242971,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: h6edcaocsp11
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0......).`..M....j....K.I....2015042
4225117Z0s0q0I0... .........w....;.i.4.U.B.......).`..M....j....K.I...
.wY.^Z.....U[R../....20150424225117Z....20150428225117Z0...*.H........
.........7.a(..p..-^o9v.m...bJ...g.$o&.1.,.X.I.fO].W.......#..o.....M.
....P...pV.....e,.......a.7aji...$..q..n._.....t..Mb....WY..........E/
.....u..%..Z.U..a..7.k.....k&.Q...:.D*...4.....B....6$ZN)..A.@.=..qd..
( oGw........'.o...\K(.pl..........Svs..i.y]._..q0F..



POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 148
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3530\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3531\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:05 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:05 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 183
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3532\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:05 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:05 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 219
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3533\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:06 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:06 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 219
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3220\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:06 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:06 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3412\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=1&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:06 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:06 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3413\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=2&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:07 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:07 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3414\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=3&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:08 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:08 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3415\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=4&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:08 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:08 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3416\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=5&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 249
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3650\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=9&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 250
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3652\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=10&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:09 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 266
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3654\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=12&command_parameters=/start /ch=CO18&vostage=main&reason=00:50:56&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:24 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:24 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 250
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3655\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=13&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:25 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:25 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 257
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3675\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=21&command_parameters=/start /ch=CO18&vostage=main&dloc=1&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:25 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:25 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 223
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"2066\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:26 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 223
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3510\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:26 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3534\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:26 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3638\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:32 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:32 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3637\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:32 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:32 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3502\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:32 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:32 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3503\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:33 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3504\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:33 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3505\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:33 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3506\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:34 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3507\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:34 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 188
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3508\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:35 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, 
X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *
..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13
:35 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-a
live..{"Status":"OK"}....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 223
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3527\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Sun, 26 Apr 2015 03:13:35 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}..



GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/progress.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: fJIiuJo 0/ih6f3fHKFgHw==
Content-Type: application/octet-stream
Date: Sun, 26 Apr 2015 03:10:08 GMT
Etag: 0x8D218DF91A5C530
Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 01583424-0001-0048-20ce-7f57ad000000
x-ms-version: 2009-09-19
Content-Length: 85732
Connection: close
PK..........=F..?.....F.......index.html..io.6....?0\..H-...$..6M..k. 
...).J.-:2.R.. ...#uQ...i;..h..|.)g...g..\[email protected].|..K&C:q...X
XPI.....S..c|.qI..\...#/.5..~.C...y.......o..a.X..-....{I.....'...I@..
(.t:..6......d.O.X.Dxc<O..O).w..=:......<..K.....c.{..4..d....^O
....!.E4.4I.KD6.$...K..DR4FR....*....$.......h...v"....n....}H....F._.
}....*.... .^1_.V........9....K..X..x..4....}E.!q.bSd.zW.=Ae*x.....a.^
].cP#`>[email protected] Da. ZU......?..^F..&..^..1...0Q.4a6.k......0....Q..
.....5.. G-.2G..!:xz....c[.j.....8..........X1.G .(P.Ih.8........l8..,
..2.%..K.....D.!....@4...}.7.#.r.N..>F....L..."[email protected]
.s..T."...wbln.-.hfA0...:.m......J.........4.......%.eR...K...V\..W>
;....j.,.......u.k.O..jc.@>S...%2.=..]......R..TaP_s.. sZGzX.$..B.W
.m...3...b...&X.U....Y..E.8.....U...u/.."Z.....:.WFjIy....9..ut......d
{.U2...6...;p.W....m._./.Lw@v._......[.!..M|...@G..._G .F./,..7..K.Gq.
p.`.1W...p.....TK........'...t.-....c.#..,../..En].D...|G...%.......Y.
[email protected]..:[.<I.D..u.T(.......v......0...8.|..8...../*..
D..me.1.%...GXu..n.0...9......).;......."R:NW.[.[z.[....5...........n.
.......p..#.[.Pn..lFs..F.RPL.m.rv..).......Q.....%;...>BC...Q.yKe..
m}O...0.._l*....yd......9.~.....v.Ot-<..*.........v..e........,.#..
......bH...c.Y.s.c....S.........a<N%..1V..b..1..=..z.n..g..73.1.=2.
..NT.B..pr.S./.....p..g.i..I@...:....qe.u=Z.c..E.6..).K|T. ..p^li=....
U{.o..%E.`.!...^..T14..b.Vi..c[. .?.. .X...F-.T.W|7...f.e..Wd.y-..h|.7
..7 .1k.#.p^..=..Fm..s#<K..(.-Y...k.. ..."..Y..7{.....wk....o..
<<< skipped >>>


POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: WinHttpClient
Content-Length: 113
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceAction":"--speedtest"
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:44 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET /COMODORSAAddTrustCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.comodoca.com


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:11:45 GMT
Content-Type: application/x-x509-ca-cert
Content-Length: 1400
Last-Modified: Tue, 30 May 2000 10:48:38 GMT
Connection: close
X-CCACDN-Mirror-ID: h6edcacrl6
Accept-Ranges: bytes
0..t0..\.......'f.V.I....p...."0...*.H........0o1.0...U....SE1.0...U..
..AddTrust AB1&0$..U....AddTrust External TTP Network1"0 ..U....AddTru
st External CA Root0...000530104838Z..200530104838Z0..1.0...U....GB1.0
...U....Greater Manchester1.0...U....Salford1.0...U....COMODO CA Limit
ed1 0)..U..."COMODO RSA Certification Authority0.."0...*.H............
.0..........T...V...$...Dgt. 7.}#p.q.S...*..K..V..pr.a..K...=...a.....
..>..>\...4z..k......zv.q.......l......~..../O.....gCr......k,..
.....~..n.....$.Ckb.U....l........li..xH0E....<E`.2.Q'.g....k.F.. .
..e.H...N...F7.....HCgNr*.\.L.(.\"{......Q...FNm>.....|3WA<.Q...
\.,c..W.?..]...E...Z$...V=.o..IX........7.....:..CB...........`..(V...
...q....=...H.<...."L....V;....[..."R...i..Le...-pt...g.)iR....PjUF
...(a.p....,!.G.(..Ev...'[email protected]:.\.A..c..qk ..
..1\:jG..yY. ...j..r.WJ.K.....LA...=^(.....Q..G..S........0..0...U.#..
0......z4.&...&T....$.T.0...U........~.=...<....8...22.0...U.......
....0...U.......0....0...U. ..0.0...U. .0D..U...=0;09.7.5.3hXXp://crl.
usertrust.com/AddTrustExternalCARoot.crl05.. ........)0'0%.. .....0...
hXXp://ocsp.usertrust.com0...*.H.............d..._......)W..Z...>.v
.n.Rp..<.M.tj...%...*]L....m.T.u..'.][email protected].....;.....4.~ .y..WE..(
....P.....Wi}..R.s......nf.....-....Y.L...qL|G.;.....l.>\.........H
M.....s...{#....MU.zaE..h.^@k#.yz...k..oF.{.=K....YZ.A$....`XG..nF....
[email protected].............;o.8o..
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 413
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:20 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:11:19 GMT
Connection: close
Content-Length: 0



GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1
Cache-Control: no-cache
Range: bytes=7599136-14682175
If-Match: "530494e7-e00840"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.soft-ware.net
Connection: Close


HTTP/1.1 206 Partial Content
Server: nginx
Date: Sun, 26 Apr 2015 03:13:16 GMT
Content-Type: application/octet-stream
Content-Length: 7083040
Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT
Connection: close
ETag: "530494e7-e00840"
Expires: Tue, 26 May 2015 03:13:16 GMT
Cache-Control: max-age=2592000
Content-Range: bytes 7599136-14682175/14682176
..<.`.n..B5..C........:..........S..k...~...>B%U./|...`..I.ll..P
.u...iB..|..W..P...k.3..t..ADD{..n@A.[...T.#N.....%.......<*Q..L...
.(.2._...:..`........q.u.W^=....O...r...,h......t.....P!X...C{.n...#N.
y.i'...1(........5c=TGpD.....^.B..`......\.\..d..{z.l..0.vh..B.Pn..h.J
YM....=`.....z.IW..\....n.T!GR.......iP...1...fo.......aR....y..X]..EG
..A'.N"D....m..?..M.N.[N.f...kQ[m......].[..;.......0.............lL..
Bv. ..B<yp.-.."..7.....f...&wO$..{(@ .z:.T5.R.{d.v..m....kM..~...'.
..~.?4..).Bd......].P..%..T*....l..[.....R........~..g.......J...H...~
tT0....V.j.)3......rd._..E=H...h:..1...Ez!.Jp.u..**F .l(........S/a...
.EU.(/.c....{..5..T....-3...........q...1l....JT.@B!.q..Q. ..6pYr...G%
...X..*.5..".8.'1...q....F;(.....=...3.....L ..i.MG.]..U..L.].....Lh.S
...X.].4.1..X......m8.$iPLu..[.q..9.{`..6.k.FY.r.uy....)....s..K..@...
w.*n......Ql..lx..7...bD..)...!.`{..<../8E&T.rz.&...]........R..!. 
.....m.l.r..].y.g ..b..Tv..t..S.$.&...F..<...w.i!.y.....|..0&....,.
I...$...c.......9wV....p..wQ]\s...).....D=...._.. X.....tx:..*_...hw..
...~...4...0..G$s..W..o?.8=X|_...(........x:u,jR$[&S.7.@?..-up...#.b..
.h:]R.5)...H.y......[./R...*.=..E'..^....q..... N..h.(o=.....b....ls..
................{...W..=.....g..\;...c.|.#.k..............wH 4.r.g.]..
..K.... ...Rr.h?.sn..#...1^S.......U.G...v..~.a.v..O,Z&..|....[...p..V
z...ej.q.g.q..iJ..'!.. .qa.F...e.n......]c..Rm........V&.,..`..n..p..G
%.).z.C2VW_....m.j.....0..8.m.......QD..l#.R...R..r..DO..A..m.Wj......
.....d...>.S.a.......SNc........g.g....l..[.z..q..3DT..6`..X...
<<< skipped >>>


GET /getsettings?query=nS4a1/oVbU6Q99uIRNKVE+/vPOOkGCX04WBXR7pdK/UKcGWB+Rqy0NTAeyD4Sb/ziarEhWj7HN5nXXj2qWaNwxVXn6EikLycAMKB/i3j0PQE9RFK9YaMPY1tOXp7CoA5I0G8etbIuG9ofZP1IeMKZP4ShkeXaNCevjkr0AZe+vo= HTTP/1.1
Connection: Keep-Alive
Host: dt.web-search-home.com


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 26 Apr 2015 03:13:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.3.15
Set-Cookie: PHPSESSID=8n9t762i99mdunrqb7q2iha045; path=/; domain=web-search-home.com
Content-Length: 54060
BgJdlSPe24tHz9J/E97T4BDe92S9A71i36gQ4DJZdX/LSknzlGjR/9vR6FQP0845 X23TG
NFYdAq3iFB2MfphSIxDQg31SyUxnsLWO 7aROBtZTruqkvJxlmWeGchDnnqJLV7uuu8/h5
AEbsejilcUz7bBSksdFi7TD1J1i103mGwvcrc9hwjq9W5YT E PihjARI43nSNiUCGeNk 
mnRJ4kR1zhx2tcxZaP vFyIzEkV6oKiAsqJH8gM68vrY7uaHGR2/OtPCwEstfg/UZuWvO4
f8A 1fHXKMZ9tizYnVK5m8t h6ns7qVYlR5wHxxMN68hnOuJvMvArTFd2gDrolt7Luh02q
7C19zw4  c8RKJY2tJ8AUmtuLuOf/aBf0nOa/QeGoao6WCxbouws0vWZgRMVxqXqyjQ9/g
qNu8Dyudeke/oqGNM5/tM0CT73NE 0xlWZzjS1JXeLn9FfDkCBauaBDQXa41mXhhcmaxzn
d5vmvjoEeEO9qfiYMmyo/LTbyQ5p4hjWR2IMzVAQ9oWyG5jcmoBBQVtfgdDJo59UnXy5pk
vS8RgrCIpBiOgK9fgc2Rh4DjN6HR4hBGAIzb91vlZEOZz9FSdEQhx4/fYbJlN3eFqkH7bD
yuPvtjjbfW3TNq5aJAyKBlJEJ9Pr3JW/JJliOz zJfmHrpjlXHhXRBpk9BGFlOm7BCorwF
BWFiqa3lMXW5Mo6ZRzkevDI834hNO7jFmRXv3FYmIplgndkFRvQ1wn42J0LTSyfuVeJOQ6
lQHy1ySUvt2N 4FJxwmgzsZ6zT RPSE2Mjq1 1miOXmzK8FhHP2EUn IzlUCVdF7FxM4lM
0153021acbhFgLvcY5J87g9mld2VEm0tQKbEkvjZBN876/LQ86A2Ppdmj4vm997Z9W64XI
iP7MpaSt6qcdUz0Uffj3QD9rm9K6glVFL0fRddPJ4JhlRS8uGEH20ZfegHLBMYroeHfR7f
aDkhkn3bo1e9CD4H2x tq1kunUEW4dngu4rOecZ/HbnZYrYeNNtFowc8gHoobe 7pKRvCx
 n9PIyNygVgJ7TAuR903AkT3s LUzMRNuPj7DA/JD/LgxdisER/bjphGwWPKrsA9j0mO3i
NWo0x4xd9PtGYlKMHINdZppsdQfCIGLgrudhZ2yBGVklUy44OGcoJigk14nuTqS2IyngQH
r2mBsuP8O4eGZKBVIdoHTL39qRLHQ2YsLVrkdFr2xjaGmo2h1Mjd8QLgWzWgeit48Ug7jn
jM5o2BKKse4tqRqIGQuTI2gQCX8f15bwT0qL8QMBXDP2Ed9pDpRFcLBAHd6kYjTwIGA5d1
WYNJrdKZzejzMKm6nGz3tANZTKcft1j0B iV6FkW0vL3SCjeN0HWrHfRDh QMx2Rxd/VPo
E1oX9ecx7Ft iZP7lMtKyuFbYzyYsqrLhiYS8Gm8RBP1IwjbGSk9LClw2Dp1jM6ciTrf9s
yQORFUWcEYFSzFpxHltm2NmhYTwQhmpfHKTL 3XAl/1IiT/7WRKR319gZK7YPwXTTr
<<< skipped >>>


GET /root-r3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.net


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:14:43 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 594
Connection: keep-alive
Set-Cookie: __cfduid=da63f65db910aeeeb6637ef4c2b031fa41430018083; expires=Mon, 25-Apr-16 03:14:43 GMT; path=/; domain=.globalsign.net; HttpOnly
Expires: Wed, 15 Jul 2015 00:00:00 GMT
Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT
Cache-Control: public, max-age=6900317
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1dcf1e8011e715d7-FRA
0..N0..6...0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U.
...GlobalSign1.0...U....GlobalSign..150323000000Z..150715000000Z0..0*.
.......1..F...141125000000Z0.0...U.......0*........%[email protected]
Z0.0...U.......0*........%..D...141125000000Z0.0...U......../0-0...U..
.....0...U.#..0.....K...E$.MP.c.......0...*.H...............Z.v..&...B
.....x)....'.u.}.r8.. ..i.......-..........@.:.5.v..?.. ....~V.=....R.
 .....rS....t.T_.....Y.R......p OS..2.s........(C.e.x3.#.d6L.d=.UI.;T.
.G...mx....... .......-........-.....J....$.Ko.e#......3....*..3.s...0
.........N..W?'.U...f..h..e...m.9.HTTP/1.1 200 OK..Date: Sun, 26 Apr 2
015 03:14:43 GMT..Content-Type: application/x-pkcs7-crl..Content-Lengt
h: 594..Connection: keep-alive..Set-Cookie: __cfduid=da63f65db910aeeeb
6637ef4c2b031fa41430018083; expires=Mon, 25-Apr-16 03:14:43 GMT; path=
/; domain=.globalsign.net; HttpOnly..Expires: Wed, 15 Jul 2015 00:00:0
0 GMT..Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT..Cache-Control: pu
blic, max-age=6900317..CF-Cache-Status: HIT..Accept-Ranges: bytes..Ser
ver: cloudflare-nginx..CF-RAY: 1dcf1e8011e715d7-FRA..0..N0..6...0...*.
H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0.
..U....GlobalSign..150323000000Z..150715000000Z0..0*........1..F...141
125000000Z0.0...U.......0*........%[email protected]*
........%..D...141125000000Z0.0...U......../0-0...U.......0...U.#..0..
...K...E$.MP.c.......0...*.H...............Z.v..&...B.....x)....'.u.}.
r8.. ..i.......-..........@.:.5.v..?.. ....~V.=....R. .....rS....t
<<< skipped >>>


POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: WinHttpClient
Content-Length: 104
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","SpeedTest":"Silent"
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:45 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/base.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: yfeb6HeSX7QcohHPlnHtCg==
Content-Type: application/octet-stream
Date: Sun, 26 Apr 2015 03:10:09 GMT
Etag: 0x8D218DF9198F3F0
Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: e4e619cd-0001-004c-62ce-7fa22f000000
x-ms-version: 2009-09-19
Content-Length: 34496
Connection: close
PK.........`nEP...............index.html.VQ..8.~...a..........&=q.Ew.`
.....M..wS;........N....p.....=.?.3cO...W..O....y1~.(n.A.#..F.[a.....&
gt;~.....r2...?W.!a.%-J;.Y.. ......F5...9..m.........B..%.f~j...E..].h
rD. .8M..E.7.gE. pDM.Ei..4aw&..\.^....a.,.....F.......k..*[.AL5.#|u].B
d6...g......Q.r;....}..}kW.,.r6.ac5.z&.h.1..v..../.V2.BI.R....k.3.Vs.5
...,.n...;.1......H`!d..!I.Z.".e..5.9...o.....0...{ga..5.m&U.q.. ..z.k
)..Z...I..RQ.It..jN......."#....zwRM.v...B.\-...bo..%uk.@......}....l1
[email protected]..#.w...........G.:9P.X.-......
......>4.........;.............g} p..G5O._...d.t#`..e..|O.H.vE..VZ.
...[?...@#................Ai......q#..*....,j.wY.......O....).0.i....H
...e........v..N.o.J.7.gn..\U.;3... v7....Y..Eu......H.n.].T...P.....g
...1au..|9.Jb.N.........-l0B....\...*.9n...Q.JSp..{.z..Q9...%.....0..W
..ug......q.G.L....]%lg6.<qD<v............k%_j....TMc.....2...G.
...{.T7..k...C2.'.9....T..Tj...:N.C.M..?..C.DD=...mR:.uD.Ymd9..qYp..qS
z.J&_>.J.>.V.-?......U:C..!...*..$B..uA.5...PK.........`nE....m.
..5.......css\style.css...n.0...C... [email protected]..&..H.(...../M...]......
.......4q.......n..YXL...x4k....g<z..v..X.,.(...q3*.7&./M.2T..P.,-H
.....L)YT.....y].>.p......)Y.....|.) U.oCp&..Y./....EL...q..m......
..C....s..;[email protected]....>..=5..".....9...5O.d.;d7K..h;.aUH.'.. .
.K-.u.s4nX'. ...W.|...6.W.W........?#...............Q.^..y.h.m...n.4L_
.i=.....................R._A....W.... sC.1]V...PK.........`nE.H}.1....
k......js\jquery-1.10.2.min.js..i....0.}[email protected]...'.]....N....;
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=364887, public, no-transform, must-revalidate
Last-Modified: Thu, 23 Apr 2015 08:35:12 GMT
Expires: Thu, 30 Apr 2015 08:35:12 GMT
Date: Sun, 26 Apr 2015 03:15:10 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015042
3083512Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^[email protected]...*.H........
......_J.r.R......~..^'r...w..H-C3.].Y....1.X.j .........Dd..........z
.*.B/...V....WB.q..9....mY.<.$...]........r.D'.....mm.....lHp......
[email protected]>.......R..'.!.........i..^......h...AB.....IJI
.......).8~...dC*7*.?....l.....C.'Lb...,...N....;../W.......#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>


GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQD+rJ0jfxxchg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:14:58 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=121159, public, no-transform, must-revalidate
Last-Modified: Sun, 26 Apr 2015 02:40:34 GMT
Expires: Mon, 27 Apr 2015 14:40:34 GMT
ETag: "3111f9e04d8ebef8ea6a55fe00deee5518579974"
Content-Length: 1788
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizo
na1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Vali
dation Authority - G2..20150426024034Z0l0j0B0... ..........._lkv...8..
f..R34N..@..'..4.0.3..l...,........#..\.....20150426024034Z....2015042
7144034Z0...*.H...............Q.D1..f...@h;R.|.O......CO*...P.<...v
..6.q.........^..r...!o...yk.t>65h.z.7k....O...].5t*.E......"$d.[..
.H'A...G%b.C.k;=|..{;*sqi......i..S.}..A.7..... @./}.j.3E.P.~\... ....
b..y"...y.J...w!..Ea{..5....Vir...ih.}..[......J..Su.....V......5.e..A
..q..[uB^*....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....
US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1
-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secu
re Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U
....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 
0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0..
.......xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D
....l=.HS.N......A..;HTTP/1.1 200 OK..Date: Sun, 26 Apr 2015 03:14:58 
GMT..Server: Apache..Content-Transfer-Encoding: Binary..Cache-Control:
 max-age=121159, public, no-transform, must-revalidate..Last-Modified:
 Sun, 26 Apr 2015 02:40:34 GMT..Expires: Mon, 27 Apr 2015 14:40:34 GMT
..ETag: "3111f9e04d8ebef8ea6a55fe00deee5518579974"..Content-Length: 17
88..Connection: close..Content-Type: application/ocsp-response..0.....
.....0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona
<<< skipped >>>


GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.wpm HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"0.61 ms","message":"store 1 action and 0 upd
ate "}..0..



GET /0.gif?2920545&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:13:08 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Set-Cookie: CountUid=b3ea9fc7-f8pi-4cbb-9ea2-8658212e6140; domain=.histats.com; Max-Age=31536000; Expires=Wed, 13-May-2015 03:53:37 GMT
GIF89a.............!.......,...........D..;..



POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: WinHttpClient
Content-Length: 100
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceStart":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:44 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.RegWrite HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926
Host: xa.xingcloud.com


HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 26 Apr 2015 03:11:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
xa-api-version: v4
48..{"stats":"ok","time":"1.23 ms","message":"store 1 action and 0 upd
ate "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 20
15 03:11:18 GMT..Content-Type: text/html; charset=utf-8..Transfer-Enco
ding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api
-version: v4..48..{"stats":"ok","time":"1.23 ms","message":"store 1 ac
tion and 0 update "}..0..



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 414
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckSuccessful","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 0



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 378
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:58 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"DownloadScreenShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:58 GMT
Connection: close
Content-Length: 0



GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 791500626200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Sun, 26 Apr 2015 03:11:25 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Z0... .....7......150712164223Z0.
..*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w...
 ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..
Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2
.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b.HTTP/1
.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Tue, 14 
Apr 2015 05:02:07 GMT..Accept-Ranges: bytes..ETag: "2711f7277076d01:0"
..Server: Microsoft-IIS/8.5..VTag: 791500626200000000..P3P: CP="ALL IN
D DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT CO
M INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length:
 554..Cache-Control: max-age=900..Date: Sun, 26 Apr 2015 03:11:25 GMT.
.Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0.
..U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0
!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0.
..U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... ..
...7......150712164223Z0...*.H.............WK....e.\.-.n......./......
."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._
.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x....
..W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t...
<<< skipped >>>


GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1
Host: download.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=900000-1199999
Connection: keep-alive


HTTP/1.1 206 Partial Content
Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT
ETag: "4b1e700-2dc5623-508c5f506dac8"
Server: Apache
X-Backend-Server: ftp3.dmz.scl3.mozilla.com
Content-Type: application/octet-stream
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
X-Cache-Info: cached
Cache-Control: max-age=110518
Expires: Mon, 27 Apr 2015 09:53:04 GMT
Date: Sun, 26 Apr 2015 03:11:06 GMT
Content-Range: bytes 900000-1199999/47994403
Content-Length: 300000
Connection: keep-alive
d,.f.\s..H.vB9..b.I`.b..8%..g..m....x..*.....{....?..u;f....._nU._....
..y q....].~..N...=....c.:..wuz. g...O?....*-..U..,..]u.iE...9..s.gN..
5.A.v....;BK..H.....>.J..T.n.#. .......^:...9.giR..h.s..dX[:..D..3.
..I.`.5..pb.s.-..........P...M.3.,.Z.....t.&Z$nJ."o'.\..O.h.B,Y.......
W.........!<.eu.BWsJ.=...Z.l....~..l'...l..9l|....d.x....Fw.B.Gv8..
..2.XJ.Ed..r...V.J.%.$.~^..N..b.....!..w h-..3.......C[m......R.*/[email protected]
Jg..L.......t.#A....X......D.B.....w.d...$6....8.I....GP..e...o\.UJ.u.
.yX.I....c..<KG..T......L..mT..,7rA..g..".?....../.&...dI......&.. 
.k..p.....s..J\..J..p....!.1(...U...A=.......D.....{.H.....v..5!..w...
....&.s|......=...V...Ig..Dp..@k..*...o".......Q..r..l]u.u/...(.i.....
.(..j........1.g7..f._N..eVm..~...)%.hX0Zm............z.w...R.".^.hI.Q
..nZ@..|[email protected]..._.....(!$....gR..;O.$$#...w.{.k.hB.4.?.
....u.$...&}.......Od.. ....".......;[[email protected]$.n.[...B?n.....
.$.\%2........!S...l.(.k...:......c...h.f/...x..VZ..A..R*~....dHh.....
9...I.m [email protected]<...i.v./-.\-......d..~h..H. ..6.M
..0....Z.A.T....N..K @....j%....U:.^..z...~.I.....F"..J...`.......1F$.
..s.D......x$O6....;r.P./.es4.*......n.{g._.U..R?(......|.....B.......
m.N....p&.Z......*..ZQ..VR..[..8@".1xy.P..........z.n^.<....^...n3.
..1...'Ki../[email protected]..<.M$..2..|.v.n/6...V.
.......lE/......w8-........-R..\e...WA...756.H.]/d.....-......'.......
.. ..4J@.<.S.4....Fu6%...du.iP.....*>........%/..>#..}....._.
..c.b.f..!...D%L...../.......,...o&u...#..1...Ex.k.P.. .S.J/......
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 414
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:35 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:13:35 GMT
Connection: close
Content-Length: 0



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 420
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckSuccessful","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 0



POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1
Connection: close
Content-Type: text/plain
User-Agent: WinHttpClient
Content-Length: 102
Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceRunning":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:44 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET /SysInfo/count_vn.php?ch=test HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:12:24 GMT
Content-Type: text/html
Content-Length: 45438
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.21
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
...p..................................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
.......p.......z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>

GET /SysInfo/count_vc.php?ch=test HTTP/1.1


User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:12:39 GMT
Content-Type: text/html
Content-Length: 98816
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.21
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......v.<.2mR.2
mR.2mR.]..."mR.]....mR.]...QmR.;...5mR.2mS.fmR.]...1mR.]...3mR.Rich2mR
.........................PE..L......T.....................r......pH...
.... ....@.......................................@....................
.............L[..P....................................!...............
...............8L..@............ ..D............................text..
.{........................... ..`.rdata...B... ...D..................@
[email protected][email protected][email protected].....
.........@[email protected][email protected].................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U.............rA.3...$.
...S... A.VW3...JA.9~.u9h.....D$.j.P. ........Qh.KA..T$..L...h.JA..L$.
...........h.........;=..A.v...$...._^[3.3..a4....]................U..
.M..E.PQjdR..5.....].........3...............U...E..V....dKA.t.V..3...
....^]..........j.j.j.j.P..8!A..]..u...........t).N........u..........
F........u....B......E...u...t).N........u..........F........u....B...
...E...u...t).N........u..........F........u....B......M.Q.E......1...
2........t).V........u..........N........u....P......E...u...t).F.
<<< skipped >>>

GET /SysInfo/glob.php?ch=test&sof=4 HTTP/1.1


User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:12:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.21
0..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 26 Apr 2015 03:12:54 GMT
..Content-Type: text/html..Transfer-Encoding: chunked..Connection: kee
p-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5.21..0....
..


GET /vuupc/stats.php HTTP/1.1


User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 26 Apr 2015 03:13:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.21
e..21430018110LP7..0..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 26 Ap
r 2015 03:13:31 GMT..Content-Type: text/html..Transfer-Encoding: chunk
ed..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5
.5.21..e..21430018110LP7..0..



GET /?product=firefox-34.0.5-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=900000-1199999
Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1
Connection: keep-alive


HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: bouncer4.webapp.phx1.mozilla.com
Cache-Control: max-age=60
Content-Type: text/html; charset=UTF-8
Date: Sun, 26 Apr 2015 03:11:02 GMT
Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
Keep-Alive: timeout=3, max=489
Content-Length: 0
Connection: Keep-Alive
X-Cache-Info: cached
HTTP/1.1 302 Found..Server: Apache..X-Backend-Server: bouncer4.webapp.
phx1.mozilla.com..Cache-Control: max-age=60..Content-Type: text/html; 
charset=UTF-8..Date: Sun, 26 Apr 2015 03:11:02 GMT..Location: hXXp://d
ownload.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US
/firefox-34.0.5.complete.mar..Keep-Alive: timeout=3, max=489..Content-
Length: 0..Connection: Keep-Alive..X-Cache-Info: cached..



GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Sun, 26 Apr 2015 03:11:56 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Tue, 24 Mar 2015 05:02:25 GMT..ETag: "a1132b8ef65d01:0"..Cache
-Control: max-age=900..Date: Sun, 26 Apr 2015 03:11:56 GMT..Connection
: keep-alive..



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 371
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:07 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:10 GMT
Connection: close
Content-Length: 0



POST /config-from-production HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-configs.buzzrin.de
Content-Length: 219
Connection: Close

{"os":"WinNT","osver":"6.1.7601 (Service Pack 1) SP: 1.0","lang":"en-US","uid":"c0322acd-5e5d-42f0-b163-c591ee6ff5b9","prod":"soft-warenet/1.0/campaigns/product website/","expiresOn":"2115-04-17T05:29:59.9719135 00:00"}
HTTP/1.1 200 OK
Content-Type: text/plain
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:08 GMT
Connection: close
Content-Length: 10123
{"certificate":"cyberservices","productSetup":"downloadguide/temp/e4b8
f397-103f-4dc2-b462-a5bf20471890/DoNothing.exe","windowHeight":389,"wi
ndowWidth":506,"product":{"version":"1.0","displayName":"Soft-WareNet"
,"installCodeJs":"","installTest":"true","files":[{"url":"hXXp://az687
722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default
/campaigns/product website/exe/DoNothing.exe","localFile":"DoNothing.e
xe","cmdParametersJs":"","fileType":{"name":"Product","assemblyQualifi
edName":"Freemium.Domain.Campaign.Product, Freemium.Domain"},"etag":nu
ll,"hash":null,"isExternalFile":false,"region":"default","version":"1.
0","id":"donothing/1.0/default","name":"DoNothing","isEncoded":false}]
,"uiFile":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/s
oft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow
-5-text-en-us.zip","logo":"hXXp://az687722.vo.msecnd.net/public-source
/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/D
oNothing.png","installationPath":"","infoText":"<p>We will not s
ave either your IP address or other user data. We will only evaluate a
nonymised statistics for the optimization of the usability and our pro
duct. By using the downloader you agree to the usage of such data acco
rding to our strict privacy policy guidelines. Please read our detaile
d licence agreement (EULA) as well.</p><p>In order to fina
nce our service we permit software producers to advertise their produc
ts in the downloader. Before the integration every product of our 
<<< skipped >>>


GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/websearches-single-text-en-us.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: t5d9xFrjre0T4zeVhcBpwg==
Content-Type: application/octet-stream
Date: Sun, 26 Apr 2015 03:10:09 GMT
Etag: 0x8D2292EAEAAFDBD
Last-Modified: Tue, 10 Mar 2015 09:49:48 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 4587b7e4-0001-003a-71ce-7f2693000000
x-ms-version: 2009-09-19
Content-Length: 40632
Connection: close
PK........'f[F..U...... ......index.html.Z.n.Ir.[...}...u.(.... J.%.6.
K.Dj.'....&..pf.{.4....I.....(y.|U.=.R?,....Lr......=...bx>.p...r..
..?u..^w.dB_....Su.=t..h.J.-eq..\..It.g......P......T..Cby,..4V.'.....
...Tgw...O.[........T..Re$.FMO".....Q.:.66.(.5.I...~.s.....s......Y...
...5.....Z.*.K.g.}..~...F...2.D.....|..8e2.vdQt...B.l...Ty^......Z.Tk.
.\::9v...?......2...;.<.lk....8..]..G...(...K....$.....}z.......:..
l...-...$.9(....l)...JS......,...z...er...a...*J..1.&.g.n......h......
.}...f....S...l.......u6......Ee.,.k..!.Z...?_f.X...9[..V.T..>..q.[
E5r..B.Y.-..O..........=...M.$.: .. '.>.!..D.P...8..:Q..r...v .....
s.z...|..W.....m........^.|.,.H.z.Y..w....R.9.OT.......I......|C[.<
.....D....~.t.6s$.r}.&A...o`D~.E....\...G....".....!...^tpAm....i>.
.*...".?H...BL...=....O6.P........xn.. *...V.V.[...Z/...O...DDDq...4g.
...,.....~U..zA!.. ..K.5.%[r3&2...qexe.%..N.....!......evR...9..x....v
.....zA........<......(yW...j.6&....d..88j......ai.......c..5..y.@7
..6..M..&G........OL...s!4.z!........k..|./.....e....F}.$2..E.....q.$.
V..4;..'.....#.@..*...~......o.,U.........U..~..?;.Rb8mEt....!...N....
...m.4e?..y..[....5.UZ..|e.!..x1..L....Z.b..6.......;....3.R..H7S.D[.#
.&F..[...O.Be.....H.R....$Z.(..[.ZI...z1;.k{]..:9.....HR.O.?.[$.J..%..
[v......{.U........;9..P=7...ic.....2i<...HU...=.8.H.......yQ..._..
.....zu_...O.a..A.........k..U..s.X...,1.U..o[$.....Y"2....t....{.%:.F
hw~t:..\..........f.8.~...........}......"..{7.....}.g....>..Wo.c0.
..g..........|x5....X.]....~...5....~.J./.D..,Gd..;...J:........!.
<<< skipped >>>


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 406
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:45 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferAccepted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:10:45 GMT
Connection: close
Content-Length: 0



POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 380
Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:37 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductInstallStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 26 Apr 2015 03:13:37 GMT
Connection: close
Content-Length: 0



GET /gs/gscodesigng2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.com


HTTP/1.1 200 OK
Date: Sun, 26 Apr 2015 03:15:01 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 3023
Connection: keep-alive
Set-Cookie: __cfduid=d4aa5625df3b911142708b6d8e18392451430018101; expires=Mon, 25-Apr-16 03:15:01 GMT; path=/; domain=.globalsign.com; HttpOnly
Expires: Sun, 03 May 2015 01:00:00 GMT
Last-Modified: Sun, 26 Apr 2015 01:00:00 GMT
Cache-Control: public, max-age=596699
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 1dcf1eeb52e00f75-FRA
0...0......0...*.H........0Q1.0...U....BE1.0...U....GlobalSign nv-sa1'
0%..U....GlobalSign CodeSigning CA - G2..150426010000Z..150503010000Z0
...0#...!......{O...f...D..120801152402Z0#...! ......eq.8.\..v..121119
212403Z0#...!.#.... ...;.h..8..121119212406Z0#...!....:...#f5&u..i..12
1119212410Z0#...!...J~.^.t.........121119212413Z0#...!r.y.....5=..h([I
..121119212416Z0#...!...T.}......td.n..121119212419Z0#...!.e....U.G...
......121119213604Z0#...!qiS13S... ny...#..121119222403Z0#...!U. !..QQ
....~..'..121119222411Z0#...!...ta..mXks.`7....121119222413Z0#...!....
:,.opI>...b...121119222415Z0#...!i...d..........X..121119222417Z0#.
..!..........-..'....121119222419Z0#...!.{U.s.J..|.G;.....121119222422
Z0#...!....7M........./..121119222425Z0#...!......tu.......-..12111922
2427Z0#...!..........m.......121119222430Z0#[email protected](S<....k....1
21119223603Z0#...!H....{.....>......121119223613Z0#...!_...Lg....s-
.k....121119224803Z0#...!......iS...2{..A..121119224807Z0#...!....E.i.
..E.\I ...121119224809Z0#...!....j.Y....%u..d..121119224811Z0#...!S...
...c.......,..121119224814Z0#...!I.d.6..q..........121119224816Z0#...!
.7T..T..E.........121119224818Z0#...!.8V...|.c.1.<..$..121119224821
Z0#...!..5H..A.PA".......121119224823Z0#...!..9|....p..A...~..12111922
4825Z0#...!...z..g{g.Mt..G...121120180003Z0#...!5....u.H.5.n..K...1211
21154803Z0#...!a. ..5.Q.....g.Y..121127202406Z0#...!.9...^............
130118021202Z0#...!.g.|.d..-,...A....130201163603Z0#...!......R..B....
.h..130212223046Z0#...!....oL$Ds.|...IN..130327184808Z0#...!,oYM;.
<<< skipped >>>


POST /upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=8d24dff12ad36c6
Host: 151.236.26.173
Cache-Control: no-store,no-cache
Pragma: no-cache
Content-Length: 104857685
Expect: 100-continue
Connection: Close


HTTP/1.1 100 Continue
....




--8d24dff12ad36c6..Content-Disposition: form-data; name="data"....aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
<<< skipped >>>
HTTP/1.1 200 OK


Server: nginx/1.2.1
Date: Sun, 26 Apr 2015 03:12:13 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type
raw-nginx-upload: 1
size=104857685....



POST /log?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1
Connection: close
Content-Type: text/plain; Charset=UTF-8
Accept: */*
User-Agent: PCSUInstaller
Content-Length: 124
Host: VVV.pcspeeduplog.com

"productID":1,"version":"3.9.8.0","uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","Start":1,"OS":"6.1.7601-SP1","silent":1
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 26 Apr 2015 03:11:21 GMT
Content-Type: text/plain
Content-Length: 17
Connection: close
Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT
ETag: "52094f9f-11"
Accept-Ranges: bytes
log completed: OK..



GET /msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?fb2283c00361ac01 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 867
Date: Sun, 26 Apr 2015 03:14:43 GMT
Connection: keep-alive
0.._0..G.............!XS..0...*.H........0L1 0...U....GlobalSign Root 
CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...090318100000Z..29
0318100000Z0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.
0...U....GlobalSign0.."0...*.H.............0.........%v.y.x".......(..
.v....r.F.C....._$..K.`.F.R...Gpl.d...,...=. .......y.;..w...I.jb/.^..
h..'.8...>..&Y.s....&.....[...`.I.(.i;...(....aW7.t..t.:.r/.......=
...3.. .S.:.s..A. :......O..2`.W....hh.8&`u..w..... [email protected].^....w.
d.z._....b..l.Ti....n...qv.i.........B0@0...U...........0...U.......0.
...0...U........K...E$.MP.c.......0...*[email protected].
...A.....(.3.k.t...-..........sgJ..D{x..nlo.).39E....Wl.....S.-.$l..c.
.ShgV>...5!..h....S......]F...zX(./....7A..Dm.S(.~.g.........L'.L.s
sv.....z..-....,.<.U...~6..WI...-|`..AQ.#...2k.....,3.:;%..@.;,.x.a
/....Uo.....M.(.r..bPe.....1....GX?_HTTP/1.1 200 OK..Content-Type: app
lication/x-x509-ca-cert..Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT.
.Accept-Ranges: bytes..ETag: "05934e1494dd01:0"..Server: Microsoft-IIS
/7.5..X-Powered-By: ASP.NET..Content-Length: 867..Date: Sun, 26 Apr 20
15 03:14:43 GMT..Connection: keep-alive..0.._0..G.............!XS..0..
.*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1
.0...U....GlobalSign0...090318100000Z..290318100000Z0L1 0...U....Globa
lSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0.."0...*.
H.............0.........%v.y.x".......(...v....r.F.C....._$..K.`.F.R..
.Gpl.d...,...=. .......y.;..w...I.jb/.^..h..'.8...>..&Y.s....&.
<<< skipped >>>






The Trojan connects to the servers at the folowing location(s):







%original file name%.exe_2192:




.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
rs\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp
h-g}j
vT%SJLAu
.reloc
GetProcessHeap
setup_plugin.dll
/.yy\\
{{ssHH
7;;??##''  //
12::""**
1266::>>""&&**..
2377;;??##''  //
=>::6622..**&&""
34<<$$,,
4511==99%%!!--))
78<<0044((,, $$
9:>>2266**..""&&
<=995511--))%%!!
>?;;7733//  ''##
9:22**""
23;;##  
=>66..&&
0199!!))
8911))!!
;<884400,,(($$
.NP,"
u%c$#
|%Sp&
L-3}c
nssD02B.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nssD02A.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

nsissetup.exe_2868:




.text
`.rdata
@.data
.rsrc
@.reloc
8%uEP3
?.uEW
operator
GetProcessWindowStation
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
F3.1.0.197
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
%s '%s' [err=%d]
%s [f='%s']
%s [n=%d] -> hr=0xx
%s [f=0x%p,t=%u]->id=%u
%s -> watch for self-living object 0x%p
%s -> self-living object 0x%p has finished the work -> wait when it is done
%s -> drop self-living object 0x%p as it is done
<#$@@$#>
- got tag of %d bytes
%s [id=%u,call=%d]
- hr=0xx
DLG ENTRY v%s WIN%d.%d.%d ÛIT IE%d.%d
).uE(
{P:d T:d S:%d D:d.d.d} %s
!>%s [
name='%s'
%s, f='%s'
%s [f='%s',len(d)=%d]
%s [id=%s,type=%s]
- size: %d
%d.%d
kernel32.dll
user32.dll
wininet.dll
DeleteUrlCacheEntryW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpQueryInfoA
HttpSendRequestA
InternetCrackUrlW
urlmon.dll
shell32.dll
ShellExecuteExW
shlwapi.dll
oleaut32.dll
advapi32.dll
CryptImportKey
CryptDestroyKey
psapi.dll
%s [this=0x%p]
JsFileExecution::JsFileExecution
JsFileExecution::~JsFileExecution
JsFileExecution::doWorkRoutine
- queue #%d: %d items, add 0x%p
- queue #%d: %d items, run 0x%p
- request start: this=0x%p (v=%d)
- request end: this=0x%p, hr=0xx
- drop cache for '%s'
this=0x%p,f='%s',d='%s'
- DefWinProc -> %d
%s [this=0x%p,show=%d]
%s [file='%s']
%s [this=0x%p, root=lx, path='%s', f=0xlx] -> %d
- ID:='%s'
len(code)=%d
f='%s'
%s, count=%d
%s, name='%s'
Eval, len(expr)=%d, ns='%s', hr=0xx
CScriptSiteObj::GetItemInfo, name='%s'
- unpack `this`, hr=0xx
%s [this=0x%p,main=%d,url='%s']
%s [url='%s']
%s, hwnd=0x%p
- enum http_response_headers: '%s' (0xx)
- enum http_response_headers '%s' -> '%s'
- start a %sloader at %lu
HTTP/1.1
- request range %lu-%lu by '%s'
%s, this=0x%p
%s, this=0x%p, auto=%d
- send, counter=%d
- status: %d
- stop on range write, hr=0xx
- read %lu bytes by %lu portions
- has etag: %s
%s, this=0x%p, handle=0x%p, status=%d
^-- server IP is '%s'
^-- host is '%s'
i)%UUUUUU\
(h(%UU
-1N}wZ
X.saN
wQ.SsD
M.uix
0$0(0,0|0
5,585\5|5
4$4,484\4|4
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Advapi32.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
scriptMain.js
ScriptInterfaces.tlb
.part
http_response_headers
SupportsRange
Range%d
http_response_status
http_response_body
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLGD123.tmp

ProtectWindowsManager.exe_3500:




.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
?456789:;<=
!"#$%&'()* ,-./0123
SHELL32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
SHLWAPI.dll
%dYeArdMoNthdDaY
URLDownloadToFileA
file_url
ShellExecuteExW
SHDeleteKeyW
GetWindowsDirectoryA
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
RegCreateKeyW
ReportEventW
ADVAPI32.dll
PSAPI.DLL
USERENV.dll
VERSION.dll
GetCPInfo
zcÁ
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
263f3k3z3
=>>_> ?`?}?
5 5$5(5,5
? ?$?(?,?0?4?8?<?
:$:,:8:\:|:
%s_%s
\\.\Phys
..\Src\json\src\json_value.cpp
..\Src\json\src\json_reader.cpp
xxxx
..\Src\json\src\json_writer.cpp
kernel32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
portuguese-brazilian
WindowsMangerProtect
SOFTWARE\supWindowsMangerProtect
xa.geoip
visit.heartbeat
ProtectWindowsManager.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
TypesSupported
%s is already installed
%s installed
%s failed to install. Error %d
%s is not installed
Could not remove %s. Error %d
WindowsProtectManger
Advapi32.dll
/c ping 127.0.0.1 -n 2 > nul && del
"%s" %s
psapi.dll
Explorer.exe
urlmon.dll
update.exe
Assertion failed: %s, file %s, line %d
WindowsMangerProtect Service
C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
WindowsMangerProtect service
SysTool PasSame LIMITED
Windows SysTool Svr
20.0.0.2227
Windows SysTool.exe

ProtectService.exe_3684:




.text
`.rdata
@.data
.rsrc
@.reloc
GET %s%s%s HTTP/1.1
Host: %s
%sUser-Agent: Mozilla/4.0
POST %s HTTP/1.1
%sContent-Type: %s
User-Agent: Mozilla/4.0
Content-Length: %u
%*s %d %*s
%*[ ]%[^
?456789:;<=
!"#$%&'()* ,-./0123
file_url
E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb
GetProcessHeap
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
MSVCP110.dll
InternetCrackUrlW
WININET.dll
WS2_32.dll
SHLWAPI.dll
MSVCR110.dll
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_calloc_crt
__crtGetShowWindowMode
_amsg_exit
_wcmdln
__crtSetUnhandledExceptionFilter
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
SensApi.dll
VERSION.dll
PSAPI.DLL
USERENV.dll
.?AVCHttpClient@@
.?AVCTcpipSocket@@
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
2-2v2
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http=
WinHttpClient
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.
hXXp://xa.xingcloud.com
xxxx
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
UpDateProcess.exe
hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s
g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
Report HeartBeat
cmdshell.exe
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall
explorer.exe
Advapi32.dll
"%s" %s
psapi.dll
Explorer.exe
json_value.cpp
ljson_reader.cpp
ProtectSvc.exe
4.0.1.2253

HPNotify.exe_3756:




.text
`.rdata
@.data
.rsrc
@.reloc
<9%uo
wszUrl
strUrlTemp
hKEY
strSelUrl
strUrl
strConfUrlTemp
strDsUrl
strHpUrl
strCmdLine
tCPW
%UUUU
e_GetBrowserCurrentHpUrl
e_GetBrowserCurrentDsUrl
URLDownloadToFileW
URLDownloadToFileW ret:0XX
Error : %d
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.1.3
monochrome
unsupported bit depth
`'\%D,3
Run-Time Check Failure #%d - %s
%s%s%p%s%ld%s%d%s
%s%s%s%s
RegOpenKeyExW
RegCloseKey
del /s/q %1\*.*
%suninstall.bat
E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHDeleteKeyW
SHLWAPI.dll
MSVCP110.dll
MSVCR110.dll
_calloc_crt
_CRT_RTC_INITW
__crtGetShowWindowMode
_amsg_exit
_wcmdln
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtSetUnhandledExceptionFilter
GdiplusShutdown
gdiplus.dll
IMM32.dll
DeleteUrlCacheEntryW
WININET.dll
COMCTL32.dll
GetProcessHeap
#*1892 $
%,3:;4-&
.?AVCActiveXEnum@DuiLib@@
.?AVCWebBrowserUI@DuiLib@@
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
3?3
1-2}2
77t7
9":,:6:@:
12u2
9 9$9(9,9094989<9
0 1@1\1|1
hXXp://VVV.bing.com/
hXXp://VVV.yahoo.com/
hXXp://VVV.google.com/
%sconf
web/?type=dspp&
web/?type=dspp
hXXp://VVV.v9.com/
Itemd
BrowserAction.dll
%u_%u
%s_%s
%s_X
\\.\PhysicalDrive%d
\\.\Scsi%d:
UrlEdit
conf.xml
hXXp://v9.com/license_agreement.html
hXXp://v9.com/privacy_policy.html
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s
hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s
%stmp%d.tmp
urlmon.dll
main.xml
explorer.exe
Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex
IeWatchDog.dll
BrowerWatchFF.dll
BrowerWatchCH.dll
Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)
msimg32.dll
User32.dll
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
0xX
keyboard
msftedit.dll
password
%s%s%s
Correct password required
%s\%s
WebBrowser
transshadow
transshadow1
dest='%d,%d,%d,%d'
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
M-d-d
WebBrowserUI
errorUrl
{D27CDB6E-AE6D-11CF-96B8-444553540000}
user32.dll
MSPDB110.DLL
ADVAPI32.DLL
/c ping 127.0.0.1 -n 2 > nul && del /s/q
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
%Program Files% (x86)\XTab\skin\
SupHPNot.exe
4,0,1,2253
SupHPNty.exe

PCSUService.exe_604:




.text
`.rdata
@.data
.rsrc
@.reloc
SSSSSh
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
127.0.0.1
C:\Projects\PCSU-SL\PCSpeedUp\Release\PCSUService.pdb
WS2_32.dll
IPHLPAPI.DLL
sqlite3_exec
sqlite3_free
sqlite3_open16
sqlite3_close
sqlite3_extended_result_codes
sqlite3.dll
CreatePipe
GetProcessHeap
KERNEL32.dll
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
pdh.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
Secur32.dll
GetCPInfo
PeekNamedPipe
zcÁ
.PA_W
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1&282R2<3a3
2,2f2
2,2 3@3g3w3
= =7=?={=
?$?(?,?0?4?8?<?@?
0(0/04080<0]0
0&1,1014181
5#5(575^5
7.747(8?849
8 8$8(8,808
? ?$?(?,?0?4?8?<?@?
2 2$2(2,20242
srclient.dll
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
PCSUService-Timer.log
Wevtapi.dll
ERROR: GetWindowsBoottimes(): could not load Wevtapi.dll
Subscribing for Microsoft-Windows-Diagnostics-Performance/Operational - Event/System[EventID=100]
Microsoft-Windows-Diagnostics-Performance/Operational
ntdll.dll
ERROR: WaitUntilSystemIdle(): could not load Wevtapi.dll
ERROR: InitializePerformanceCounters(): check the registry keys in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
iexplore.exe
firefox.exe
chrome.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
RemoveExeImageHook(%s)...
DeleteValue failed: %d
DeleteKey failed: %d
registry key is not empty!
HKEY_LOCAL_MACHINE
ERROR: ProcessHelper.Start: hChildProcess != NULL
CreateOutputPipe
CreateInputPipe
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
RegistryHelper::GetValue():RegOpenKeyEx()
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
WinHttpClient
3.9.8.0
dddddd.d000
WindowsBoottimes
|userlogin|
PCSUBootTimes.log
,"LoginToIdle":
INSERT OR REPLACE INTO Boots(Idle, LoginToIdle, WinlogonToIdle, UptimeAtIdle, USBCacheActive) VALUES('
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
/update.aspx?uniqueID=
\PCSpeedUp-Silent-Update.exe
/SP- /VERYSILENT /updateMode=true /LOG=update.log /countryCode=
HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up
ERROR:RegistryHelper::CreateValue(HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up, UpdateChecked):
FileUploader.exe
Checking HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up key for USBCacheFill value...
DELETE FROM UC_STAT WHERE file LIKE '%.sys';
DELETE FROM UC_STAT WHERE file LIKE '%.tmp' AND read_counter<1000;
DELETE FROM UC_STAT WHERE file NOT LIKE '%.exe%' AND file NOT LIKE '%.dll%' AND read_counter=1;
hXXp://VVV.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
PCSUService: WinHttpClient.SendHttpRequest():
PCSUService: SendHTTPRequestAsync:
PCSUSD.exe
PCSUUCC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Speedchecker Limited\PC Speed Up
PCSUService.exe
PCSUQuickScan.exe
hXXp://qslimit.pcspeedup.co/qs_limit.aspx?productID=1&uniqueID=
SendHttpRequest
PCSUSpeedTest.exe
hXXp://VVV.pcsuapi.com
hXXp://VVV.pcsuapi.net
hXXp://VVV.pcsuservice.com
hXXp://VVV.pcsuapi.info
hXXp://VVV.pcsuapi.org
hXXp://VVV.sdapi.co
hXXp://VVV.sdltdapi.com
hXXp://VVV.sdservice.co
hXXp://VVV.sdltdapi.net
/featurelimit.aspx?productID=1&uniqueID=
PCSUSpeedTestGUI.exe
PCSUSpeedTest.exe /L /S
PCSUSpeedTestWifi.exe
PCSUSpeedTest.exe /L /SL
RegistryHelper.SetValue
RegistryHelper.DeleteValue
RegistryHelper.CreateKey
RegistryHelper.DeleteKey
SysUtils.SetRestorePoint
IOHelper.FileCopy
IOHelper.Delete
Process.Start
The Process.Start didn't receive 7 arguments.
Process.HasExited
The Process.HasExited didn't receive 2 arguments.
Process.Stop
The Process.Stop didn't receive 2 arguments.
Process.Terminate
DB.ExecuteNonQuery
The DB.ExecuteNonQueryEx didn't receive the query/sql to execute.
DB.ExecuteScalar
The DB.ExecuteScalarEx didn't receive the query/sql to execute.
DB.ExecuteReader
The DB.ExecuteReader didn't receive the query/sql to execute.
NetworkHelper.GetAllMACAddresses
Service.Start
Service.Stop
Remove.IFEO
PCSUSD.Scan
PCSUSD.Enable
PCSUSD.Disable
Process.CheckBrowsers
PCSUUCC.Scan
PCSUUCC.Refresh
PCSUUCC.Update
PCSUUCC.Clean
PCSUUCC.Fill
PCSUUCC.Install
PCSpeedUp.sys"
PCSUUCC.Uninstall
PCSUUCC.On
PCSUUCC.Off
PCSUUCC.Status
PCSUUCC.Usage
cmd /c PCSUUCC.exe /usage > CacheUsage.txt
PCSUService.SpeedTest
PCSUService.SpeedTestWifi
HTTP.Send
server_port
PCSUService.conf
service status: PID = %d, state = %s, CheckPoint = %d, WaitHint = %d
EnumDependentServices failed (err=%d)
Stop dependent service "%s"...
OpenService failed (err=%d)
ControlService failed (err=%d)
QueryServiceStatusEx failed (err=%d)
Timeout! (%d sec)
StartService(%s)...
ERROR! OpenSCManager failed! (err=%d)
ERROR! OpenService(%s) failed! (err=%d)
ERROR! StartService failed! (err=%d)
ERROR! QueryServiceStatusEx failed (err=%d)
Current State: %d
Exit Code: %d
Check Point: %d
Wait Hint: %d
StopService(%s)...
Service stop timed out. (%d sec)
ERROR! StopDependentServices failed! (err = %d)
ERROR! ControlService failed (err=%d)
Wait timed out (%d sec)
ExecuteNonQuery: sqlite3_exec:
ExecuteScalar: sqlite3_exec:
ExecuteReader: sqlite3_exec:
LocalExecuteNonQuery: sqlite3_exec:
LocalExecuteScalar: sqlite3_exec:
LocalExecuteReader: sqlite3_exec:
sqlite3_open16:
sqlite3_close:
PRAGMA foreign_keys = ON;
SELECT DISTINCT s.ID, s.ValueName, s.ValueData, l.Path, s.ValueType FROM Startups s, ScanStartupApplications ssa, Locations l WHERE (s.Action = 2) AND (s.ID = ssa.IDStartup) AND (ssa.IDLocation = l.ID) ORDER BY s.ValueType DESC;
hXXp://VVV.safedownloadapi.com
ERROR:CheckUpdateURL():ResponseContent:
%Program Files% (x86)\PC Speed Up\PCSUService.exe

nssCF71.tmp_3176:




.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp
inetc.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
8!8-8B8I8}8
^2S%S
nse5ACF.tmp
s\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp
Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
nssCF71.tmp
ers\"%CurrentUserName%"\AppData\Local\Temp\nsi84C8.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

SpeedCheckerService.exe_2188_rwx_00D00000_0000F000:




.EelP
x.elP
?.elP

nssCF72.tmp_3656:




.text
`.rdata
@.data
.rsrc
@.reloc
xSSSh
FTPjKS
FtPj;S
C.PjRV
portuguese-brazilian
operator
GetProcessWindowStation
C:\dev\src\dl_generic_library\helpers\voping\voping_cpp\Release\voping_cpp.pdb
KERNEL32.dll
HttpSendRequestW
HttpOpenRequestW
WININET.dll
WinHttpCrackUrl
WINHTTP.dll
GetCPInfo
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
3(3/394@4
8#:0:9:|:
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
,hXXp://sstatic1.histats.com/0.gif?%u&101

DTLite4461-0327.exe_3840:




.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
ÒHh
.oulj_
yTCP
S%CXm
-0VA}
.text0
`.reloc
@.rsrc
@.reloc
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
InstallOptions.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
s\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll
s.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp
RegPagePaidInfo.ini
disc-soft.com account:
o530.tmp\setuphlp.dll
All Files|*.*
nso530.tmp
fo.ini
Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe"
secure.disc-soft.com/payment/dtLite,1
ted in your e-mail receipt from disc-soft.com or in your disc-soft.com account:
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe"
%Program Files% (x86)\DAEMON Tools Lite
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a
DTLite4461-0327.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nso4E0.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe
470417835
1508098
-1693842398
4129502
Windows Gadget
Integrate with Windows Explorer
SCSI Pass Through Direct (SPTD) layer is needed for Advanced Emulation features.
Windows Gadget for quick access to main DAEMON Tools functionalities from Desktop.
4260574
4326110
4.46.1.0327.0
DAEMON Tools Lite4.46.1.0327.exe






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    pcspeedup.exe:3936
    install.exe:2612
    PCSUService.exe:604
    PCSUService.exe:3100
    PCSUService.exe:3444
    cvs_mystartsearch.exe:948
    BaofengUpdate.exe:3384
    BaofengUpdate.exe:2892
    nssCF71.tmp:3176
    ProtectWindowsManager.exe:3500
    ProtectWindowsManager.exe:3460
    PCSUSD.exe:4000
    ProtectService.exe:3668
    ProtectService.exe:3684
    wpm_v20.0.0.2227.exe:3440
    MSI106D.tmp:3272
    pcspeedup.tmp:3952
    VOPackage.exe:1780
    XTab_Setup2253.exe:3544
    HPNotify.exe:3756
    coregen.exe:3664
    coregen.exe:3576
    coregen.exe:3472
    coregen.exe:3460
    coregen.exe:1132
    coregen.exe:3624
    coregen.exe:336
    coregen.exe:3440
    coregen.exe:3208
    coregen.exe:3392
    coregen.exe:3144
    coregen.exe:1244
    coregen.exe:2060
    coregen.exe:3080
    coregen.exe:1108
    SpeedCheckerService.exe:3264
    cmdshell.exe:3740
    %original file name%.exe:2192
    PCSUSpeedTest.exe:3468
    regsvr32.exe:4004
    regsvr32.exe:1072
    nssCF72.tmp:3656
    Skyhook.exe:912
    Silverlight.exe:3240
    PCSUNotifier.exe:3972
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-PAARG.tmp\pcspeedup.tmp (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SilverlightMSI.log (90000 bytes)
    C:\135c1e3ab58ad80afdd7f364\install.res.dll (397 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Silverlight0.log (6780 bytes)
    C:\135c1e3ab58ad80afdd7f364\Silverlight.msp (3692 bytes)
    %Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (13980 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService.log (1858 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService-Timer.log (99 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUSpeedTest.exe (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\Thumbs.db (27 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_1.ipk (37339 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\quick_searchff#5.4.10.xpi (1209 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button1.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\MessageBox.xml (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code6.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\uninstallDlg2.xml (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe (19594 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code2.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\2[1].zip (291497 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code3.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\unchecked.png (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll (1137 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\UninstallManager.exe (15958 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code4.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BaofengUpdate.exe (1206 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_bg.png (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg.png (1209 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code1.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\sweetsearch!1.0.0.1031.xpi (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tCE1709AA862C234DD936mp.tmp (144 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\DataBase (7769 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe (1137 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bk_shadow.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_light.png (139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\close.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\min.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\conf (83 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code5.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\535559167_198339_B48A115F[1].htm (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox_select.png (783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\428.json (520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_2.ipk (28823 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg1.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\Thumbs.db (42 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\428.db (200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox.png (545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\1[1].zip (195558 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe (3249 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checked.png (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\scrollbar.bmp (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\googlelogo.png (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\restoreprefs.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\properties.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bk_shadow.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\default_logo.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code5.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A987.tmp (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\Thumbs.db (27 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es-419\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox_select.png (783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg1.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en-US\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\index.html (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\last_tab.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\common.js (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\misc.js (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\search.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg.png (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pl\locale.properties (1 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\icon.png (628 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button1.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\google_trends.png (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\tr\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome.manifest (1 bytes)
    %Program Files% (x86)\Mozilla Firefox\browser\searchplugins\mystartsearch.xml (565 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checked.png (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_bg.png (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\scrollbar.bmp (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\unchecked.png (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\style.css (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\stat.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\addonmanager.js (531 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\newtab.ico (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\preferences.js (379 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code3.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code1.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\Thumbs.db (42 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\logo.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\js.js (660 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\close.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\ga.js (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\min.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code4.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\uninstallDlg2.xml (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A998.tmp (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\vi\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\remoterequest.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\settings.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\misc.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code6.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\428.json (520 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\MessageBox.xml (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\aes.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.xul (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\speed_dial.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe (14022 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox.png (545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\simple.css (4 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\fvd.js (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\loading.gif (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_light.png (139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code2.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\0[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84C9.tmp (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B6Z6HGT4.txt (106 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\0[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp (43 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
    C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)
    C:\Windows\Tasks\PC SpeedUp Service Deactivator.job (336 bytes)
    %Program Files% (x86)\PC Speed Up\Sqlite3.dll (585 bytes)
    %Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
    %Program Files% (x86)\XTab\msvcr110.dll (876 bytes)
    C:\ProgramData\IHProtectUpDate\update\conf (5 bytes)
    %Program Files% (x86)\XTab\CmdShell.exe (32 bytes)
    C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coregen.exe (69 bytes)
    %Program Files% (x86)\PC Speed Up\unins000.exe (49 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-SBV4J.tmp (3361 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Silverlight.exe (1738736 bytes)
    %Program Files% (x86)\PC Speed Up\is-0OS0F.tmp (2321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SNE55.tmp (20 bytes)
    %Program Files% (x86)\PC Speed Up\is-29LNJ.tmp (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SG3HV.tmp (54589 bytes)
    %Program Files% (x86)\PC Speed Up\is-F2546.tmp (31891 bytes)
    %Program Files% (x86)\PC Speed Up\is-8PBKC.tmp (673 bytes)
    %Program Files% (x86)\PC Speed Up\is-6KBMV.tmp (48 bytes)
    %Program Files% (x86)\PC Speed Up\unins000.msg (864 bytes)
    %Program Files% (x86)\PC Speed Up\is-3GVGP.tmp (3361 bytes)
    %Program Files% (x86)\PC Speed Up\PCSULauncher.exe (81 bytes)
    %Program Files% (x86)\PC Speed Up\is-IPS4T.tmp (23 bytes)
    %Program Files% (x86)\PC Speed Up\is-8FSMN.tmp (2321 bytes)
    %Program Files% (x86)\PC Speed Up\is-65J6L.tmp (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-PB612.tmp (601 bytes)
    %Program Files% (x86)\PC Speed Up\is-RIIRJ.tmp (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PCSUNotifier.exe (2465 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PopupNotification.dll (2321 bytes)
    %Program Files% (x86)\PC Speed Up\is-V7JN2.tmp (6841 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Sqlite3.dll (3361 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedCheckerService.exe (24 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\itdownload.dll (1489 bytes)
    %Program Files% (x86)\PC Speed Up\App.config (3718 bytes)
    %Program Files% (x86)\PC Speed Up\is-S2DD8.tmp (55 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_setup64.tmp (6 bytes)
    %Program Files% (x86)\PC Speed Up\is-V94DR.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-S7P3F.tmp (28 bytes)
    %Program Files% (x86)\PC Speed Up\is-BSQHS.tmp (2321 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService.conf (605 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-JF5OQ.tmp (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-EKJKL.tmp (265 bytes)
    %Program Files% (x86)\PC Speed Up\is-QCKKO.tmp (889 bytes)
    %Program Files% (x86)\PC Speed Up\is-3GHQ8.tmp (4545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\delete_me_reportInstall.txt (2 bytes)
    %Program Files% (x86)\PC Speed Up\is-1IA04.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-26 #001.txt (585081 bytes)
    %Program Files% (x86)\PC Speed Up\is-A5LBU.tmp (2105 bytes)
    %Program Files% (x86)\PC Speed Up\uninstaller.dat (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\WebBrowser.dll (2763 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-55LAA.tmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-C42T5.tmp (7 bytes)
    %Program Files% (x86)\PC Speed Up\is-50NHH.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\PC Speed Up.lnk (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-QOQI6.tmp (47 bytes)
    %Program Files% (x86)\PC Speed Up\unins000.dat (53168 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BA2BP.tmp (601 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUSD.exe (405 bytes)
    %Program Files% (x86)\PC Speed Up\is-95IRN.tmp (601 bytes)
    %Program Files% (x86)\PC Speed Up\is-0OSRR.tmp (7726 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService.exe (446 bytes)
    %Program Files% (x86)\PC Speed Up\is-MBUJ4.tmp (35 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MNGUG.tmp (4 bytes)
    %Program Files% (x86)\PC Speed Up\is-LMJL1.tmp (12 bytes)
    %Program Files% (x86)\PC Speed Up\is-1MP8Q.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF41B.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD83B.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF611.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn8ABB.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEEDA.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy87EC.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp (3656 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD53D.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF778.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\WmiInspector.dll (2840 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd8944.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF2E2.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoFA58.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiD28C.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst900B.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8646.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst9192.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8480.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage\Configure.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\stats[1].htm (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD907.tmp (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD134.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\IpConfig.dll (3440 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD6E3.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\vnstF593.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy92EA.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd9442.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoD3E5.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEDA1.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\heu39T.nss (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\VOPackage.exe (1748 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF1B9.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe (1336 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF8D1.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd95C9.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\Uninstall.exe (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\count_vn[1].htm (2888 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF080.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyCD6E.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8E45.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\count_vc[1].htm (5984 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp (7288 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\SLMSPRBootstrap.dll (618 bytes)
    %Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll (65 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ELL.dll (3406 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\favicon.bmp (894 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHT.dll (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupHelper.exe (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChrome.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LTH.dll (3722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageTrialInfo.ini (796 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\RUS.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\License.rtf (814 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-header.bmp (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PTB.dll (5114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-wizard.bmp (7192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SLV.dll (1921 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PLK.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageEmail.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ReinstPage.ini (478 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BIH.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\InstallOptions.dll (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.bmp (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SVE.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll (165851 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SKY.dll (3410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ESN.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChromeIcon.bmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ITA.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ENU.dll (3722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HEB.dll (3402 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HRV.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ARA.dll (3402 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy51F.tmp (316027 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\AFK.dll (29 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NLB.dll (3718 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LVI.dll (1913 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DAN.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ioSpecial.ini (8566 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\JPN.dll (2461 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KOR.dll (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FRA.dll (5123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\OCSetupHlp.dll (27504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DAEMON_Chrome.bmp (7192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHS.dll (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\MountSpace.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPagePaidInfo.ini (7109 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CAT.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\translate-icon.bmp (894 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gcapi_dll.dll (16424 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\share-icon.bmp (838 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupWaitPage.bmp (8184 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DEU.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Toolbar.exe (20624 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FIN.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HUN.dll (3402 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gtapi.dll (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\IND.dll (3722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ROM.dll (3406 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\license.bmp (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CSY.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\TRK.dll (2465 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KAT.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\moutspace-bg.bmp (22552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NOR.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Chrome.exe (20624 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DTSetupHelper.exe (6532 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\GLC.dll (1917 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BGR.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\WaitPage.ini (642 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\UKR.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SRL.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\System.dll (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageType.ini (9662 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HYE.dll (3402 bytes)
    %Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
    %Program Files% (x86)\XTab\skin\btn.png (2 bytes)
    %Program Files% (x86)\XTab\install.data (68 bytes)
    %Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
    %Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
    %Program Files% (x86)\XTab\conf (1638 bytes)
    %Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
    %Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
    %Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
    %Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
    %Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\ver.txt (47 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
    %Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
    %Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
    %Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
    %Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
    %Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
    %Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
    %Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
    %Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
    %Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\main.xml (4 bytes)
    %Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
    %Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
    %Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
    %Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
    %Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
    %Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
    %Program Files% (x86)\XTab\web\js\js.js (18 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\logo.png (5 bytes)
    %Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
    %Program Files% (x86)\XTab\web\main.css (19 bytes)
    %Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
    %Program Files% (x86)\XTab\skin\close.png (3 bytes)
    %Program Files% (x86)\XTab\web\data.html (20 bytes)
    %Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
    %Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
    %Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
    %Program Files% (x86)\XTab\skin\about.png (4 bytes)
    %Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxE3BA.tmp\System.dll (23 bytes)
    %Program Files% (x86)\XTab\skin\settings.png (5 bytes)
    %Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
    %Program Files% (x86)\XTab\web\js\common.js (2 bytes)
    %Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
    %Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
    %Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
    %Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
    %Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
    %Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.ni.dll (8729 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.dll (32 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll (932 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.ni.dll (13798 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll (17751 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll (940 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.ni.dll (5844 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.dll (24 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll (94223 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.dll (323 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.ni.dll (123677 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.dll (520 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll (612 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.dll (65 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll (17059 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.dll (73 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll (922 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.dll (131 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.ni.dll (40448 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll (616960 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coreclr.dll (291 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorrc.dll (12 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.dll (229 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll (579 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.dll (561 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll (900 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\system.dll (241 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.dll (438 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6B84D30E5F69CEB3278532D063D4504 (25 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (704 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
    %Program Files% (x86)\PC Speed Up\Speedchecker.log (4481 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
    %Program Files% (x86)\PC Speed Up\agsXMPP.dll (540 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6B84D30E5F69CEB3278532D063D4504 (324 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallState (196 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallLog (720 bytes)
    C:\Windows\System32\config\SYSTEM (3355 bytes)
    %Program Files% (x86)\PC Speed Up\InstallUtil.InstallLog (684 bytes)
    C:\Windows\System32\config\SYSTEM.LOG1 (4619 bytes)
    C:\$Directory (768 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe (12626 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll (30 bytes)
    %Program Files% (x86)\PC Speed Up\ManagedWifi.dll (36 bytes)
    %Program Files% (x86)\PC Speed Up\SharpBrake.dll (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)
    %Program Files% (x86)\PC Speed Up\Skyhook.exe (184 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (848 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (1520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
    C:\Windows\System32\config\SOFTWARE (116274 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (848 bytes)
    C:\Windows\System32\config\SOFTWARE.LOG1 (160036 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedChecker.dll (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\progress.zip.part (5654 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\index.html (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\index.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\dad4890a8fda856f77d8f153dc13db68\VOPackage.exe.part (20091 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\uifile.zip.part (1968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\index.html (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\index.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\progress.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\index.html (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLGD123.tmp (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\index.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe.part (903094 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\index.html (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\css\style.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\last.zip.part (1968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe.part (421975 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo.png50x50[1].jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\uifile.zip.part (2937 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\noconnection.html (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\uifile.zip.part (2933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\uifile.zip.part (2933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\base.zip.part (1964 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\css\style.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress-bar.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\262bebb37d687dabfd48d85e0de76564\cvs_mystartsearch.exe.part (45604 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUHelper.dll (286 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QGQ329ST.txt (106 bytes)
    %Program Files% (x86)\PC Speed Up\wpsapi.dll (49 bytes)
    C:\135c1e3ab58ad80afdd7f364\silverlight.7z (100007 bytes)
    C:\135c1e3ab58ad80afdd7f364\$shtdwn$.req (788 bytes)
    C:\135c1e3ab58ad80afdd7f364\silverlight.msi (364 bytes)
    C:\135c1e3ab58ad80afdd7f364\install.exe (3678 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "PCSpeedUp" = "%Program Files% (x86)\PC Speed Up\PCSUNotifier.exe"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now