MD5: 8f0dd6d56f6866b5ed1effe628d7c71b
SHA1: d0a873671d6d897aa0fad6b58a35ff6f3824d9e1
SHA256: e9fcdfee321934b560bdac6557438ca011de84e4583a12f23e73eea713b0906e
SSDeep: 24576:ExGDhqy1fkXC6jBNrrDT8oQWT5cgvzxP8SCUO:pNqrCQvFjrDCUO
Size: 1079328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2013-10-13 11:19:32
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

aff_setup.exe:2808
thirdpartyinstaller.exe:1176
%original file name%.exe:2008
8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220
pm-standalone-setup.exe:2420
pm-standalone-setup.tmp:888
dd2a5f4929d14f419028f48e1839521d766015.exe:1632
OLBPre.exe:2904
pc-mechanic.exe:2708

The Worm injects its code into the following process(es):

pc-mechanic.exe:2024

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process aff_setup.exe:2808 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_1405.pdf (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd2a5f4929d14f419028f48e1839521d766015.exe (91153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_1628.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw93A9.tmp (7291 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_8198.dat (784 bytes)

The process thirdpartyinstaller.exe:1176 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (176 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)

The process %original file name%.exe:2008 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-3OBPR.tmp\8f0dd6d56f6866b5ed1effe628d7c71b.tmp (50 bytes)

The process 8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\myPCBackup_dot_com_logo_245x53.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (41394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\aff_setup[1].exe (42672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\uniblue_product_logo_50x50_white_background.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\checkmark_10x8.bmp (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\pcmechanicpm-standalone-setup[1].exe (5665064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\pm-standalone-setup.exe (5425549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #001.txt (23254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\windows8_with_innovation.bmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\microsoft_partner.bmp (53 bytes)

The process pm-standalone-setup.exe:2420 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J194S.tmp\pm-standalone-setup.tmp (50 bytes)

The process pm-standalone-setup.tmp:888 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-L5TB4.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-D42IV.tmp (20504 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-VO3E7.tmp (35285 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-LQCTJ.tmp (114305 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-T38DQ.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-4VGDV.tmp (197872 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-8MILD.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2BQ2S.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-81TR2.tmp (3361 bytes)
C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-C2PRA.tmp (13 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-G88F5.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-MALHE.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-KQQMD.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1EKH1.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-65M8L.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-BQT7R.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-1MPBL.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-3U8HG.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-1HAGF.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8UFQG.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-TT2MJ.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #002.txt (460554 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-KV1T1.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-03EBF.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-BI3OR.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-I7C42.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-K89A0.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\license.en.rtf (26 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-4O73U.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-1NT3A.tmp (524 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-DG0QA.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-0LHNU.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-JJR23.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-277QT.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\windows8_with_innovation.bmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-LQ5K1.tmp (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4UCCP.tmp (112 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-NRGN6.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-E9LUF.tmp (10 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-N1UL8.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-ETSB4.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-73U4E.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-4B2SS.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-48U0H.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-IGR6O.tmp (28498 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2B2SF.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8GN06.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\printer.bmp (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-94UBV.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-RVIJM.tmp (601 bytes)

The process dd2a5f4929d14f419028f48e1839521d766015.exe:1632 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\OLBPre\it_IT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\OLBPre\uninst.exe (1026 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw9FD9.tmp (54650 bytes)
%Program Files% (x86)\OLBPre\de_DE.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\OLBPre\es_ES.mo (1856 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe.config (203 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe (35833 bytes)
%Program Files% (x86)\OLBPre\fr_FR.mo (1856 bytes)
%Program Files% (x86)\OLBPre\pt_PT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\OLBPre\brand.jdat (17848 bytes)
%Program Files% (x86)\OLBPre\LinqBridge.dll (1856 bytes)

The process OLBPre.exe:2904 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\OLBPre\state.jdat (428 bytes)
%Program Files% (x86)\OLBPre\aff.jdat (140 bytes)

The process pc-mechanic.exe:2024 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6914 bytes)

The process pc-mechanic.exe:2708 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (825 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6093 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)

Registry activity

The process 8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallerBuiltWithOffers" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "A3 F7 D6 A7 26 77 D0 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionTime" = "A3 F7 D6 A7 26 77 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"
"WpadNetworkName" = "Network"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process pm-standalone-setup.tmp:888 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Icon Group" = "Uniblue\PC Mechanic"

[HKCR\pc-mechanic]
"URL Protocol" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"NoModify" = "1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"EstimatedSize" = "62107"
"InstallDate" = "20150415"
"Comments" = "Uninstall PC Mechanic"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"UnitID" = "4010"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MinorVersion" = "0"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"EcommercePlatform" = "cleverbridge"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)" = "pc-mechanic.exe,1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Deselected Tasks" = ""

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe /SILENT"
"DisplayVersion" = "1.0.5.0"
"URLUpdateInfo" = "http://uniblue.com/software/pcmechanicpm/updates/"
"UninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe"

[HKCR\pc-mechanic]
"(Default)" = "URL:PC-Mechanic Protocol"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MajorVersion" = "1"
"DisplayName" = "PC Mechanic"
"Publisher" = "Uniblue Systems Limited"
"HelpLink" = "http://www.uniblue.com/support/manuals/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallDate" = "2015-04-15"

[HKCR\pc-mechanic\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe --serial=%1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Setup Version" = "5.5.4 (u)"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl" = "http://www.uniblue.com/cm/marimedia-an/pcmechanicpm/an_row_01/purchase/"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"URLInfoAbout" = "http://www.uniblue.com/support/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"lang" = "en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\PC-Mechanic"

The Worm deletes the following value(s) in system registry:

[HKCR\pc-mechanic]
"URL Protocol"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)"

[HKCR\pc-mechanic]
"(Default)"

[HKCR\pc-mechanic\shell\open\command]
"(Default)"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl"
"InstalledLocation"

The process dd2a5f4929d14f419028f48e1839521d766015.exe:1632 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\PUPautoinsaller_v1.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsSCM.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayVersion" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayName" = "MyPC Backup"
"DisplayIcon" = "%Program Files% (x86)\OLBPre\uninst.exe"
"Publisher" = "MyPC Backup"
"HelpLink" = "http://support.mypcbackup.com"
"URLInfoAbout" = "http://www.mypcbackup.com"
"UninstallString" = "%Program Files% (x86)\OLBPre\uninst.exe"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process pc-mechanic.exe:2024 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

The process pc-mechanic.exe:2708 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Uniblue Systems Limited
Product Name: PC Mechanic
Product Version: 1.0.5.0
Legal Copyright: Copyright (c) Uniblue Systems Limited
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.0
File Description: PC Mechanic Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 159
595f1fc6db9af2f5b74feffe71c7a123
07cb679acc810aa050cc2353509e5393
8643014e30fccffd0048979713cb7001
eb2d058ca6921e2c6d56f35f5502a4d4
e3b5bd3126a441609fa77f52a36ae298
6370fab243594f9a469c66fe6f14eeb3
b49995f511e0b27eba38a7e2b08de623
c0c14fd4f291d6001d09993c25e3825b
5906a85cd27be3d0508bc3f1ec5e62de
b153399713231db375646f1d0f00ab81
ed1a11d0c026c535c9400af0cc285c8d
a4db7fea7fc4bc8ddca8f616d1b44968
a31c60775ffa14da852aebac7b20b350
07c2c6d77dead8e72846174d8f034016
8be396cd92a8dcc0aa3cb8034507ee02
1f22d7f81ed540bd5af17738eadaf9d6
f56a7328f430b18efa42246422615699
eaee4be2373fe1db7128b7367bcab4ca
d4770d5ccb75c91c1909b13ef3fec96c
86fbfc957a5090937eae9aa34297c99e
6f31b53ed4d816e8a9c074763b4e39c6
0d198f08a94a52c1c7562b3d8b30764d
b7848c9100697f733bcb9c8a7ce39d71
0e3565470c38a5b53affaae2aca325e5
5fec4f59585289a6894b58ac06c594b8

URLs

URL	IP
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/collect
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe
hxxp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe	54.192.46.144
hxxp://backupgrid.jdibackup.netdna-cdn.com/aff_setup.exe
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/pm/version.txt?from=1.0.5.0
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/track
hxxp://api.uniblue.net/v1/geo/country-code	54.228.215.241
hxxp://s3-1-w.amazonaws.com/latest_updates/application.txt
hxxp://uniblue.com/api/v1/geo/country-code	54.228.233.135
hxxp://track.backupgrid.net/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe	184.154.139.137
hxxp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe	184.154.139.131
hxxp://backupgrid.jdibackup.netdna-cdn.com/MyPCBackup_ppi_Setup.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1f09e3a75e6cdb42
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4379edd6935cb292
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.51.123.27
hxxp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt	54.231.16.185
hxxp://tracking.uniblue.com/v1/collect	54.247.176.17
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=	23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1f09e3a75e6cdb42	87.245.216.25
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	87.245.216.57
hxxp://www.uniblue.com/api/v1/geo/country-code	54.228.233.135
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	87.245.216.57
hxxp://tracking.uniblue.com/v1/track	54.247.176.17
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=	23.51.123.27
hxxp://update.uniblue.com/pm/version.txt?from=1.0.5.0	54.243.120.72
hxxp://download.uniblue.com/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe	54.243.120.72
hxxp://crl.verisign.com/pca3.crl	23.51.117.163
hxxp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe	94.31.29.237
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=	23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	87.245.216.57
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI=	23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	87.245.216.57
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=	23.51.123.27
hxxp://cdn.backupgrid.net/aff_setup.exe	94.31.29.237
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4379edd6935cb292	87.245.216.25

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY Python-urllib/ Suspicious User Agent

Traffic

GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0

Host: track.mypcbackup.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 301 Moved Permanently

Date: Wed, 15 Apr 2015 02:49:18 GMT

Server: Apache

Set-Cookie: SESSID=d9spekf2n5b71ug4pm2120ms25; path=/; domain=.mypcbackup.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: 748a7624422584634822bd3a2bf604ae=4cfceb115c4a698cc6e6dcfc4ed60f30; expires=Thu, 13-Aug-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com

Set-Cookie: intc=1; expires=Thu, 16-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com

P3P: CP="We do not have a P3P policy"

location: hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe

Set-Cookie: aff_id=67333; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hop_name=MaxiDisk1; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hop_id=97175; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: hash=5e234192e97f23d956a71adc69f7cd0d; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: tid=PC-Mechanic; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com

Set-Cookie: 9bf5853aunique=true; expires=Tue, 14-Jul-2015 02:49:18 GMT; path=/; domain=mypcbackup.com

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=366969, public, no-transform, must-revalidate

Last-Modified: Sun, 12 Apr 2015 08:45:09 GMT

Expires: Sun, 19 Apr 2015 08:45:09 GMT

Date: Wed, 15 Apr 2015 02:52:18 GMT

Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015041
2084509Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20150412084509Z....20150419084509Z0...*.H.....
.........>.3..7..M....._........b...A.......).:.!M..._...4<.,...
r.g.y5...g.6.u...Z.2'.^?Ic1.t&.-..U...tc.loL....?x.. .G..GHw6....2...s
B.i..4..(...I...1...E..5....bfO.`N....58..u;..n Zg(..............Z....
|Iu...HC..S.9...|.K.)....csE.?.(.o..H^.z.o.=z..m`...M......X....0...0.
..0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...141202000000Z..151216235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
 Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Cert
ificate 30.."0...*.H.............0...............2&..PL...,..2....:..t
H...`JG.%..*...s.c%[email protected]"1.5?..s..
...3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$".
.$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.
6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E...
.0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.
symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0
!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U
.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=547829, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 11:00:03 GMT

Expires: Tue, 21 Apr 2015 11:00:03 GMT

Date: Wed, 15 Apr 2015 02:52:18 GMT

Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....2015041
4110003Z0s0q0I0... ...................F....0.yV......{&.K......&......
.8....t..............20150414110003Z....20150421110003Z0...*.H........
.......P.'.-..(.c.tC~J.@m.,..r..T\n.6...H.T....r.Ht#........^.5.N.{...
,...)....sf8........<.c..I.....a.....7LZ.c...N....8...........KI^..
.0V@<........}.bB,.....@e.;.f8"...z8.,d.......l.P.?.D.{.-.u..w.u.j2
.^......k.......r...5e....0`..K.......T.. ......9..NET.C.....0...0...0
............F...I]A([email protected]...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code S
igning 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U.
...VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign 
Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.....
....q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e.
./jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M
/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5
.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U
....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veris
ign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incor
p. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U...
.....0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H.....
.........-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.
<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT

If-None-Match: "924558f3e994cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT

Accept-Ranges: bytes

ETag: "2711f7277076d01:0"

Server: Microsoft-IIS/8.5

VTag: 791500626200000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Wed, 15 Apr 2015 02:51:55 GMT

Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Z0... .....7......150712164223Z0.
..*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w...
 ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..
Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2
.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b.HTTP/1
.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Tue, 14 
Apr 2015 05:02:07 GMT..Accept-Ranges: bytes..ETag: "2711f7277076d01:0"
..Server: Microsoft-IIS/8.5..VTag: 791500626200000000..P3P: CP="ALL IN
D DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT CO
M INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length:
 554..Cache-Control: max-age=900..Date: Wed, 15 Apr 2015 02:51:55 GMT.
.Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0.
..U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0
!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0.
..U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... ..
...7......150712164223Z0...*.H.............WK....e.\.-.n......./......
."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._
.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x....
..W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t...
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?4379edd6935cb292 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT

Accept-Ranges: bytes

ETag: "80b4d90ca4fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 48151

Date: Wed, 15 Apr 2015 02:51:55 GMT

Connection: keep-alive
MSCF............,...................I......._.........WFr. .authroot.s
tl.J..:58..CK...8T.....c.5.}l.s..%D..[R.l...l7iTBWiA..*......D!K.....d
....*s.....<..s.;.93..~....g.....Y.......q.....9........;..2..^....
Y%,..,8......Wf.Q;s.....n&v<;.Wcs....AB..BD]].].p.....|.z$.......?.
.*../.."$... ..P.."..K9.P>.g.mt...q.yqT.......[...%wX.]..(";...*..x
....;.gt...W..pH[.*.A.]..J.......<z'X..%..GV.7......2Z8q.OU?.Y=....
%ln..A.P.....c=D...=h..Z..78G....].........Z...0.O..!.B(.0a....rv<.
.K.Z......[.PJ."6...(...p....ffV&6,........#.^^.y.....C.]...`U..;]....
.7.;..<\.2w|.`v.......v.|.xD.G.'..4z....1..A.5.h.. .p.@.@.#h..T;...
...z..Y*..)...Is..y....W..z..XP*LU..........4.q.....\...|.F.".[.l9.3.o
....>,...y.K....&..B...^.cA#......q.976?.E..i...g...s.....K$&...(.[
......J..a.z4......5,wk.....L.9..=.j..r........Z........U`..;....5.&.X
..h<Uw.F.ifP...r....A=..N...._...R........`B.......re...X....U....a
..._...XU.z..s..>lt.9..W..4..r.w...I...C....L.&..l.,...`.S.A#.P.d. 
...?N.qUd....#....l......6v.F..<V...#..X...;-|...da...O#.....C.....
....3`..X....I.S'.>."*.X.z.V..0.........j.oO..xRnL.....X...q.[..[,X
F..L.j....D..=..N..[....G7...l.Hi!.i.p@....,"..E.;...8f."....y.......&
lt;..........h.a.b..|....<f..8,....6...k..T".|:.....zm.........n..I
..x.....1.=....q..I.6....;...O.....rf.1..H.a..|....zk..c.5.A&~o...R...
....V...:..c...:....<Z....3..I1.B..%.9.3....:.X...Elk.3.b..>*../
.{..O.=......7..}[email protected]|iQ.....G...A..3...B...0A*@I.[.....4.
..\..?..R.c.(.8(..h..w.s.....X ........>r|...?._..%..O.d.,.....
<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT

If-None-Match: "96bfbfb1d77cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT

Accept-Ranges: bytes

ETag: "a1132b8ef65d01:0"

Server: Microsoft-IIS/8.0

VTag: 438176043100000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Wed, 15 Apr 2015 02:51:25 GMT

Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....mic
rosoft1-0 ..U...$Microsoft Root Certificate Authority..150323204828Z..
150622090828Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..
%..*..S.Y..0... .....7.......0...U......)0... .....7......150621205828
Z0...*.H.................k...#......w..^L1........r...B..gLX..G.. 4...
6.e..^..s=... o..nz..`..z...5..5.01.........w..v...M...<.....,...}&
I......].g...>.?.L.(.`....*^5J...y. ....`.y8Il.V\mS..p..V....>,.
...OR%.r0.)Po\j.C.kE...EGF.Z....gcP....d.6.edP...f.?.......&Y8.Z...".'
.X.$g.TP....,.....{.wd.h...N7..^{.#...@[..U....{.*.~.d)... ...!...c.@Q
y.C........}......?...j....?%..x.. -.%....qNX.B...7E4...-[...;Z....,..
>x..K......r....-x..8.2)...W..M ....j..s.Y_....V6......e...........
...2..%....aq.U..!...r...b.>.'....3..........jT...H.=......


GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT

If-None-Match: "a413fc3b169cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT

Accept-Ranges: bytes

ETag: "dde36a309c58d01:0"

Server: Microsoft-IIS/8.0

VTag: 438569342300000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Wed, 15 Apr 2015 02:51:25 GMT

Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......40... .....7......15060
4224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL..
"k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA
.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3..
.v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<
;~..v.w....


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT

If-None-Match: "87fbb3811f68cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT

Accept-Ranges: bytes

ETag: "cf2633d6957d01:0"

Server: Microsoft-IIS/8.5

VTag: 438481415700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Wed, 15 Apr 2015 02:51:25 GMT

Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......20... .....7......150602222607Z0...*.
H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..)......
...._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j
...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<
.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P
.#..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=551815, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 12:05:24 GMT

Expires: Tue, 21 Apr 2015 12:05:24 GMT

Date: Wed, 15 Apr 2015 02:52:30 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
4120524Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^[email protected]...*.H........
.....I....V.W.{..^>..#./.......%.....w..k8..........W........../P..
............Y.?F/..'[email protected]!.p(.~Rx.........P.....(.ftCy.
...?.....7 ..:..l....f..|]...K......S"h.{V1?..K.1..n.`.H.p .......,..1
.........\..Vl...L.u.0......Y.).N.<.1........r.....Q.....#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>

GET /aff_setup.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: cdn.backupgrid.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 15 Apr 2015 02:48:55 GMT

Content-Type: application/octet-stream

Transfer-Encoding: chunked

Connection: keep-alive

x-amz-id-2: anR9HUoOMrBxJsv8rYV6HyE1PYWBM5fKI67JOW9Tc8613XuTvoQEdNhdH4sYmkim9K/Xad7PP88=

x-amz-request-id: 9AEF7D8D6192CF39

Last-Modified: Wed, 15 Apr 2015 02:22:52 GMT

ETag: W/"1880b2782d67fd2a085fb7d100dac569"

Server: NetDNA-cache/2.2

X-Cache: HIT

Content-Encoding: gzip
500a..............{|T..?...0...$. ...........@&....2...1..3.$f.....8..
..k{l....4...z...b....$(*...........i.......L@O{....{?..'......Z.Y.m=.
.w..yV0..`DPUA..........F..[^.-.........&.................u..q..A..V.Z
..vY..Uzg...d.....e.<&V...&..........o...J<'.}.z ..y.'..... D...
....%.$a....J...f.(]. <......y.........zm...t.C...*D...8....*....2.
=AA.K..A..."./...a...G..$.&.....Cx=....1.g...f5T.K.........U......,.L.
<.z.Da*.&.......U..<.....`........4.m.Z$...............%.....`c.
Y..o..H....2-J..b..Zdt..E.SU..f.x..D.@2\n%....c...(Z...._.9R...Z^)....
..OP&..P7 ..y_.r.>...R.S...f..:..C.../.....P..Y.}KK./.3C...JPc.....
r..%..p....L.}.Q.aG.3T<.f,B7AG.1.Hwj.......UNWO........7...|r.*y..s
..%...A..DiL..<]...M][email protected]".QOk....s.TQxt.r3*y..(...N
.ID..Ym.<z..EP.d...........P[.GY.7...K.........(./P..>J..B.I1.t.
%...I..Fi....-G%k.2.i.G).....Pg{/.Y.D5....X....F..^.L)1...W.P.2....5|.
.....J.i.^..[.*%g.X.*2.ep$........LSx.N1..)>.r.SP..Fy.@.]2....N...g
....$jA9....."G...`.. }.l.....R.=.....8.5xT.Zj..7L..m x.....I.aF.i.(..
...6.....|cH2..b...!}Q............R.HZ..!Hn.s..G.O(....c.v&7Sz(.}.C.!j
.......&.....%...w..x.x....?...U..M.V:.s.......MGx..7..{_J....A#.hm...
..c6.Ja..%[email protected]..^..X"[email protected]......".....:.........V...:.i..F
{Ql.".m./.3.% U...%]xd.....Sx..e.m.e..s...S.......i....4~..Y.VP.[c.#..
4.....jX5.....2$...s.sT!DM.2....&O.....U..S_.T).QJ.*.).A..>..R:?N1.
..........`..............*2.WV..3..2..gv.}..`:zV...G.......WPQ..V.r.r.
[.t.iPS5....[6hn.j...a....#..}.*d.o.[\D.[..n............T\}.....z7
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1552

content-transfer-encoding: binary

Cache-Control: max-age=552895, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 12:25:08 GMT

Expires: Tue, 21 Apr 2015 12:25:08 GMT

Date: Wed, 15 Apr 2015 02:52:31 GMT

Connection: keep-alive
0..........0..... [email protected]
4122508Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.
8........c..uU..$.;.....20150414122508Z....20150421122508Z0...*.H.....
........nr.3...bK.....r.......e....A...tF..uTPG..5.....R.4..........U.
...>{.p.....g......Qz....G...r.....e.....$..Om.3.r....m...........h
..Ra>F..P..z.........j..........U.Y.Cppv..B...V...Z.ka0.w.T.....l..
*.....9.=n......p... ..o..../j....9V....J.t*....J.W*..B'.......50..10.
.-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Auth
ority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only
1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.
0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Ne
twork1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 3
0.."0...*.H.............0..........6..]......w';.r........I..c..4.... 
.........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..
a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G..
...I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B...
..=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. 
.........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.
com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0..
.0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.
*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=601588, public, no-transform, must-revalidate

Last-Modified: Wed, 15 Apr 2015 01:55:09 GMT

Expires: Wed, 22 Apr 2015 01:55:09 GMT

Date: Wed, 15 Apr 2015 02:52:31 GMT

Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....2015041
5015509Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#.
...M....=....x..":...K.....20150415015509Z....20150422015509Z0...*.H..
.............ny.*..<biwZX.....V....$`*...Y.Hs.....?./k.7.....i...R.
rW.FxvW6D...0}.-.a.......>....~NG.M...T....y.....Q..A3..........)..
..D.........j..'ox...q@.}.....9;d....6n.."....`#Su1V(.H......).EU%.eO.
.........h..)G.). .\:......R...T..Ip.=f.h6..]......../.....A.......0..
.0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of
 use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Cla..

POST /v1/track HTTP/1.1

Accept-Encoding: identity

Content-Length: 111

Host: tracking.uniblue.com

Content-Type: application/json

Connection: close

User-Agent: Python-urllib/2.7

{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_completed", "client_id": ""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:32 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: Close
{.  "status": "OK".}..

GET /MyPCBackup_ppi_Setup.exe HTTP/1.0

Host: cdn.backupgrid.net

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Date: Wed, 15 Apr 2015 02:48:59 GMT

Content-Type: application/octet-stream

Content-Length: 1119486

Connection: close

x-amz-id-2: B2Z6KnHVyIRktoKQruR3484H8tUq eQY r8AbD5BtFthUxD2LTN49un8X3yTRASaK5dxCU0vrSc=

x-amz-request-id: B93EA96792185D31

Last-Modified: Tue, 14 Apr 2015 23:57:04 GMT

ETag: "c40ba3b952382be22efdb2ce180b5233"

Server: NetDNA-cache/2.2

X-Cache: HIT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i
u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...^.
.K.................b...........6............@.........................
.P.......................................................p............
......................................................................
.............................text....a.......b.................. ..`.r
data...............f..............@[email protected]..........
[email protected]........
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected]...\.@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
[email protected]...`[email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] ...Pj.h.[[email protected].@._^3.
[.....L$..(cB...Si.....VW.T.....tO.q.3.;5,cB.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5,cB.r._^[...U..QQ.U.SV..i....
<<< skipped >>>

GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0

Host: track.backupgrid.net

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 301 Moved Permanently

Date: Wed, 15 Apr 2015 02:49:17 GMT

Server: Apache

Set-Cookie: SESSID=3esumcv6st2sv6bl836ot9ran6; path=/; domain=.backupgrid.net

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net

Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net

Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net

Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net

location: hXXp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe

Content-Length: 0

Content-Type: text/html; charset=UTF-8

POST /v1/track HTTP/1.1

Accept-Encoding: identity

Content-Length: 111

Host: tracking.uniblue.com

Content-Type: application/json

Connection: close

User-Agent: Python-urllib/2.7

{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_initiated", "client_id": ""}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:28 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: Close
{.  "status": "OK".}..

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1f09e3a75e6cdb42 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT

If-None-Match: "0af536cf2ce1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

Accept-Ranges: bytes

ETag: "804047d4e66d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6384

Date: Wed, 15 Apr 2015 02:51:24 GMT

Connection: keep-alive
MSCF............,...................O........"........wFK. .disallowed
cert.stl.j......"CK...8T...g...d.B..1.Z.N.Y.Vv..[..".B.ml..e....$[....
DZ......=.../..>.....f..9.=g......{...Nr*.(...:(..H.l$..0(.E.P..I..
a\d....$.. ."..Yj([email protected]\ ....7.....q..C.H.>...$D..G....
@.H.4...DQ...F..vh.Uf>.A.........,......a.>p.3.Qx..u....... _.o.
 .D.9<..Y..-.H4W..Y......... .....}A6~.P*..V7....w.FS..:......5...P
.r. ....8.J6.,.OK>%g.d..ozf"C.....N<qM.Y.Ez;.sh.C....LgM..p...pv
.............|.>[..p.K..86.dJ.I..g./.}."6Y,.....j:@W_6.R.t..n....sW
.|......E<.a..H.u..sC.......J?.-g........J.b.w....s.=..p..#..J.....
W.....&....}%.cu ;...#.z.y....(."..a.5.... .../..o/..., .7...>.....
Y..:#cF..../.....e...d.S....&...7>...A.%...r...t...(..s {...^...6.a
..A...d..6.xA.....q.... ..lq.|.c..!)..\.....|.t..K...u...9j@.?.....R..
.....FA6._Sb..w.j........o......z..U.$..~.2.=.%..cE.j..-uew..]b.......
.......A.8.Y..[..2..>......S1...|...x.}.P...f..3.J-..s.0...~...=h..
.4\.'..F.P.l.v"<."...\[email protected][email protected]\.2|.... ...
G.......2....!...._..i.`-2*...rq......}..e..B..Sp..c......l..-E..,..N.
...pI/f9..}.J...b.tg.(.Wl.`....3..9.j.R...z.tS......)*K0.m.sk7........
._....m.p!.......f..8..I.u1.'5ro....q...........o..A...r..x....4...w..
../..h.<pX=.u.r.djAb..W..\....&...,...... vK..[5....<..A=.qi.i.=
.28K.............j...;.-X. ....u7L.U\wB.H.1..d.$.9B...0..4I..eJ|....V 
P.....R(.I...;".7A...L..X.&.A.Bmv.........b$i..R.P.9..{z..x.n.P......x
.z:...<}.<}N.\H...$..p.}..;..\.].N....}.|q.G\Ho.j../IS1.,.B.
<<< skipped >>>

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 141

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.third_party_offer_not_shown","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:59 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:59 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 129

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:01 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:52:01 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 130

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:17 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:52:17 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 131

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_completed","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:25 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:52:25 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..

GET /pm/version.txt?from=1.0.5.0 HTTP/1.1

Accept-Encoding: identity

Host: update.uniblue.com

Connection: close

User-Agent: Python-urllib/2.7

HTTP/1.1 302 Found

Cache-Control: max-age=600

Content-Type: text/plain

Date: Wed, 15 Apr 2015 02:49:16 GMT

Location: hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt

Server: openresty/1.5.8.1

Content-Length: 69

Connection: Close
hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt.
.

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 132

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_accepted","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:20 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:20 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 143

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_download_initiated","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:09 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:52:09 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 132

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_included","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:09 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:09 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 130

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_shown","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:15 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:15 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 133

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_accepted","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:20 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:20 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 142

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_started","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:21 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:21 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..
..


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 142

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_download_initiated","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:09 GMT

Server: ngx_openresty/1.2.6.6

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:52:09 GMT..Server: ngx_openresty/1.2.6.6..Con
tent-Length: 20..Connection: keep-alive..{.  "status": "OK".}..

GET /api/v1/geo/country-code HTTP/1.1

Accept-Encoding: identity

Host: VVV.uniblue.com

Connection: close

User-Agent: Python-urllib/2.7

HTTP/1.1 200 OK

Cache-Control: max-age=7200

Content-Type: text/plain

Date: Wed, 15 Apr 2015 02:49:17 GMT

Server: ngx_openresty

Content-Length: 3

Connection: Close
UA...

GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: download.uniblue.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Date: Wed, 15 Apr 2015 02:48:26 GMT

Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe

Server: openresty/1.5.8.1

Content-Length: 166

Connection: keep-alive
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>openresty/1.5.8.1&
lt;/center>..</body>..</html>..HTTP/1.1 302 Moved Tempo
rarily..Content-Type: text/html..Date: Wed, 15 Apr 2015 02:48:26 GMT..
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcme
chanicpm-standalone-setup.exe..Server: openresty/1.5.8.1..Content-Leng
th: 166..Connection: keep-alive..<html>..<head><title&g
t;302 Found</title></head>..<body bgcolor="white">..
<center><h1>302 Found</h1></center>..<hr>
;<center>openresty/1.5.8.1</center>..</body>..</h
tml>....

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=400136, public, no-transform, must-revalidate

Last-Modified: Sun, 12 Apr 2015 18:00:33 GMT

Expires: Sun, 19 Apr 2015 18:00:33 GMT

Date: Wed, 15 Apr 2015 02:52:13 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
2180033Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20150412180033Z....20150419180033Z0...*.H........
.....i...h.Z.RiX ..=....~.L....... [email protected].
kX....].H....F..#...T...YaR.....t(...<.b<YF.E.3...o.Sh]...gL....
4p.*..,O.d....px%.i..{...^.s.._.x.=..Q..q.."X.5..%:.......&&M]S...b-.`
<.f..|....$..$.JJ..6....K.y.m...(.fH..>...A.e).Z_.L..O..1...#0..
.0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of
 use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 
Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US
1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2T
erms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSig
n Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.
............m5*R........2....>...yU4..L.. ...........u..Hez..Pn....
.d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i
..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....
&."...:.C.Q.i~rl..<..krS..8.B..o][email protected].
..0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://ww
w.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CP
S incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0
...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010
<<< skipped >>>

POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 123

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:39 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:39 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 129

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_shown","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:45 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:45 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 122

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:51:49 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:51:49 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....


POST /v1/collect HTTP/1.1

Connection: Keep-Alive

Content-Type: application/json; Charset=UTF-8

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Content-Length: 144

Host: tracking.uniblue.com

{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_completed","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK

Content-Type: application/json

Date: Wed, 15 Apr 2015 02:52:24 GMT

Server: ngx_openresty

Content-Length: 20

Connection: keep-alive
{.  "status": "OK".}HTTP/1.1 200 OK..Content-Type: application/json..D
ate: Wed, 15 Apr 2015 02:52:24 GMT..Server: ngx_openresty..Content-Len
gth: 20..Connection: keep-alive..{.  "status": "OK".}....

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com

HTTP/1.1 200 OK

Server: Apache

ETag: "4313801b45e80b5b006d195679f28274:1427247615"

Last-Modified: Wed, 25 Mar 2015 01:40:15 GMT

Date: Wed, 15 Apr 2015 02:52:10 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..150318000000Z..150
630235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H..............aI...vc...*.d...i...M
F..8.........._4h.. ..'mY%...Mt...6.FK.". ..h.G#.0.$ .?.x8)....T.pQB..
..Y......9.j...T.}.r.....z.......h.HTTP/1.1 200 OK..Server: Apache..ET
ag: "4313801b45e80b5b006d195679f28274:1427247615"..Last-Modified: Wed,
 25 Mar 2015 01:40:15 GMT..Date: Wed, 15 Apr 2015 02:52:10 GMT..Conten
t-Length: 933..Connection: keep-alive..Content-Type: application/pkix-
crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.17
05..U....Class 3 Public Primary Certification Authority..150318000000Z
..150630235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....
{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q
.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=347790, public, no-transform, must-revalidate

Last-Modified: Sun, 12 Apr 2015 03:24:51 GMT

Expires: Sun, 19 Apr 2015 03:24:51 GMT

Date: Wed, 15 Apr 2015 02:52:09 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015041
2032451Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150412032451Z....20150419032451Z0...*.H........
.....fqZ.m..:.1..o.2.-......K..v....oAJu. /_#.$...X ..O..z........:F.I
#$W.~.T|.f........Nt...P.=.`.i|..'.B....w.S..l.bp.;.W...@=.yCU./z&`...
.w.K5.}..........8..jq.6.....|..f..*...0c.#..A...[........v6../8...".u
.3o.`.4.Q.0e... ...d.w..c.N. ..4..!........8..&y>.g....0...0...0..3
......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSi
gn, Inc.1705..U....Class 3 Public Primary Certification Authority0...1
41202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corpora
tion1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA -
 G1 OCSP Responder Certificate 30.."0...*.H.............0..........'..
....Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).
....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p.
.^|o....S..v.).)[email protected]#qh...u1T.].G0.]E...=._..
.... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. 
.e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. ....
...0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0..
. .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$
..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D..
.........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,.
...
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=381927, public, no-transform, must-revalidate

Last-Modified: Sun, 12 Apr 2015 12:55:22 GMT

Expires: Sun, 19 Apr 2015 12:55:22 GMT

Date: Wed, 15 Apr 2015 02:52:10 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
2125522Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150412125522Z....20150419125522Z0...*.H........
......BU$.cve..io'...N..O.....X4...6.>...3...._.y....U...>{....~
.9.6.M.I..^..X.K..'.........zM......<........E....4ob/.)*....G\.L;O
..H.../......XG.L9....%*.%.0.yS......q...J4.....M...oU2.x.......e.!...
...E=....O..#.i..!."....L!..L:a....z.T.$.......O...U....7y.F...#0...0.
..0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Cod
e Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0
...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Term
s of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign C
lass 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0....
.........m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d.
..nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F
*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."
...:.C.Q.i~rl..<..krS..8.B..o][email protected]
...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.v
erisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS i
ncorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...
U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...
<<< skipped >>>

GET /api/v1/geo/country-code HTTP/1.1

Accept-Encoding: identity

Host: uniblue.com

Connection: close

User-Agent: Python-urllib/2.7

HTTP/1.1 301 Moved Permanently

Content-Type: text/html

Date: Wed, 15 Apr 2015 02:49:17 GMT

Location: hXXp://VVV.uniblue.com/api/v1/geo/country-code

Server: ngx_openresty

Content-Length: 178

Connection: Close
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx</center>..</body>..</html>....

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=536559, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 07:54:56 GMT

Expires: Tue, 21 Apr 2015 07:54:56 GMT

Date: Wed, 15 Apr 2015 02:52:17 GMT

Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
4075456Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150414075456Z....20150421075456Z0...*.H........
[email protected]...>5...B.hdp.~..$9...d...Tx\.....<9i..m?...W..!.#..
...b...4.e...:..3...6p.L.U...s.y.8.....(e.. ........,....-.C.........)
.6..qb..E..B.. .aJ....So.^.U...{.z.GD5..}0...z.M..'...i5...m.)L.qT....
op....P|'S..7.......U.P..6.{jk..z.J..-.9d.."[...u05.WE}_....#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>

GET /latest_updates/application.txt HTTP/1.1

Accept-Encoding: identity

Host: pm.uniblue.com.s3.amazonaws.com

Connection: close

User-Agent: Python-urllib/2.7

HTTP/1.1 200 OK

x-amz-id-2: SoJghxWLedS/9C4NrB7rOj0hzmQ7JK8P9h/Vqt2M51Pf4Fs8aGl3xt6XoK68r6U7aSuQtVdQzgQ=

x-amz-request-id: 3464D2CED7A40B3E

Date: Wed, 15 Apr 2015 02:49:18 GMT

Cache-Control: max-age=86400, public

Last-Modified: Tue, 24 Mar 2015 09:46:29 GMT

ETag: "7afc8227ca4783a30e4f834d1815a2fe"

Accept-Ranges: bytes

Content-Type: text/plain

Content-Length: 7

Server: AmazonS3
1.0.5.0..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=566269, public, no-transform, must-revalidate

Last-Modified: Tue, 14 Apr 2015 16:10:00 GMT

Expires: Tue, 21 Apr 2015 16:10:00 GMT

Date: Wed, 15 Apr 2015 02:52:11 GMT

Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20150414161000Z0s0q0I0... ........
[email protected].!......Q...==d6|h.[x....7..`..........cV.!.....201504
14161000Z....20150421161000Z0...*.H.............d.9. SV.a)Jt..5..\..qe
.`8..C!yX.OY.~Y<...p.|.5*..U.p.:1....h....V. 3#`..&\.Z.o.DI{...rCJ.
W.2.dS....YZS..y.......Lb..&........Y..6uc....s....U.Z.....J.V.]...W.$
........$D..02&.L&L..F/P........|.a.?. SN..^.........hh.9........@..*P
.8...M`......KX[....z...r......0...0...0..{.........[..I|.....Zm..0...
*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSig
n Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa
 (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000000
Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCS
P Responder0.."0...*.H.............0.........Y....h..@..>.....%.-..
...O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f..;
]s!.\"v...|....][email protected]. ..W....n..*..-
f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6....
.[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... ...
....0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#.. 
.........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rp
a0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o...
0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo......E.
....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|..........k
<<< skipped >>>

GET /v1/geo/country-code HTTP/1.1

Accept-Encoding: identity

Host: api.uniblue.net

Connection: close

User-Agent: Python-urllib/2.7

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Date: Wed, 15 Apr 2015 02:52:40 GMT

Location: hXXp://uniblue.com/api/v1/geo/country-code

Server: nginx/1.1.19

Content-Length: 161

Connection: Close
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx/1.1.19</c
enter>..</body>..</html>....

GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Connection: Keep-Alive

Host: d21bsqatndqkg8.cloudfront.net

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 18839984

Connection: keep-alive

Date: Wed, 18 Mar 2015 10:47:04 GMT

Cache-Control: max-age=86400, public

Last-Modified: Wed, 18 Mar 2015 10:32:55 GMT

ETag: "6843e5f8e199b000decdb9ef0cb74b3f"

Accept-Ranges: bytes

Server: AmazonS3

Age: 70625

X-Cache: Hit from cloudfront

Via: 1.1 3634ed11ef3267122afd0504d98e1154.cloudfront.net (CloudFront)

X-Amz-Cf-Id: zs_A_t7uG_wvmesVxe0Cn64uv7H25O7VX_HWxljXIFa4km12Jrc50w==
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....WZR............
......................... [email protected]............
[email protected]`..h.......
......................................................................
...............text...,........................... ..`.itext..D.......
.................... ..`.data........ [email protected]..
...V...0...........................idata..............................
@....tls.....................................rdata....................
..........@[email protected]................ ..............@..@................
....................@..@..............................................
......................................................................
[email protected]............
@...string([email protected]......@...............................@.....
.... 9@.([email protected]@[email protected]@[email protected]@..9@.,[email protected]@[email protected].%..A....%..A.
...%..A....%..A....%..A....%..A....%(.A....%..A....%$.A....%..A....%..
A....%..A....%..A....%..A....%|.A....%x.A....%t.A....%p.A....%l.A....%
h.A....% .A....%d.A....%`.A....%\.A....%..A....%..A....%..A....%X.A...
.%T.A....%..A....%..A....%..A....%P.A....%L.A....%H.A....%D.A....%@.A.
..S..........$D...T.J....D$,.t...\$0....D[..@..%<.A....%8.A....
<<< skipped >>>

The Worm connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

tCPV

USER32.dll

MSVCR90.dll

_amsg_exit

_acmdln

_crt_debugger_hook

GetProcessHeap

KERNEL32.dll

windows_exe

%s\%s

PYTHON27.DLL

zlib.pyd

ZLIB.PYD

<zlib.pyd>

Not enough space for new sys.path

no mem for late sys.path

PY2EXE_VERBOSE

PyImport_ImportModule

PyExc_ImportError

PyImport_AddModule

undefined symbol %s -> exit(-1)

Importer which can load extension modules from memory

s#sss:import_module

MemoryLoadLibrary failed loading %s

Could not find function %s

import_module

import_module(code, initfunc, dllname[, finder]) -> module

_memimporter

%Program Files% (x86)\Uniblue\PC-Mechanic\library.dat

%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe

%Program Files% (x86)\Uniblue\PC-Mechanic

pc-mechanic.exe

library.dat

windows_exet

.logc

The logfile '%s' could not be opened:

See the logfile '%s' for details(

%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyR

%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyt

zipextimportert

<install zipextimporter>R$

library.dats

app.main(

joint

__import__t

bootstrap_main.pyR$

332222##

%%cxaax

`>>>>=>`

\4544545454545444

C.yLF

<asmv3:windowsSettings

xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />

<assemblyIdentity type='win32' name='Microsoft.VC90.CRT' version='9.0.21022.8' processorArchitecture='x86' publicKeyToken='1fc8b3b9a1e18e3b' />

<!--Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!-- Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

1.0.5.0

pc-mechanic.exe_2024_rwx_2530A000_000F5000:

-Vh}o

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   aff_setup.exe:2808
   thirdpartyinstaller.exe:1176
   %original file name%.exe:2008
   8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220
   pm-standalone-setup.exe:2420
   pm-standalone-setup.tmp:888
   dd2a5f4929d14f419028f48e1839521d766015.exe:1632
   OLBPre.exe:2904
   pc-mechanic.exe:2708

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\NSISdl.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_1405.pdf (784 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (347 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd2a5f4929d14f419028f48e1839521d766015.exe (91153 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsRandom.dll (808 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_1628.txt (784 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsJSON.dll (15 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw93A9.tmp (7291 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\LogEx.dll (1597 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_8198.dat (784 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (176 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-3OBPR.tmp\8f0dd6d56f6866b5ed1effe628d7c71b.tmp (50 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\InstallerExtensions.dll (715 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\myPCBackup_dot_com_logo_245x53.bmp (39 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\aff_setup[1].exe (42672 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_setup64.tmp (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\uniblue_product_logo_50x50_white_background.bmp (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\license.en.rtf (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\printer.bmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\checkmark_10x8.bmp (310 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\banner_icon.bmp (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\pcmechanicpm-standalone-setup[1].exe (5665064 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\pm-standalone-setup.exe (5425549 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #001.txt (23254 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\windows8_with_innovation.bmp (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_shfoldr.dll (47 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\microsoft_partner.bmp (53 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J194S.tmp\pm-standalone-setup.tmp (50 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-L5TB4.tmp (1281 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-D42IV.tmp (20504 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-VO3E7.tmp (35285 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-LQCTJ.tmp (114305 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-T38DQ.tmp (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp (4 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-4VGDV.tmp (197872 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-8MILD.tmp (1281 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2BQ2S.tmp (1281 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-81TR2.tmp (3361 bytes)
   C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-C2PRA.tmp (13 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-G88F5.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-MALHE.tmp (601 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-KQQMD.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1EKH1.tmp (1281 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-65M8L.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-BQT7R.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-1MPBL.tmp (4 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-3U8HG.tmp (1281 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-1HAGF.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-8UFQG.tmp (75544 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-TT2MJ.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #002.txt (460554 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-KV1T1.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-03EBF.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-BI3OR.tmp (1281 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-I7C42.tmp (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-K89A0.tmp (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\license.en.rtf (26 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-4O73U.tmp (4545 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-1NT3A.tmp (524 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-DG0QA.tmp (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-0LHNU.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-JJR23.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-277QT.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\windows8_with_innovation.bmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-LQ5K1.tmp (11 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4UCCP.tmp (112 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-NRGN6.tmp (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-E9LUF.tmp (10 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-N1UL8.tmp (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\InstallerExtensions.dll (715 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_setup64.tmp (6 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-ETSB4.tmp (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-73U4E.tmp (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-4B2SS.tmp (601 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-48U0H.tmp (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-IGR6O.tmp (28498 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2B2SF.tmp (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_shfoldr.dll (47 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\is-8GN06.tmp (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\printer.bmp (1 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-94UBV.tmp (1281 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-RVIJM.tmp (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsExec.dll (14 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsSCM.dll (13 bytes)
   %Program Files% (x86)\OLBPre\it_IT.mo (1856 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsRandom.dll (808 bytes)
   C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
   %Program Files% (x86)\OLBPre\uninst.exe (1026 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw9FD9.tmp (54650 bytes)
   %Program Files% (x86)\OLBPre\de_DE.mo (1856 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\AccessControl.dll (20 bytes)
   %Program Files% (x86)\OLBPre\es_ES.mo (1856 bytes)
   %Program Files% (x86)\OLBPre\OLBPre.exe.config (203 bytes)
   %Program Files% (x86)\OLBPre\fr_FR.mo (1856 bytes)
   %Program Files% (x86)\OLBPre\pt_PT.mo (1856 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\DotNetChecker.dll (1597 bytes)
   %Program Files% (x86)\OLBPre\brand.jdat (17848 bytes)
   %Program Files% (x86)\OLBPre\LinqBridge.dll (1856 bytes)
   %Program Files% (x86)\OLBPre\state.jdat (428 bytes)
   %Program Files% (x86)\OLBPre\aff.jdat (140 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6914 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (825 bytes)
   C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
   %Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
   C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
   C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
   
   [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
   "Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
   
   [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
   "Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
   
   [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
   "SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
   
   

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.