mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6370fab243594f9a469c66fe6f14eeb3
SHA1: 51eeabf89ea1332a16e1ae16a705c14cdf3baec5
SHA256: 1d154e2c7506ab7c712fe716cc9a72825282622887a83586999a2545c9dd64ad
SSDeep: 24576: xGPhqy1fkXC6jWqMPP8iJUFN1aJ0gt6UKqicrN7L6:D5qrC35JMmh5Li2dL6
Size: 1079304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2013-10-13 11:19:32
Analyzed on: Windows7Ada SP1 64-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. In this run the sample behaves as a bundling installer: an Inno Setup package for Uniblue PC Mechanic (Publisher "Uniblue Systems Limited", InstallerBuiltWithOffers = 1) that downloads pcmechanicpm-standalone-setup.exe and an NSIS-built "offer" installer, aff_setup.exe, which in turn installs MyPC Backup (OLBPre) with a Startup-folder shortcut. PC Mechanic itself registers three PC-Mechanic scheduled tasks under C:\Windows\Tasks and a pc-mechanic: URL protocol whose handler passes the invoking URL to pc-mechanic.exe as --serial=%1, so any page that opens such a URL can start the program with a caller-chosen argument. The details are in the sections below.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
aff_setup.exe:2456
thirdpartyinstaller.exe:2104
f17163569e4a465daf3b6da720d89cfd453527.exe:3016
%original file name%.exe:544
pm-standalone-setup.exe:2384
pm-standalone-setup.tmp:3036
6370fab243594f9a469c66fe6f14eeb3.tmp:1912
OLBPre.exe:1996
pc-mechanic.exe:2092
The Malware injects its code into the following process(es):
pc-mechanic.exe:1464
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process aff_setup.exe:2456 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_1631.pdf (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_7303.dat (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f17163569e4a465daf3b6da720d89cfd453527.exe (70731 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8278.tmp (7055 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8279.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_5491.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (347 bytes)
The process thirdpartyinstaller.exe:2104 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (159 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)
The process f17163569e4a465daf3b6da720d89cfd453527.exe:3016 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files% (x86)\OLBPre\es_ES.mo (1856 bytes)
%Program Files% (x86)\OLBPre\it_IT.mo (1856 bytes)
%Program Files% (x86)\OLBPre\pt_PT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\OLBPre\uninst.exe (1026 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\OLBPre\de_DE.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\AccessControl.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe.config (203 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe (35833 bytes)
%Program Files% (x86)\OLBPre\fr_FR.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\OLBPre\brand.jdat (17848 bytes)
%Program Files% (x86)\OLBPre\LinqBridge.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB2.tmp (53436 bytes)
The process %original file name%.exe:544 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4UT2U.tmp\6370fab243594f9a469c66fe6f14eeb3.tmp (50 bytes)
The process pm-standalone-setup.exe:2384 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1H51R.tmp\pm-standalone-setup.tmp (50 bytes)
The process pm-standalone-setup.tmp:3036 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files% (x86)\Uniblue\PC-Mechanic\is-DO5B8.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-GQQ2S.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4809N.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-TC6LJ.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\license.en.rtf (26 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-VIO38.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-MT98U.tmp (1281 bytes)
C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SCO1H.tmp (11 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-JQ4AC.tmp (28498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\windows8_with_innovation.bmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-HM56Q.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-P9UK8.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8MS6Q.tmp (197872 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-48GAC.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\InstallerExtensions.dll (715 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-5C6PO.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-63GPD.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-NQ169.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe (49 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-L6MCH.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-NUFSC.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-NA0D6.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-H6F47.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-O9S12.tmp (112 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0HCFP.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-GNJ87.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-KOCF3.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-89JUT.tmp (20504 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-UA41N.tmp (3361 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-B3VTK.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-5KR80.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-IAB01.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-SL1JH.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-I4BQB.tmp (524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-5F093.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1HFMO.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4922V.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-NC1C1.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-98M57.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-F6R1G.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-S6O40.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-KCV9H.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-0FK39.tmp (114305 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-374C7.tmp (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DCEN2.tmp\printer.bmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-0VG09.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-340GT.tmp (10 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-DD808.tmp (35285 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-HBFA9.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-20 #002.txt (455577 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-KQIUT.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-NQ7OO.tmp (601 bytes)
The process 6370fab243594f9a469c66fe6f14eeb3.tmp:1912 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\pm-standalone-setup.exe (103056 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\windows8_with_innovation.bmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (5514 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\myPCBackup_dot_com_logo_245x53.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\pcmechanicpm-standalone-setup[1].exe (1515154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\aff_setup[1].exe (18697 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\microsoft_partner.bmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\uniblue_product_logo_50x50_white_background.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-20 #001.txt (23254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\checkmark_10x8.bmp (310 bytes)
The process OLBPre.exe:1996 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files% (x86)\OLBPre\state.jdat (428 bytes)
%Program Files% (x86)\OLBPre\aff.jdat (140 bytes)
The process pc-mechanic.exe:1464 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (7006 bytes)
The process pc-mechanic.exe:2092 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (2183 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6125 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)
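The file-activity records above give, for each process, the files it wrote, but the report never names parent PIDs, so the order in which the installers ran has to be reconstructed: each process image is linked back to the process that wrote a file of that name. The Python below, added here as an example and not part of the Lavasoft report, does that over an excerpt of the section above (copied from the report, with the non-executable drops omitted). Where two processes wrote the same name (6370...tmp:1912 wrote 5514 bytes to Uniblue\Offers\aff_setup.exe and thirdpartyinstaller.exe:2104 later wrote 159 bytes to it) the larger write is taken as the drop; that choice is an assumption of the example, not something the report states.

```python
import re
from collections import defaultdict

# Excerpt of the File activity section of the report (copied from the page;
# only the process headers and the executable, shortcut and task drops are kept).
REPORT_EXCERPT = r"""
The process aff_setup.exe:2456 makes changes in the file system.
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f17163569e4a465daf3b6da720d89cfd453527.exe (70731 bytes)
The process thirdpartyinstaller.exe:2104 makes changes in the file system.
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (159 bytes)
The process f17163569e4a465daf3b6da720d89cfd453527.exe:3016 makes changes in the file system.
%Program Files% (x86)\OLBPre\OLBPre.exe (35833 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
The process %original file name%.exe:544 makes changes in the file system.
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4UT2U.tmp\6370fab243594f9a469c66fe6f14eeb3.tmp (50 bytes)
The process pm-standalone-setup.exe:2384 makes changes in the file system.
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-1H51R.tmp\pm-standalone-setup.tmp (50 bytes)
The process pm-standalone-setup.tmp:3036 makes changes in the file system.
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
The process 6370fab243594f9a469c66fe6f14eeb3.tmp:1912 makes changes in the file system.
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\pm-standalone-setup.exe (103056 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (5514 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe (98 bytes)
The process OLBPre.exe:1996 makes changes in the file system.
%Program Files% (x86)\OLBPre\state.jdat (428 bytes)
The process pc-mechanic.exe:2092 makes changes in the file system.
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
"""

PROC_RE = re.compile(r"^The process (?P<image>.+?):(?P<pid>\d+) makes changes in the file system\.$")
FILE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")


def parse_file_activity(text):
    """Return {(image, pid): [(path, size), ...]} from report-style lines."""
    writes = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            current = (m["image"], int(m["pid"]))
            writes.setdefault(current, [])  # keep processes even if no drop of theirs was kept
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            writes[current].append((m["path"], int(m["size"])))
    return dict(writes)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def drop_chain(writes):
    """Map each process to the process that wrote its image file.

    The report names no parent PIDs, so the link is made on file name alone.
    When several processes wrote the same name, the largest write is taken as
    the drop (assumption: the later 159-byte write to aff_setup.exe by
    thirdpartyinstaller.exe updates a file 6370...tmp had already dropped).
    """
    writers = defaultdict(list)  # basename -> [(size, (image, pid))]
    for proc, files in writes.items():
        for path, size in files:
            writers[basename(path)].append((size, proc))
    chain = {}
    for proc in writes:
        candidates = [c for c in writers.get(proc[0].lower(), []) if c[1] != proc]
        if candidates:
            chain[proc] = max(candidates)[1]
    return chain


def lineage(chain, proc):
    """Root-to-leaf list of the processes that led to `proc`."""
    path, seen = [proc], {proc}
    while path[-1] in chain and chain[path[-1]] not in seen:
        path.append(chain[path[-1]])
        seen.add(path[-1])
    return path[::-1]


if __name__ == "__main__":
    writes = parse_file_activity(REPORT_EXCERPT)
    chain = drop_chain(writes)
    for proc in sorted(writes):
        print(" -> ".join(f"{img}:{pid}" for img, pid in lineage(chain, proc)))
```

Run stand-alone it prints one line per process, from the original sample down to pc-mechanic.exe:2092 on one branch (via 6370...tmp, pm-standalone-setup.exe and pm-standalone-setup.tmp) and to OLBPre.exe:1996 on the other (via 6370...tmp, aff_setup.exe and f171...exe), which is the Uniblue-installer-plus-offer structure the rest of the report describes.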
Registry activity
The process f17163569e4a465daf3b6da720d89cfd453527.exe:3016 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayVersion" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayName" = "MyPC Backup"
"DisplayIcon" = "%Program Files% (x86)\OLBPre\uninst.exe"
"Publisher" = "MyPC Backup"
"HelpLink" = "http://support.mypcbackup.com"
"URLInfoAbout" = "http://www.mypcbackup.com"
"UninstallString" = "%Program Files% (x86)\OLBPre\uninst.exe"
The Malware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process pm-standalone-setup.tmp:3036 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Icon Group" = "Uniblue\PC Mechanic"
[HKCR\pc-mechanic]
"URL Protocol" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"NoModify" = "1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"EstimatedSize" = "62107"
"InstallDate" = "20150420"
"Comments" = "Uninstall PC Mechanic"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"UnitID" = "4250"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MinorVersion" = "0"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"EcommercePlatform" = "cleverbridge"
[HKCR\pc-mechanic\DefaultIcon]
"(Default)" = "pc-mechanic.exe,1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Deselected Tasks" = ""
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe /SILENT"
"DisplayVersion" = "1.0.5.0"
"URLUpdateInfo" = "http://uniblue.com/software/pcmechanicpm/updates/"
"UninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe"
[HKCR\pc-mechanic]
"(Default)" = "URL:PC-Mechanic Protocol"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MajorVersion" = "1"
"DisplayName" = "PC Mechanic"
"Publisher" = "Uniblue Systems Limited"
"HelpLink" = "http://www.uniblue.com/support/manuals/"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallDate" = "2015-04-20"
[HKCR\pc-mechanic\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe --serial=%1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Setup Version" = "5.5.4 (u)"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl" = "http://www.uniblue.com/cm/crosspath/pcmechanicpm/pcm_de02/purchase/"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"URLInfoAbout" = "http://www.uniblue.com/support/"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"lang" = "en"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\PC-Mechanic"
The Malware deletes the following value(s) in system registry:
[HKCR\pc-mechanic]
"URL Protocol"
[HKCR\pc-mechanic\DefaultIcon]
"(Default)"
[HKCR\pc-mechanic]
"(Default)"
[HKCR\pc-mechanic\shell\open\command]
"(Default)"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl"
"InstalledLocation"
The process 6370fab243594f9a469c66fe6f14eeb3.tmp:1912 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallerBuiltWithOffers" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadNetworkName" = "Network 4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "54 05 B2 0D F8 7A D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process pc-mechanic.exe:1464 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"
The report lists the following values under the HKLM Run autorun keys for this process. None of them points at a file the sample created: they are the analysis VM's pre-existing autorun entries for Adobe Reader, Java Update and VMware Tools, so they are not evidence that the sample registered itself to run at boot. The persistence this sample actually establishes is the Startup-folder shortcut MyPC Backup.lnk and the scheduled tasks PC-Mechanic Startup.job, PC-Mechanic Maintenance.job and PC-Mechanic Subscription.job in C:\Windows\Tasks, all recorded under File activity above. The Run values as recorded were:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
The process pc-mechanic.exe:2092 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"
The same four HKLM Run values were recorded for this process. They are the analysis VM's pre-existing autorun entries (Adobe Reader, Java Update, VMware Tools), not files written by the sample; the sample's own persistence is the Startup-folder shortcut and the three PC-Mechanic .job files listed under File activity. The values as recorded were:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
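Whether an autorun entry belongs to the sample is a question of where its target lives: the Run values recorded for pc-mechanic.exe point into Adobe, Java and VMware Tools directories that no process of this sample wrote to, whereas the Startup-folder shortcut and the C:\Windows\Tasks jobs were written by the sample's own processes. The Python below, added here as an example and not part of the Lavasoft report, makes that attribution mechanically: it parses the Run values as printed, takes the executable path out of each command line, and tests it against the directories the sample populated. The Run values and the (path, writer) pairs are copied from this report; the list of autostart locations checked is the example's own and covers only the kinds seen on this page.

```python
import re

# HKLM Run values exactly as printed in the report (copied from the page).
RUN_VALUES = r"""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"""

# (path, writing process) pairs taken from the File activity section of the report.
SAMPLE_WRITES = [
    (r"%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe", "pm-standalone-setup.tmp:3036"),
    (r"%Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe", "6370fab243594f9a469c66fe6f14eeb3.tmp:1912"),
    (r"%Program Files% (x86)\OLBPre\OLBPre.exe", "f17163569e4a465daf3b6da720d89cfd453527.exe:3016"),
    (r'C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk', "f17163569e4a465daf3b6da720d89cfd453527.exe:3016"),
    (r"C:\Windows\Tasks\PC-Mechanic Startup.job", "pc-mechanic.exe:2092"),
    (r"C:\Windows\Tasks\PC-Mechanic Maintenance.job", "pc-mechanic.exe:2092"),
    (r"C:\Windows\Tasks\PC-Mechanic Subscription.job", "pc-mechanic.exe:2092"),
    (r"C:\Users\Public\Desktop\PC Mechanic.lnk", "pm-standalone-setup.tmp:3036"),
]

# Autostart locations considered (the example's own list, limited to the kinds
# seen in this report): a file dropped here runs at logon/boot without a Run value.
AUTOSTART_DIRS = ("\\start menu\\programs\\startup\\", "c:\\windows\\tasks\\")

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<data>.*)"$')
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(\s|$)", re.IGNORECASE)


def norm(path):
    """Lower-case and drop the quotes the report puts around %CurrentUserName%."""
    return path.lower().replace('"', "")


def parse_run_values(text):
    """Return [(key, value name, command line)] from report-style registry lines."""
    key, out = None, []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            out.append((key, m["name"], m["data"]))
    return out


def exe_path(command):
    """First .exe token of a command line ('...\vmtoolsd.exe -n vmusr' -> the path)."""
    m = EXE_RE.match(command.strip().strip('"'))
    return m["exe"] if m else command


def sample_dirs(writes):
    """Directories this sample populated, derived from the paths it wrote."""
    return {norm(p).rsplit("\\", 1)[0] + "\\" for p, _ in writes}


def attribute_autoruns(run_text, writes):
    """A Run value is attributed to the sample only if its target sits in a
    directory the sample wrote to. Returns [(name, normalised target, owned)]."""
    dirs = sample_dirs(writes)
    findings = []
    for _key, name, data in parse_run_values(run_text):
        target = norm(exe_path(data))
        findings.append((name, target, any(target.startswith(d) for d in dirs)))
    return findings


def autostart_drops(writes):
    """Files the sample wrote straight into an autostart location, with the writer."""
    return [(p, who) for p, who in writes if any(d in norm(p) for d in AUTOSTART_DIRS)]


if __name__ == "__main__":
    for name, target, owned in attribute_autoruns(RUN_VALUES, SAMPLE_WRITES):
        print(f"Run value {name!r}: {'SAMPLE' if owned else 'pre-existing'} -> {target}")
    for path, who in autostart_drops(SAMPLE_WRITES):
        print(f"autostart drop by {who}: {path}")
```

Against this report every Run value comes back as pre-existing and four file drops (one Startup shortcut, three .job files) come back as the sample's persistence; a Run value whose command pointed into %Program Files% (x86)\Uniblue\PC-Mechanic\ would be attributed to the sample by the same check.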
Dropped PE files
MD5 | File path |
---|---|
e5cc3997457cd365e43c19f0f9110148 | c:\Program Files (x86)\OLBPre\LinqBridge.dll |
bb96c55079ead70a35746ad4f8509bab | c:\Program Files (x86)\OLBPre\OLBPre.exe |
660605e24b0cf1068bfbb4a4ec647652 | c:\Program Files (x86)\OLBPre\uninst.exe |
2ae42712f67f30dfeb9b7ae8798e1c29 | c:\Program Files (x86)\Uniblue\PC-Mechanic\InstallerExtensions.dll |
6de5c66e434a9c1729575763d891c6c2 | c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcp90.dll |
e7d91d008fe76423962b91c43c88e4eb | c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcr90.dll |
5434e18b933e03f274d8da59fda4c676 | c:\Program Files (x86)\Uniblue\PC-Mechanic\icudt.dll |
28888738b5521923a244fac763767db4 | c:\Program Files (x86)\Uniblue\PC-Mechanic\libcef.dll |
a681d994fefa6865b181937c97688c96 | c:\Program Files (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe |
718355a4c81fdae7e890292ed04c0dac | c:\Program Files (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe |
5bf98032f3b5ac20ed8160d9a183baff | c:\Program Files (x86)\Uniblue\PC-Mechanic\unins000.exe |
8261a06c2664ace68b763ab096fcaca8 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\aff_setup[1].exe |
6843e5f8e199b000decdb9ef0cb74b3f | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\pcmechanicpm-standalone-setup[1].exe |
8261a06c2664ace68b763ab096fcaca8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe |
89a093e37ca6953ebbe96f59310e11b7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\f17163569e4a465daf3b6da720d89cfd453527.exe |
2ae42712f67f30dfeb9b7ae8798e1c29 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\InstallerExtensions.dll |
526426126ae5d326d0a24706c77d8c5c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_setup64.tmp |
92dc6ef532fbb4a5c3201469a5b5eb63 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_shfoldr.dll |
6843e5f8e199b000decdb9ef0cb74b3f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\pm-standalone-setup.exe |
62efa7b730eb0523a026ea4325403b77 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll |
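Three of the twenty MD5s in the table appear twice, and two entries sit in the Temporary Internet Files cache (Content.IE5), which is how an analyst sees that aff_setup.exe and pcmechanicpm-standalone-setup.exe were fetched over HTTP during installation and then copied into Temp, rather than unpacked from the 1079304-byte sample. The Python below, an added example and not part of the Lavasoft report, parses the table as printed above, groups rows by hash, separates the runtime downloads, and reuses the distinct hashes as an IOC set for a chunked MD5 sweep of local files. Its self-check hashes a constructed stand-in file (not the real dropper) so that it runs offline.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# "Dropped PE files" table from the report, copied verbatim.
DROPPED_PE_TABLE = r"""
MD5 | File path |
---|---|
e5cc3997457cd365e43c19f0f9110148 | c:\Program Files (x86)\OLBPre\LinqBridge.dll |
bb96c55079ead70a35746ad4f8509bab | c:\Program Files (x86)\OLBPre\OLBPre.exe |
660605e24b0cf1068bfbb4a4ec647652 | c:\Program Files (x86)\OLBPre\uninst.exe |
2ae42712f67f30dfeb9b7ae8798e1c29 | c:\Program Files (x86)\Uniblue\PC-Mechanic\InstallerExtensions.dll |
6de5c66e434a9c1729575763d891c6c2 | c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcp90.dll |
e7d91d008fe76423962b91c43c88e4eb | c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcr90.dll |
5434e18b933e03f274d8da59fda4c676 | c:\Program Files (x86)\Uniblue\PC-Mechanic\icudt.dll |
28888738b5521923a244fac763767db4 | c:\Program Files (x86)\Uniblue\PC-Mechanic\libcef.dll |
a681d994fefa6865b181937c97688c96 | c:\Program Files (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe |
718355a4c81fdae7e890292ed04c0dac | c:\Program Files (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe |
5bf98032f3b5ac20ed8160d9a183baff | c:\Program Files (x86)\Uniblue\PC-Mechanic\unins000.exe |
8261a06c2664ace68b763ab096fcaca8 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6HVGFTJ0\aff_setup[1].exe |
6843e5f8e199b000decdb9ef0cb74b3f | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUC72OXY\pcmechanicpm-standalone-setup[1].exe |
8261a06c2664ace68b763ab096fcaca8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe |
89a093e37ca6953ebbe96f59310e11b7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\f17163569e4a465daf3b6da720d89cfd453527.exe |
2ae42712f67f30dfeb9b7ae8798e1c29 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\InstallerExtensions.dll |
526426126ae5d326d0a24706c77d8c5c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_setup64.tmp |
92dc6ef532fbb4a5c3201469a5b5eb63 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\_isetup\_shfoldr.dll |
6843e5f8e199b000decdb9ef0cb74b3f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-63LV7.tmp\pm-standalone-setup.exe |
62efa7b730eb0523a026ea4325403b77 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx8AB3.tmp\nsSCM.dll |
"""

MD5_RE = re.compile(r"[0-9a-f]{32}")
IE_CACHE = "\\temporary internet files\\content.ie5\\"


def parse_dropped_table(text):
    """Return [(md5, path), ...]; the header row and the ---|--- separator are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 2 and MD5_RE.fullmatch(cells[0]):
            rows.append((cells[0], cells[1]))
    return rows


def group_by_hash(rows):
    """md5 -> [paths]; more than one path per hash means the same binary was copied."""
    groups = defaultdict(list)
    for md5, path in rows:
        groups[md5].append(path)
    return dict(groups)


def downloaded_at_runtime(rows):
    """Entries under the WinINet cache were fetched over HTTP by the installer."""
    return sorted(path for _, path in rows if IE_CACHE in path.lower())


def sweep(paths, known_md5, chunk=1 << 20):
    """Chunked MD5 of each file; returns [(path, md5)] for files in the IOC set.
    Unreadable paths are skipped so one locked file does not abort the sweep."""
    hits = []
    for path in paths:
        digest = hashlib.md5()
        try:
            with open(path, "rb") as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    digest.update(block)
        except OSError:
            continue
        if digest.hexdigest() in known_md5:
            hits.append((path, digest.hexdigest()))
    return hits


def demo_sweep():
    """Offline self-check: a constructed stand-in file (not the real dropper) has
    its MD5 added to the IOC set, a benign neighbour does not; only the stand-in
    must come back. Returns the hit file names."""
    iocs = set(group_by_hash(parse_dropped_table(DROPPED_PE_TABLE)))
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = os.path.join(tmp, "aff_setup.exe")
        benign = os.path.join(tmp, "readme.txt")
        with open(stand_in, "wb") as fh:
            fh.write(b"MZ constructed stand-in for the example, not the dropper")
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see")
        with open(stand_in, "rb") as fh:
            iocs.add(hashlib.md5(fh.read()).hexdigest())
        return [os.path.basename(p) for p, _ in sweep([stand_in, benign], iocs)]


if __name__ == "__main__":
    rows = parse_dropped_table(DROPPED_PE_TABLE)
    for md5, paths in group_by_hash(rows).items():
        if len(paths) > 1:
            print(md5, "==", " | ".join(paths))
    print("downloaded at runtime:", downloaded_at_runtime(rows))
    print("sweep self-check:", demo_sweep())
```

The duplicate groups are the pairs an analyst expects from the process chain: aff_setup[1].exe in the cache equals Uniblue\Offers\aff_setup.exe, pcmechanicpm-standalone-setup[1].exe equals is-63LV7.tmp\pm-standalone-setup.exe, and InstallerExtensions.dll is the same file in the Inno Setup temp directory and the install directory. For a real host sweep, pass the paths to check to sweep() with the 17 distinct hashes; MD5 is used here only because it is the hash the table provides.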
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
aff_setup.exe:2456
thirdpartyinstaller.exe:2104
f17163569e4a465daf3b6da720d89cfd453527.exe:3016
%original file name%.exe:544
pm-standalone-setup.exe:2384
pm-standalone-setup.tmp:3036
6370fab243594f9a469c66fe6f14eeb3.tmp:1912
OLBPre.exe:1996
pc-mechanic.exe:2092
- Delete the original Malware file.
- Delete or disinfect the files created/modified by the Malware; the complete list, grouped by the process that wrote each file, is the one given under File activity above.
%Program Files% (x86)\OLBPre\aff.jdat (140 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (7006 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (2183 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Uniblue Systems Limited
Product Name: PC Mechanic
Product Version: 1.0.5.0
Legal Copyright: Copyright (c) Uniblue Systems Limited
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.0
File Description: PC Mechanic Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 61740 | 61952 | 4.43024 | 3a126e478661f20816f9d9285615f98e |
.itext | 69632 | 2884 | 3072 | 3.97317 | ba48b9b17b3dd8b92da3bd93f20ddb34 |
.data | 73728 | 3208 | 3584 | 1.55702 | d7fd5f4b562d7961758f3d6a8c834fd0 |
.bss | 77824 | 22196 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 102400 | 3536 | 3584 | 3.44625 | 93d91a2b90e60bd758fc0c4908856ae1 |
.tls | 106496 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 110592 | 24 | 512 | 0.14174 | 3dffc444ccc131c9dcee18db49ee6403 |
.rsrc | 114688 | 240000 | 240128 | 3.69358 | e4a89d11d280d5a8143e7f337ebee43a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 166
Network Activity
URLs
URL | IP |
---|---|
hxxp://backupgrid.jdibackup.netdna-cdn.com/aff_setup.exe | |
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/collect | |
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe | |
hxxp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe | 54.230.45.7 |
hxxp://splitter-load-balancer-1436536024.us-east-1.elb.amazonaws.com/pm/version.txt?from=1.0.5.0 | |
hxxp://api.uniblue.net/v1/geo/country-code | 54.228.215.241 |
hxxp://s3-1-w.amazonaws.com/latest_updates/application.txt | |
hxxp://uniblue.com/api/v1/geo/country-code | 54.247.66.171 |
hxxp://tracking-uniblue-com-1314478381.eu-west-1.elb.amazonaws.com/v1/track | |
hxxp://track.backupgrid.net/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe | 184.154.139.137 |
hxxp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe | 184.154.139.131 |
hxxp://backupgrid.jdibackup.netdna-cdn.com/MyPCBackup_ppi_Setup.exe | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1735fb5d02dddd2d | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?40cd6cf25a6e9807 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= | |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?40cd6cf25a6e9807 | 87.245.216.19 |
hxxp://tracking.uniblue.com/v1/track | 54.246.127.16 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.216.57 |
hxxp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt | 54.231.10.57 |
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= | 23.51.123.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.51.123.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.216.57 |
hxxp://tracking.uniblue.com/v1/collect | 54.246.127.16 |
hxxp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe | 94.31.29.237 |
hxxp://www.uniblue.com/api/v1/geo/country-code | 176.34.97.132 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | 23.51.123.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.216.57 |
hxxp://update.uniblue.com/pm/version.txt?from=1.0.5.0 | 54.243.120.72 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.51.123.27 |
hxxp://download.uniblue.com/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe | 54.243.120.72 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | 23.51.123.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | 23.51.123.27 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.216.57 |
hxxp://cdn.backupgrid.net/aff_setup.exe | 94.31.29.237 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.51.123.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= | 23.51.123.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1735fb5d02dddd2d | 87.245.216.19 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: track.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 301 Moved Permanently
Date: Sun, 19 Apr 2015 23:25:10 GMT
Server: Apache
Set-Cookie: SESSID=u5vgl1fc5an4fir3seo975ttd6; path=/; domain=.backupgrid.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:10 GMT; path=/; domain=.backupgrid.net
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:10 GMT; path=/; domain=.backupgrid.net
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.backupgrid.net
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.backupgrid.net
location: hXXp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 141
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.third_party_offer_not_shown","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:05 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 131
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_completed","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:12 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Sun, 19 Apr 2015 23:25:09 GMT
Location: hXXp://VVV.uniblue.com/api/v1/geo/country-code
Server: ngx_openresty
Content-Length: 178
Connection: Close
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=360157, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 03:30:03 GMT
Expires: Fri, 24 Apr 2015 03:30:03 GMT
Date: Sun, 19 Apr 2015 23:29:19 GMT
Connection: keep-alive
<<< skipped >>>
GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: VVV.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/plain
Date: Sun, 19 Apr 2015 23:25:10 GMT
Server: ngx_openresty
Content-Length: 3
Connection: Close
UA...
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 132
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_included","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:10 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 130
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_shown","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:27 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 133
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_accepted","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:33 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 142
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_started","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:34 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 142
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_download_initiated","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:45 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 132
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_accepted","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:01 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 143
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_download_initiated","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:13 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 123
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:10 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_shown","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:27 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 122
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:33 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 144
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_completed","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:35 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}....
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1735fb5d02dddd2d HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Sun, 19 Apr 2015 23:28:42 GMT
Connection: keep-alive
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT
If-None-Match: "dde36a309c58d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
ETag: "dde36a309c58d01:0"
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT
If-None-Match: "cf2633d6957d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
ETag: "cf2633d6957d01:0"
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive
GET /v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: api.uniblue.net
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Sun, 19 Apr 2015 23:28:46 GMT
Location: hXXp://uniblue.com/api/v1/geo/country-code
Server: nginx/1.1.19
Content-Length: 161
Connection: Close
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx/1.1.19</center>..</body>..</html>....
GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: download.uniblue.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Sun, 19 Apr 2015 23:24:57 GMT
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe
Server: openresty/1.5.8.1
Content-Length: 166
Connection: keep-alive
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>openresty/1.5.8.1</center>..</body>..</html>....
GET /MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: cdn.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Sun, 19 Apr 2015 23:24:51 GMT
Content-Type: application/octet-stream
Content-Length: 1120161
Connection: close
x-amz-id-2: 6hUdvPx7FH7Yn0RQuWLnIKsEq/a4YnTzlbjOJCC 22WLHMJ7WoJPCGzbjqZgGzXUM7hvvJH4WDo=
x-amz-request-id: 478165AF27847D6C
Last-Modified: Sun, 19 Apr 2015 20:57:17 GMT
ETag: "89a093e37ca6953ebbe96f59310e11b7"
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: d21bsqatndqkg8.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 18839984
Connection: keep-alive
Date: Wed, 18 Mar 2015 10:47:04 GMT
Cache-Control: max-age=86400, public
Last-Modified: Wed, 18 Mar 2015 10:32:55 GMT
ETag: "6843e5f8e199b000decdb9ef0cb74b3f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 4469
X-Cache: Hit from cloudfront
Via: 1.1 640d3bc78d87dcf13f5ba92e326ec5e8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: NZ_Db36sruc6A7B2jZY-yonP_yCIxtNcED7dl3AFOm14yr-KKOPdLw==
<<< skipped >>>
GET /aff_setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: cdn.backupgrid.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 19 Apr 2015 23:24:48 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
x-amz-id-2: OavKHu0NQHzBLxdBIk3icse05Fm1ln40bMEXB8jjyGu8aUqtsgBSJMtcpkYTerjhnKifA0ZyjYY=
x-amz-request-id: F6085267AA27BD8A
Last-Modified: Sun, 19 Apr 2015 23:21:32 GMT
ETag: W/"8261a06c2664ace68b763ab096fcaca8"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Encoding: gzip
500a..............{|T..?...0...$. ...........@&....2...1..3.$f.....8....k{l....4...z...b....$(*...........i.......L@O{....{?..'......Z.Y.m=..w..yV0..`DPUA..........F..[^.-.........&.................u..q..A..V.Z..vY..Uzg...d.....e.<&V...&..........o...J<'.}.z ..y.'..... D.......%.$a....J...f.(]. <......y.........zm...t.C...*D...8....*....2.=AA.K..A..."./...a...G..$.&.....Cx=....1.g...f5T.K.........U......,.L.<.z.Da*.&.......U..<.....`........4.m.Z$...............%.....`c.Y..o..H....2-J..b..Zdt..E.SU..f.x..D.@2\n%....c...(Z...._.9R...Z^)......OP&..P7 ..y_.r.>...R.S...f..:..C.../.....P..Y.}KK./.3C...JPc.....r..%..p....L.}.Q.aG.3T<.f,B7AG.1.Hwj.......UNWO........7...|r.*y..s..%...A..DiL..<]...M].f.C.p.@.....PLNWrV".QOk....s.TQxt.r3*y..(...N.ID..Ym.<z..EP.d...........P[.GY.7...K.........(./P..>J..B.I1.t.%...I..Fi....-G%k.2.i.G).....Pg{/.Y.D5....X....F..^.L)1...W.P.2....5|......J.i.^..[.*%g.X.*2.ep$........LSx.N1..)>.r.SP..Fy.@.]2....N...g....$jA9....."G...`.. }.l.....R.=.....8.5xT.Zj..7L..m x.....I.aF.i.(.....6.....|cH2..b...!}Q............R.HZ..!Hn.s..G.O(....c.v&7Sz(.}.C.!j.......&.....%...w..x.x....?...U..M.V:.s.......MGx..7..{_J....A#.hm.....c6.Ja..%.8...P.@..M..^..X".@..HY..O9......".....:.........V...:.i..F{Ql.".m./.3.% U...%]xd.....Sx..e.m.e..s...S.......i....4~..Y.VP.[c.#..4.....jX5.....2$...s.sT!DM.2....&O.....U..S_.T).QJ.*.).A..>..R:?N1...........`..............*2.WV..3..2..gv.}..`:zV...G.......WPQ..V.r.r.[.t.iPS5....[6hn.j...a....#..}.*d.o.[\D.[..n............T\}.....z7
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=376305, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 08:00:00 GMT
Expires: Fri, 24 Apr 2015 08:00:00 GMT
Date: Sun, 19 Apr 2015 23:29:32 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150417080000Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20150417080000Z....20150424080000Z0...*.H.............A..`.............Q.q..M....mq'.9.*..u..Y....TU..!T..J...i.Apu.q.e,.9.v...D......i...-.;.a.....e..z.)Et....x..4\j..<.....B[.........3......}..@<.6..:B"...^.....%.H.u4........{.B.M..].b....*..Q.8........_....C.fg.....Zs3.r....n|..t'..t..F...o....T.p...*3:..!...#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>
POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7
{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_completed", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:49 GMT
Server: ngx_openresty
Content-Length: 20
Connection: Close
{. "status": "OK".}..
GET /latest_updates/application.txt HTTP/1.1
Accept-Encoding: identity
Host: pm.uniblue.com.s3.amazonaws.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 200 OK
x-amz-id-2: smCvET7EKdGL90gPQyS9ZYJV0oNnHzbqj5Br1xKWF4rjIH8UlcOmmOAZfaNZC9DP15rF9uRGt7g=
x-amz-request-id: 38C8E0ECA58FFA75
Date: Sun, 19 Apr 2015 23:25:10 GMT
Cache-Control: max-age=86400, public
Last-Modified: Tue, 24 Mar 2015 09:46:29 GMT
ETag: "7afc8227ca4783a30e4f834d1815a2fe"
Accept-Ranges: bytes
Content-Type: text/plain
Content-Length: 7
Server: AmazonS3
1.0.5.0..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=395989, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 13:24:57 GMT
Expires: Fri, 24 Apr 2015 13:24:57 GMT
Date: Sun, 19 Apr 2015 23:29:32 GMT
Connection: keep-alive
0..........0..... .....0......0...0........C...4N...@..6...v...20150417132457Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150417132457Z....20150424132457Z0...*.H.............Y.4.<..&r.....&.>'.TqX.E...*...............Lp3.p.MU..^.....!e4.xN..1u.#.ox.....5.....j....&.....E...H=}..S....l..5{.........BO.......8[.~2:[}..W.SVd.y..%\f.x.op...]uE..W0.......}.. .S..Fp..".....:Iw ....M.....9l.>G.........;.#.>.B..... h...&.4.dARH..8(...r...50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.
<<< skipped >>>
HEAD /aff_setup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: cdn.backupgrid.net
HTTP/1.1 200 OK
Date: Sun, 19 Apr 2015 23:24:13 GMT
Content-Type: application/octet-stream
Content-Length: 159277
Connection: keep-alive
x-amz-id-2: OavKHu0NQHzBLxdBIk3icse05Fm1ln40bMEXB8jjyGu8aUqtsgBSJMtcpkYTerjhnKifA0ZyjYY=
x-amz-request-id: F6085267AA27BD8A
Last-Modified: Sun, 19 Apr 2015 23:21:32 GMT
ETag: "8261a06c2664ace68b763ab096fcaca8"
Server: NetDNA-cache/2.2
X-Cache: HIT
GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 301 Moved Permanently
Date: Sun, 19 Apr 2015 23:25:11 GMT
Server: Apache
Set-Cookie: SESSID=mmciag1jukjensg51tfbgv4nn7; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Wed, 29-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: 748a7624422584634822bd3a2bf604ae=11a7adb1cd6b23f5b5ad8f60b8254981; expires=Mon, 17-Aug-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: intc=1; expires=Mon, 20-Apr-2015 23:25:11 GMT; path=/; domain=.mypcbackup.com
P3P: CP="We do not have a P3P policy"
location: hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe
Set-Cookie: aff_id=67333; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_name=MaxiDisk1; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_id=97175; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hash=5729abc4979b2fa22c9189cabaf59842; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: tid=PC-Mechanic; expires=Wed, 20-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: 9bf5853aunique=true; expires=Sat, 18-Jul-2015 23:25:11 GMT; path=/; domain=mypcbackup.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=458565, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 06:50:09 GMT
Expires: Sat, 25 Apr 2015 06:50:09 GMT
Date: Sun, 19 Apr 2015 23:29:17 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150418065009Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150418065009Z....20150425065009Z0...*.H..................3..9..A..A....kqk......".R.P.....A.......A.7.......WT...=p.m.b...az.K..#..`.j\...g...._..v.OV...Z.......yr...m..bi..}."......O.."3..4.......... l...e.[Y....6p..yh.....u..r]A....j...U..z...ae..'.7.'.7 ..../.......`|....$..DU.p......n. :.:.........n.-......0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=504664, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 19:40:18 GMT
Expires: Sat, 25 Apr 2015 19:40:18 GMT
Date: Sun, 19 Apr 2015 23:29:17 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150418194018Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150418194018Z....20150425194018Z0...*.H...............$c.!|..m..L.Z..N....u."%x..'.9.R...C.ZU3F.F:.J7.....F...X..?8..).H34< .-...q..w.F...%.*........1.b#GA`U*....H.e.p-.r....5..oK.1r...S.. *..H/83.b.1...`..(....c4.f...d\.>....aO>.4.%...a...`.;/.....hO%......"...O.......7............p.......4|U...p....s.P;.....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...
<<< skipped >>>
POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7
{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_initiated", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:46 GMT
Server: ngx_openresty
Content-Length: 20
Connection: Close
{. "status": "OK".}..
GET /pm/version.txt?from=1.0.5.0 HTTP/1.1
Accept-Encoding: identity
Host: update.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 302 Found
Cache-Control: max-age=600
Content-Type: text/plain
Date: Sun, 19 Apr 2015 23:25:09 GMT
Location: hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt
Server: openresty/1.5.8.1
Content-Length: 69
Connection: Close
hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt..
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?40cd6cf25a6e9807 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Sun, 19 Apr 2015 23:29:13 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 438486457400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Sun, 19 Apr 2015 23:29:22 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=398696, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 14:10:10 GMT
Expires: Fri, 24 Apr 2015 14:10:10 GMT
Date: Sun, 19 Apr 2015 23:29:22 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150417141010Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150417141010Z....20150424141010Z0...*.H................c.8.c..d8..6_.S.O..~Q.0..biaE3.C......MY.W.J.'gu...5.U.X...........p..R.........7.ErNBD.....7.5..Z..k.8S.Y..=.h...]_.<...[t.?..D6...6(..@...C..rks.../A".....:.v....'.._.'.thz.}.e..W...RC..5.1f/.Z..61.~.7......F...>.FO...dw.G(5U'.[;;......T..`P. ... .......#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=487112, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 14:45:04 GMT
Expires: Sat, 25 Apr 2015 14:45:04 GMT
Date: Sun, 19 Apr 2015 23:29:23 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150418144504Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150418144504Z....20150425144504Z0...*.H.............cG..0.<.3....Z}.. .A.D.c.O.l5.%9|.;q..E..{d...3u~....4....Hw....,w..p.<H.I ....0..M....V...|DY....&.nP.sD..B......,D0.{....Bp.....'j......C1.7[..N..........]..w.R....^......`F..sd.i.....A....._.j..\.9.j..gV)e..nv8..<...|..Y....x.J.S.{ ..W......7...yC~..vnP....0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://www.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=406544, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 16:24:47 GMT
Expires: Fri, 24 Apr 2015 16:24:47 GMT
Date: Sun, 19 Apr 2015 23:29:23 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....20150417162447Z0s0q0I0... ...................F....0.yV......{&.K......&.......8....t..............20150417162447Z....20150424162447Z0...*.H.............`..yl....C...e..2V.h.{_....6..7x.~.,..r......_....:..G.'..!..>*.....;..v.]..r...o.F..G....)..}.......n.....^P.=.....hIh_..........^...3...........c.B.}./.....h.`.f...1. ..._..................X..~....h.....'mE.N:..........zA.....=k1..0...*..u..G..6 d6.t..v.....0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.Rf.
<<< skipped >>>
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 130
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:05 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4250"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 19 Apr 2015 23:28:07 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}
Map
The Malware connects to the servers at the following location(s):
Strings from Dumps
pc-mechanic.exe_1464:
.text
`.rdata
@.data
.rsrc
tCPV
USER32.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
KERNEL32.dll
windows_exe
%s\%s
PYTHON27.DLL
zlib.pyd
ZLIB.PYD
Not enough space for new sys.path
no mem for late sys.path
PY2EXE_VERBOSE
PyImport_ImportModule
PyExc_ImportError
PyImport_AddModule
undefined symbol %s -> exit(-1)
Importer which can load extension modules from memory
s#sss:import_module
MemoryLoadLibrary failed loading %s
Could not find function %s
import_module
import_module(code, initfunc, dllname[, finder]) -> module
_memimporter
%Program Files% (x86)\Uniblue\PC-Mechanic\library.dat
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe
%Program Files% (x86)\Uniblue\PC-Mechanic
pc-mechanic.exe
library.dat
windows_exet
.logc
The logfile '%s' could not be opened:
See the logfile '%s' for details(
%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyR
%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyt
zipextimportert
R$
library.dats
app.main(
joint
__import__t
bootstrap_main.pyR$
332222##
%%cxaax
`>>>>=>`
\4544545454545444
C.yLF
xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
1.0.5.0