Skip to main content

SearchProtectToolbar_pcap_5bd032c3d5


Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5bd032c3d5d4a28f624dbf49476077e6

SHA1: 977c2a4999c1383a56ede8d9db2444b81af01949

SHA256: 790b55bb7bb1bcdb0630c045acd0879dab965b25841c2fb5873519f2558605a3

SSDeep: 6144:FQqTbUzFxusbxMsk09N0cxtN60UD7ZqXJgN8/p6wIqnlPpKLVW uE9CTqM oUmb:P4z3usbxZltL3UhqXJg /p6clkhHmqMJ

Size: 356408 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:41

Analyzed on: Windows7Ada SP1 64-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

pcspeedup.exe:3936
install.exe:2612
PCSUService.exe:604
PCSUService.exe:3100
PCSUService.exe:3444
cvs_mystartsearch.exe:948
BaofengUpdate.exe:3384
BaofengUpdate.exe:2892
nssCF71.tmp:3176
ProtectWindowsManager.exe:3500
ProtectWindowsManager.exe:3460
PCSUSD.exe:4000
ProtectService.exe:3668
ProtectService.exe:3684
wpm_v20.0.0.2227.exe:3440
MSI106D.tmp:3272
pcspeedup.tmp:3952
VOPackage.exe:1780
XTab_Setup2253.exe:3544
HPNotify.exe:3756
coregen.exe:3664
coregen.exe:3576
coregen.exe:3472
coregen.exe:3460
coregen.exe:1132
coregen.exe:3624
coregen.exe:336
coregen.exe:3440
coregen.exe:3208
coregen.exe:3392
coregen.exe:3144
coregen.exe:1244
coregen.exe:2060
coregen.exe:3080
coregen.exe:1108
SpeedCheckerService.exe:3264
cmdshell.exe:3740
%original file name%.exe:2192
PCSUSpeedTest.exe:3468
regsvr32.exe:4004
regsvr32.exe:1072
nssCF72.tmp:3656
Skyhook.exe:912
Silverlight.exe:3240
PCSUNotifier.exe:3972

The Trojan injects its code into the following process(es):

MsiExec.exe:2188
DTLite4461-0327.exe:3840
SpeedCheckerService.exe:2188
nsissetup.exe:2868

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process pcspeedup.exe:3936 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-PAARG.tmp\pcspeedup.tmp (50 bytes)

The process install.exe:2612 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SilverlightMSI.log (90000 bytes)
C:\135c1e3ab58ad80afdd7f364\install.res.dll (397 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Silverlight0.log (6780 bytes)
C:\135c1e3ab58ad80afdd7f364\Silverlight.msp (3692 bytes)

The process PCSUService.exe:604 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (13980 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService.log (1858 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService-Timer.log (99 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (3898 bytes)

The process PCSUService.exe:3100 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSUService.log (521 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (27960 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (7797 bytes)

The process PCSUService.exe:3444 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSUService.log (4961 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (20970 bytes)
%Program Files% (x86)\PC Speed Up\PCSUSpeedTest.exe (16 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (9551 bytes)

The process cvs_mystartsearch.exe:948 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_1.ipk (37339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\quick_searchff#5.4.10.xpi (1209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe (19594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code2.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\2[1].zip (291497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\UninstallManager.exe (15958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BaofengUpdate.exe (1206 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg.png (1209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\sweetsearch!1.0.0.1031.xpi (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tCE1709AA862C234DD936mp.tmp (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\DataBase (7769 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\conf (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\535559167_198339_B48A115F[1].htm (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\428.json (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_2.ipk (28823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\428.db (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\1[1].zip (195558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe (3249 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\scrollbar.bmp (37 bytes)

The process BaofengUpdate.exe:3384 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\428.db (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe (86 bytes)

The process BaofengUpdate.exe:2892 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\googlelogo.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\restoreprefs.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\properties.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bk_shadow.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\default_logo.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code5.jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A987.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\Thumbs.db (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es-419\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox_select.png (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg1.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en-US\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\index.html (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\last_tab.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\common.js (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\misc.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\search.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg.png (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pl\locale.properties (1 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\icon.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\google_trends.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\tr\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome.manifest (1 bytes)
%Program Files% (x86)\Mozilla Firefox\browser\searchplugins\mystartsearch.xml (565 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checked.png (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_bg.png (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\scrollbar.bmp (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\unchecked.png (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\style.css (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\stat.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\addonmanager.js (531 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\newtab.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\preferences.js (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code3.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code1.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\Thumbs.db (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\logo.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\js.js (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\close.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\ga.js (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\min.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code4.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\uninstallDlg2.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A998.tmp (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\vi\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\remoterequest.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\settings.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\misc.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code6.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\428.json (520 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\MessageBox.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\aes.js (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.xul (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\speed_dial.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe (14022 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox.png (545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\simple.css (4 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\fvd.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_light.png (139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code2.jpg (4 bytes)

The process nssCF71.tmp:3176 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\0[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84C9.tmp (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B6Z6HGT4.txt (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\0[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp (43 bytes)

The process ProtectWindowsManager.exe:3500 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)

The process PCSUSD.exe:4000 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\PC SpeedUp Service Deactivator.job (336 bytes)
%Program Files% (x86)\PC Speed Up\Sqlite3.dll (585 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (6990 bytes)
%Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db (8187 bytes)

The process ProtectService.exe:3668 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (876 bytes)

The process ProtectService.exe:3684 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ProgramData\IHProtectUpDate\update\conf (5 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (32 bytes)

The process wpm_v20.0.0.2227.exe:3440 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)

The process MSI106D.tmp:3272 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coregen.exe (69 bytes)

The process pcspeedup.tmp:3952 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\unins000.exe (49 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (1 bytes)
%Program Files% (x86)\PC Speed Up\is-SBV4J.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Silverlight.exe (1738736 bytes)
%Program Files% (x86)\PC Speed Up\is-0OS0F.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SNE55.tmp (20 bytes)
%Program Files% (x86)\PC Speed Up\is-29LNJ.tmp (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SG3HV.tmp (54589 bytes)
%Program Files% (x86)\PC Speed Up\is-F2546.tmp (31891 bytes)
%Program Files% (x86)\PC Speed Up\is-8PBKC.tmp (673 bytes)
%Program Files% (x86)\PC Speed Up\is-6KBMV.tmp (48 bytes)
%Program Files% (x86)\PC Speed Up\unins000.msg (864 bytes)
%Program Files% (x86)\PC Speed Up\is-3GVGP.tmp (3361 bytes)
%Program Files% (x86)\PC Speed Up\PCSULauncher.exe (81 bytes)
%Program Files% (x86)\PC Speed Up\is-IPS4T.tmp (23 bytes)
%Program Files% (x86)\PC Speed Up\is-8FSMN.tmp (2321 bytes)
%Program Files% (x86)\PC Speed Up\is-65J6L.tmp (1 bytes)
%Program Files% (x86)\PC Speed Up\is-PB612.tmp (601 bytes)
%Program Files% (x86)\PC Speed Up\is-RIIRJ.tmp (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PCSUNotifier.exe (2465 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PopupNotification.dll (2321 bytes)
%Program Files% (x86)\PC Speed Up\is-V7JN2.tmp (6841 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Sqlite3.dll (3361 bytes)
%Program Files% (x86)\PC Speed Up\SpeedCheckerService.exe (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\itdownload.dll (1489 bytes)
%Program Files% (x86)\PC Speed Up\App.config (3718 bytes)
%Program Files% (x86)\PC Speed Up\is-S2DD8.tmp (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\PC Speed Up\is-V94DR.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-S7P3F.tmp (28 bytes)
%Program Files% (x86)\PC Speed Up\is-BSQHS.tmp (2321 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService.conf (605 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-JF5OQ.tmp (1 bytes)
%Program Files% (x86)\PC Speed Up\is-EKJKL.tmp (265 bytes)
%Program Files% (x86)\PC Speed Up\is-QCKKO.tmp (889 bytes)
%Program Files% (x86)\PC Speed Up\is-3GHQ8.tmp (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\delete_me_reportInstall.txt (2 bytes)
%Program Files% (x86)\PC Speed Up\is-1IA04.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-26 #001.txt (585081 bytes)
%Program Files% (x86)\PC Speed Up\is-A5LBU.tmp (2105 bytes)
%Program Files% (x86)\PC Speed Up\uninstaller.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\WebBrowser.dll (2763 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-55LAA.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-C42T5.tmp (7 bytes)
%Program Files% (x86)\PC Speed Up\is-50NHH.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\Desktop\PC Speed Up.lnk (1 bytes)
%Program Files% (x86)\PC Speed Up\is-QOQI6.tmp (47 bytes)
%Program Files% (x86)\PC Speed Up\unins000.dat (53168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BA2BP.tmp (601 bytes)
%Program Files% (x86)\PC Speed Up\PCSUSD.exe (405 bytes)
%Program Files% (x86)\PC Speed Up\is-95IRN.tmp (601 bytes)
%Program Files% (x86)\PC Speed Up\is-0OSRR.tmp (7726 bytes)
%Program Files% (x86)\PC Speed Up\PCSUService.exe (446 bytes)
%Program Files% (x86)\PC Speed Up\is-MBUJ4.tmp (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MNGUG.tmp (4 bytes)
%Program Files% (x86)\PC Speed Up\is-LMJL1.tmp (12 bytes)
%Program Files% (x86)\PC Speed Up\is-1MP8Q.tmp (601 bytes)

The process VOPackage.exe:1780 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF41B.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD83B.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF611.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn8ABB.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEEDA.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy87EC.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp (3656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD53D.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF778.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\WmiInspector.dll (2840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd8944.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF2E2.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoFA58.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiD28C.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst900B.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8646.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst9192.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8480.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage\Configure.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\stats[1].htm (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD907.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD134.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\IpConfig.dll (3440 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD6E3.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\vnstF593.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy92EA.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd9442.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoD3E5.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEDA1.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\heu39T.nss (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\VOPackage.exe (1748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF1B9.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe (1336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF8D1.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd95C9.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\Uninstall.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\count_vn[1].htm (2888 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF080.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyCD6E.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8E45.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\count_vc[1].htm (5984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp (7288 bytes)

The process MsiExec.exe:2188 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\SLMSPRBootstrap.dll (618 bytes)
%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll (65 bytes)

The process DTLite4461-0327.exe:3840 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ELL.dll (3406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\favicon.bmp (894 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHT.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupHelper.exe (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChrome.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LTH.dll (3722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageTrialInfo.ini (796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\RUS.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\License.rtf (814 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-header.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PTB.dll (5114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-wizard.bmp (7192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SLV.dll (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PLK.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageEmail.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ReinstPage.ini (478 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BIH.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\InstallOptions.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.bmp (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SVE.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll (165851 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SKY.dll (3410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ESN.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChromeIcon.bmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ITA.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ENU.dll (3722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HEB.dll (3402 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HRV.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ARA.dll (3402 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy51F.tmp (316027 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\AFK.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NLB.dll (3718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LVI.dll (1913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DAN.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ioSpecial.ini (8566 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\JPN.dll (2461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KOR.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FRA.dll (5123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\OCSetupHlp.dll (27504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DAEMON_Chrome.bmp (7192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHS.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\MountSpace.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPagePaidInfo.ini (7109 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CAT.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\translate-icon.bmp (894 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gcapi_dll.dll (16424 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\share-icon.bmp (838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupWaitPage.bmp (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DEU.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Toolbar.exe (20624 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FIN.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HUN.dll (3402 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gtapi.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\IND.dll (3722 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ROM.dll (3406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\license.bmp (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CSY.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\TRK.dll (2465 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KAT.dll (3726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\moutspace-bg.bmp (22552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NOR.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Chrome.exe (20624 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DTSetupHelper.exe (6532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\GLC.dll (1917 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BGR.dll (5118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\WaitPage.ini (642 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\UKR.dll (5110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SRL.dll (3730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\System.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageType.ini (9662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HYE.dll (3402 bytes)

The process XTab_Setup2253.exe:3544 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
%Program Files% (x86)\XTab\skin\btn.png (2 bytes)
%Program Files% (x86)\XTab\install.data (68 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
%Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
%Program Files% (x86)\XTab\conf (1638 bytes)
%Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
%Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
%Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\ver.txt (47 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
%Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
%Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
%Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
%Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
%Program Files% (x86)\XTab\CmdShell.exe (29 bytes)
%Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
%Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
%Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
%Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\main.xml (4 bytes)
%Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
%Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
%Program Files% (x86)\XTab\msvcr110.dll (21280 bytes)
%Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
%Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
%Program Files% (x86)\XTab\web\js\js.js (18 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\logo.png (5 bytes)
%Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
%Program Files% (x86)\XTab\web\main.css (19 bytes)
%Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
%Program Files% (x86)\XTab\skin\close.png (3 bytes)
%Program Files% (x86)\XTab\web\data.html (20 bytes)
%Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
%Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
%Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
%Program Files% (x86)\XTab\skin\about.png (4 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxE3BA.tmp\System.dll (23 bytes)
%Program Files% (x86)\XTab\skin\settings.png (5 bytes)
%Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
%Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
%Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
%Program Files% (x86)\XTab\web\js\common.js (2 bytes)
%Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
%Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
%Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
%Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
%Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
%Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
%Program Files% (x86)\XTab\msvcp110.dll (16990 bytes)
%Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)

The process HPNotify.exe:3756 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\conf (1498 bytes)
%Program Files% (x86)\XTab\BrowerWatchFF.dll (24 bytes)
%Program Files% (x86)\XTab\BrowerWatchCH.dll (24 bytes)
%Program Files% (x86)\XTab\IeWatchDog.dll (24 bytes)
%Program Files% (x86)\XTab\BrowserAction.dll (49 bytes)

The process coregen.exe:3664 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.ni.dll (8729 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.dll (32 bytes)

The process coregen.exe:3576 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll (932 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.dll (49 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.ni.dll (13798 bytes)

The process coregen.exe:3472 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll (17751 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.dll (49 bytes)

The process coregen.exe:3460 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll (940 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.ni.dll (5844 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.dll (24 bytes)

The process coregen.exe:1132 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll (94223 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.dll (323 bytes)

The process coregen.exe:3624 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.ni.dll (123677 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.dll (520 bytes)

The process coregen.exe:336 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll (413065 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.dll (49 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll (612 bytes)

The process coregen.exe:3440 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll (652 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll (20039 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.dll (65 bytes)

The process coregen.exe:3208 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll (17059 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.dll (73 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll (922 bytes)

The process coregen.exe:3392 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll (460 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.dll (131 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.ni.dll (40448 bytes)

The process coregen.exe:3144 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll (616960 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coreclr.dll (291 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorrc.dll (12 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.dll (49 bytes)

The process coregen.exe:1244 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.dll (229 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll (70955 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll (579 bytes)

The process coregen.exe:2060 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll (224946 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.dll (561 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll (900 bytes)

The process coregen.exe:3080 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\system.dll (241 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll (544 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll (71603 bytes)

The process coregen.exe:1108 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll (1548 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.dll (438 bytes)
%Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll (106612 bytes)

The process SpeedCheckerService.exe:2188 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6B84D30E5F69CEB3278532D063D4504 (25 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (704 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
%Program Files% (x86)\PC Speed Up\Speedchecker.log (4481 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
%Program Files% (x86)\PC Speed Up\agsXMPP.dll (540 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6B84D30E5F69CEB3278532D063D4504 (324 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)

The process SpeedCheckerService.exe:3264 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallState (196 bytes)
%Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallLog (720 bytes)
C:\Windows\System32\config\SYSTEM (3355 bytes)
%Program Files% (x86)\PC Speed Up\InstallUtil.InstallLog (684 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4619 bytes)
%Program Files% (x86)\PC Speed Up\Speedchecker.log (50 bytes)
C:\$Directory (768 bytes)

The process cmdshell.exe:3740 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\XTab\HPNotify.exe (675 bytes)

The process %original file name%.exe:2192 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe (12626 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll (30 bytes)

The process PCSUSpeedTest.exe:3468 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\ManagedWifi.dll (36 bytes)
%Program Files% (x86)\PC Speed Up\SharpBrake.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)
%Program Files% (x86)\PC Speed Up\Skyhook.exe (184 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (848 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
C:\Windows\System32\config\SOFTWARE (116274 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
%Program Files% (x86)\PC Speed Up\Speedchecker.log (73491 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (848 bytes)
C:\Windows\System32\config (5376 bytes)
C:\$Directory (3840 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (160036 bytes)
%Program Files% (x86)\PC Speed Up\SpeedChecker.dll (94 bytes)

The process nsissetup.exe:2868 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\progress.zip.part (5654 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\index.html (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\index.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\dad4890a8fda856f77d8f153dc13db68\VOPackage.exe.part (20091 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\uifile.zip.part (1968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\index.html (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\index.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\progress.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\index.html (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLGD123.tmp (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\index.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe.part (903094 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\index.html (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\css\style.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\last.zip.part (1968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe.part (421975 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo.png50x50[1].jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\uifile.zip.part (2937 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\noconnection.html (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\uifile.zip.part (2933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\uifile.zip.part (2933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\base.zip.part (1964 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\css\style.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress-bar.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\262bebb37d687dabfd48d85e0de76564\cvs_mystartsearch.exe.part (45604 bytes)

The process regsvr32.exe:1072 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\PCSUHelper.dll (286 bytes)

The process nssCF72.tmp:3656 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QGQ329ST.txt (106 bytes)

The process Skyhook.exe:912 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\PC Speed Up\wpsapi.dll (49 bytes)

The process Silverlight.exe:3240 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\135c1e3ab58ad80afdd7f364\silverlight.7z (100007 bytes)
C:\135c1e3ab58ad80afdd7f364\$shtdwn$.req (788 bytes)
C:\135c1e3ab58ad80afdd7f364\install.res.dll (6178 bytes)
C:\135c1e3ab58ad80afdd7f364\silverlight.msi (364 bytes)
C:\135c1e3ab58ad80afdd7f364 (4 bytes)
C:\135c1e3ab58ad80afdd7f364\install.exe (3678 bytes)

The process PCSUNotifier.exe:3972 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PopupNotification.dll (442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Sqlite3.dll (585 bytes)

Registry activity

The process install.exe:2612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "%Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework]
"DbgPackShimPath"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process cvs_mystartsearch.exe:948 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "64 D4 4F 80 CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "7B 16 12 A0 CE 7F D0 01"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process BaofengUpdate.exe:3384 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process BaofengUpdate.exe:2892 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Mozilla\Extends]
"AppID" = "quick_searchff@gmail.com"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%windir%\System32]
"ie4uinit.exe"",-738" = "Start Internet Explorer without ActiveX controls or browser extensions."

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Search Page" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Search_URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
"(Default)" = "%Program Files% (x86)\Mozilla Firefox\firefox.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"DisplayName" = "mystartsearch uninstall케猩u"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "mystartsearch"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Mozilla\Extends]
"UID" = "535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Start Page" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@""%systemroot%\system32\windowspowershell\v1.0]
"powershell.exe"",-111" = "Performs object-based (command-line) functions"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN]
"Default_Page_URL" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command]
"(Default)" = "%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe -ptid=cvsï¼€u"

[HKLM\SOFTWARE\Wow6432Node\mystartsearchSoftware\mystartsearchhp]
"Time" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
"(Default)" = "%Program Files% (x86)\Google\Chrome\Application\chrome.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe http://www.mystartsearch.com/?type=sc&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\mystartsearchSoftware\mystartsearchhp]
"oem" = "cvs"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"
"Search Page" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"Publisher" = "mystartsearch"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"
"DisplayName" = "mystartsearch"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKCU\Software\Mozilla\Extends]
"ptid" = "cvs"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{33BB0A4E-99AF-4226-BDF6-49120163DE86}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.mystartsearch.com/?type=hp&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\mystartsearch uninstall]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe"

[HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
"quick_searchff@gmail.com" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\quick_searchff@gmail.com"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"DisplayName" = "mystartsearch"

The process nssCF71.tmp:3176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "CA C0 4D CF CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "EB 6E 2B EB CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process ProtectWindowsManager.exe:3500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "20 E9 C3 CC CE 7F D0 01"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "20 E9 C3 CC CE 7F D0 01"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

The process ProtectWindowsManager.exe:3460 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\eventlog\Application\WindowsMangerProtect]
"EventMessageFile" = "C:\ProgramData\WindowsMangerProê—“}"
"TypesSupported" = "7"

The process ProtectService.exe:3668 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\IHProtect]
"ptid" = "cvs"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process ProtectService.exe:3684 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"AutoConfigURL"
"ProxyServer"

The process wpm_v20.0.0.2227.exe:3440 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\supWindowsMangerProtect]
"ptid" = "cvs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process MSI106D.tmp:3272 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process pcspeedup.tmp:3952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Icon Group" = "PC Speed Up"
"MajorVersion" = "3"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"affid" = "2380"

[HKLM\System\CurrentControlSet\services\kbdhid\Parameters]
"CrashOnCtrlScroll" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"UninstallString" = "%Program Files% (x86)\PC Speed Up\unins000.exe"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"UniqueID" = "BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"QuietUninstallString" = "%Program Files% (x86)\PC Speed Up\unins000.exe /SILENT"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"UniqueID" = "BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayIcon" = "%Program Files% (x86)\PC Speed Up\Icon.ico"
"Inno Setup: App Path" = "%Program Files% (x86)\PC Speed Up"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"AVList" = "&av=301"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayName" = "PC Speed Up"
"InstallLocation" = "%Program Files% (x86)\PC Speed Up\"
"Inno Setup: User" = "%CurrentUserName%"

[HKCU\Software\Speedchecker Limited\PC Speed Up]
"UniqueID" = "BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"InstallDate" = "20150426"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"SpeedTest" = "RUN"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"InstallDate" = "20150426"
"CountryCode" = "uk"

"Uninstaller" = "%Program Files% (x86)\PC Speed Up\unins000.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"MinorVersion" = "9"
"Inno Setup: Language" = "uk"
"NoModify" = "1"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"CampaignID" = "ppi_2380_installer"

[HKLM\System\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Publisher" = "Speedchecker Limited"
"EstimatedSize" = "15320"

[HKLM\System\CurrentControlSet\services\PCSUService]
"Group" = "UIGroup"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"RequestID" = ""

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ConfigCountryCode" = "UA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"DisplayVersion" = "3.9.8.0"

[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "1"

[HKLM\SOFTWARE\Speedchecker Limited\PC Speed Up]
"keyword" = ""
"ApplicationPath" = "%Program Files% (x86)\PC Speed Up"
"CrashDumpEnabled" = "2"
"Installer" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"URLInfoAbout" = "http://www.pcspeedup.com"

[HKLM\System\CurrentControlSet\Control]
"ServicesPipeTimeout" = "60000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1]
"Inno Setup: Setup Version" = "5.4.3 (u)"
"NoRepair" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCSpeedUp" = "%Program Files% (x86)\PC Speed Up\PCSUNotifier.exe"

The process VOPackage.exe:1780 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\System\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "CA C0 4D CF CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"source" = "CO18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "7B 16 12 A0 CE 7F D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe"
"Publisher" = "CMI Limited"
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"stats" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"DisplayName" = "Remote Desktop Access (VuuPC)"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process MsiExec.exe:2188 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_IsFileSupportedName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPPutSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPGetSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPCreateIndirectData"

[HKLM\SOFTWARE\Microsoft\PlayReady]
"DataPath" = "C:\ProgramData\Microsoft\PlayReady"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPRemoveSignedDataMsg"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"DLL" = "c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}]
"FuncName" = "XAP_CryptSIPVerifyIndirectData"

The process DTLite4461-0327.exe:3840 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\DT Soft\DAEMON Tools Pro\View]
"Language" = "1033"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\DT Soft\DAEMON Tools Pro\Data]
"google_chrome_time"
"(Default)"
"google_chrome_res"
"google_toolbar_res"

The process XTab_Setup2253.exe:3544 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\XTab"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = "1"

[HKLM\SOFTWARE\Wow6432Node\supTab]
"ptid" = "cvs"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURL" = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02"
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0]
"(Default)" = "SupTabLib"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURL" = "http://www.bing.com/favicon.ico"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
"(Default)" = "IETabPage Class"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\XTab\SupTab.dll"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved]
"{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}" = ""

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"DisplayName" = "Bing"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconURL" = "http://www.google.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}"

[HKLM\SOFTWARE\Wow6432Node\SupDp]
"dir" = "%Program Files% (x86)\XTab"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconURL" = "http://do-search.com//favicon.ico"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"(Default)" = "{968EDCE0-C10A-47BB-B3B6-FDF09F2A417D}"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"URL" = "http://do-search.com/web/?utm_source=b&utm_medium=&utm_campaign=install_ie&utm_content=ds&from=&uid=ST500DM002-1BC142_W2A27G6AXXXXW2A27G6A&ts=1420373293&type=default&q={searchTerms}"

[HKCR\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}]
"(Default)" = "IIETabPage"

[HKCR\Wow6432Node\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"TopResultURL" = "http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}]
"TopResultURL" = "http://www.mystartsearch.com/web/?type=ds&ts=1430017863&from=cvs&uid=535559167_198339_B48A115F&q={searchTerms}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"CheckedValue" = "PMIL"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback" = "http://www.bing.com/favicon.ico"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"DisplayName" = "Google"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}]
"DisplayName" = "e"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY]
"DefaultValue" = "PMIL"

[HKCR\Wow6432Node\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}]
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{E733165D-CBCF-4FDA-883E-ADEF965B476C}.ico"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"AutoDetect"

The process SpeedCheckerService.exe:2188 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 F5 AD 0B CC"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\SpeedCheckerService_RASMANCS]
"FileTracingMask" = "4294901760"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates]
"F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"

The process SpeedCheckerService.exe:3264 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"AutoBackupLogFiles" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\System\CurrentControlSet\services\eventlog\Application\SCService]
"EventMessageFile" = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"

The process %original file name%.exe:2192 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe -- %original file name%.exe 890 00000208 00000210 {3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{3F23AF0C-4D47-46C6-BBA3-EEDC83B4DAAB}]

The process PCSUSpeedTest.exe:3468 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Progress" = "5"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_CountryCode" = "CH"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Ping" = "54"
"ST_Domain" = "151.236.26.173"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_TimeStamp" = "2015-04-26 03:12:24"

[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 F5 AD 0B CC"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Download" = "16618.204"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Status" = "Started"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_AvailableServers" = "SE;Stockholm;46.246.126.220|CH;Zurich;151.236.26.173|IT;Milano 1;149.154.157.241|"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Upload" = "27110.400"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCSUSpeedTest_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Server" = "Zurich"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Ping"

[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates]
"F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"

[HKLM\SOFTWARE\Wow6432Node\Speedchecker Limited\PC Speed Up]
"ST_Status"
"ST_TimeStamp"
"ST_Progress"
"ST_AvailableServers"
"SpeedTest"
"ST_Download"
"ST_Upload"
"ST_Server"

The process nsissetup.exe:2868 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"fdwSupport" = "1"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 02 00 00 00 32 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "64 D4 4F 80 CE 7F D0 01"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFormatTags" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"cFilterTags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"fdwSupport" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "25 CC 85 1E BF 72 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"cFormatTags" = "2"
"aFormatTagCache" = "01 00 00 00 10 00 00 00 31 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 11 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm]
"cFilterTags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm]
"fdwSupport" = "1"
"cFormatTags" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 06 00 00 00 12 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process regsvr32.exe:4004 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\ProgID]
"(Default)" = "PCSU.SysUtils.1"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\Version]
"(Default)" = "1.0"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry]
"(Default)" = "RegistryHelper Class"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}]
"(Default)" = "SysUtils Class"

[HKCR\PCSU.SysUtils.1\CLSID]
"(Default)" = "{B89F5C49-51DB-4974-AB5A-E25901AA339C}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}]
"(Default)" = "IRegistryHelper"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\PC Speed Up"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\ProgID]
"(Default)" = "PCSU.Registry.1"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\PC Speed Up\PCSUHelper.dll"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}]
"(Default)" = "RegistryHelper Class"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0]
"(Default)" = "PCSUHelperLib"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"(Default)" = "%Program Files% (x86)\PC Speed Up\PCSUHelper.dll"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}]
"(Default)" = "ISysUtils"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\VersionIndependentProgID]
"(Default)" = "PCSU.SysUtils"

[HKCR\PCSU.SysUtils.1]
"(Default)" = "SysUtils Class"

[HKCR\PCSU.SysUtils]
"(Default)" = "SysUtils Class"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}]
"(Default)" = "IRegistryHelper"

[HKCR\PCSU.Registry\CurVer]
"(Default)" = "PCSU.Registry.1"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{3157E247-2784-4028-BF0F-52D6DDC70E1B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.SysUtils\CurVer]
"(Default)" = "PCSU.SysUtils.1"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\PCSU.Registry.1\CLSID]
"(Default)" = "{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}]
"(Default)" = "ISysUtils"

[HKCR\Wow6432Node\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}\InprocServer32]
"(Default)" = "%Program Files% (x86)\PC Speed Up\PCSUHelper.dll"

[HKCR\Wow6432Node\Interface\{6C42038D-817A-472C-8C2A-EF46F1DA576D}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}\VersionIndependentProgID]
"(Default)" = "PCSU.Registry"

[HKCR\Interface\{873C7DA8-195D-4D5A-B830-C5E2831901EA}\TypeLib]
"(Default)" = "{3157E247-2784-4028-BF0F-52D6DDC70E1B}"

[HKCR\PCSU.Registry.1]
"(Default)" = "RegistryHelper Class"

The process nssCF72.tmp:3656 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "CA C0 4D CF CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
"WpadDecisionTime" = "A9 26 1D EB CE 7F D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
44a7a613955e6346114916eb3c117f3fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.VisualBasic.dll
2d30a65d2152d72a610f0fe655d01b3ac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.dll
d2e99a5ce4a6efa6bd95204f7ae1b823c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.ni.dll
83b3db8c65d6c7652ddf49bf1c4d8c81c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.dll
8b89c45532b7b07cf713a7c0a3c883bac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll
48b41e220f21695c167fc14d3955588ec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.dll
62847c2c65e237ebbe43a996c5789778c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll
4924780102d2b69938c03068b7c0434cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\SLMSPRBootstrap.dll
c10d58e141182bc336b2f14e384a32d7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Silverlight.Configuration.exe
85559ad0709874a7549642e8e0f86b28c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\Silverlight.ConfigurationUI.dll
56c8a1037f2375349c1fbb901b851426c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.dll
276241c60d7362b1155b8883bad57504c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll
6c6de2aabcda5387f6aa7d54f3f73fefc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.dll
e5e29b8cdaa45c68fd4fd28982433b73c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll
ee74def85ed6a7481af475a5dc65d7c9c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.dll
d544ce7b48c5c48d205dfee0f8e9815bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll
2f012e35c12e683e913a50a59b8aedd8c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.dll
708454805d9182e135f3ab4642baa24ac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll
5e06acd3f66dd01700c89b61df135aa4c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.dll
c630e411a1c9a991c0e8543200f44656c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.ni.dll
eabad6b4b57655c9c8bb25970f32a964c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.dll
f5f5034e67d00fce80bd3f5c9df494dcc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.ni.dll
c9409e4b4c35f5720a572f4963471c0ec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.dll
a3f8a97c0b0efabc8213ddebc9230323c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.ni.dll
342288601aa90e1b270419249ec6e43bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.dll
e9eef35471cbef94e520a62d20efdd73c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.ni.dll
a937f6473a8db558ca1e2ba5351938c6c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.dll
d48ccdf3f666c7562029aa96628857a2c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll
15e78e524918f73f22b9a798eace9ae3c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.dll
3e947c88a7f04e4896928b58fd896af7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll
53d9b6167e73d48c94dd30d8d114ecdec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll
4ee7f6e2852c7afa7fbc95bc6d1da5cec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\agcore.dll
4315c405baf5bf92f92cf478dffc9ca5c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\agcp.exe
aead1b166e25e4794d47778e6af76dffc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\Microsoft.VisualBasic.resources.dll
4491868178049c94979fe1b92ce0e425c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\mscorlib.resources.dll
345e2d39fbfe27b8828b8ac42abe2435c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\mscorrc.dll
2faefe792fa8bb78d6f5ef20443bd673c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ar\system.resources.dll
18e30e5d7e9385a22881a9b21b67f1f6c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\Microsoft.VisualBasic.resources.dll
5f41f2f7487fd53388b522e798a27ddac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\mscorlib.resources.dll
a46bc4c044564141ae33dd6f531602b0c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\mscorrc.dll
264927cd33c64e23a84eaaa14b572655c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\bg\system.resources.dll
841d35b03c37cfaba9c079003a5afd92c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\Microsoft.VisualBasic.resources.dll
ac67be81d31b85f3d6296ad5ad7a6a0fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\mscorlib.resources.dll
4127e7f310e9e33027a53cf7ff8d461fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\mscorrc.dll
55e4488dd13515c21e808797e7dc2ecfc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ca\system.resources.dll
f769a78b415031fb8c62b64a4df70402c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\coreclr.dll
a6eb1d987243861267101e7a07a94cd6c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\coregen.exe
3f4e34200e3062cbad41d672e96b58bec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\Microsoft.VisualBasic.resources.dll
f1fbfd6acfcfa2ea15493f45ca6e8359c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\mscorlib.resources.dll
23ba8ffaac071f05bdb95c651122dd14c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\mscorrc.dll
8b5929a2e8f6f2f2f8dd14400bc6f15fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\cs\system.resources.dll
f31c8c869f1a5709da849bb658da7c1bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\Microsoft.VisualBasic.resources.dll
73708f057fddf619d99cfd8a0c29eed4c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\mscorlib.resources.dll
4f044fe5f71a79eb50be78c314216decc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\mscorrc.dll
bd2af65cfb0e30301dffecc06dfa03e7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\da\system.resources.dll
2319c9029c693d636ff96a47f327b624c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\Microsoft.VisualBasic.resources.dll
588858360fc177afea606f569b90e502c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\mscorlib.resources.dll
795da5b7057c9c268030690ee253e288c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\mscorrc.dll
784f0445fdda500cb8b834d67f5e175ac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\de\system.resources.dll
180c41dedde5bcdfdb3b817b76ed6803c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\Microsoft.VisualBasic.resources.dll
e9f11e43483e0dde9fa3f81f9bcf95e1c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\mscorlib.resources.dll
70cde4f000da32fe0ef5e629aaf64e84c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\mscorrc.dll
70a17515b2680d7f4494589c0313a939c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\el\system.resources.dll
09df8b997b28f189436064a26be6d992c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\Microsoft.VisualBasic.resources.dll
fe3dafda9a7f64fb55edfa5dc9db5763c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\mscorlib.resources.dll
5d17519c98e3667247d94ad450ade2fec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\mscorrc.dll
3474490c9110675524110d76ebff5388c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\es\system.resources.dll
e9294d118f6f7f901bdcad6ca413eb65c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\Microsoft.VisualBasic.resources.dll
10ed5feb6cdfc797446b4343e0e678bac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\mscorlib.resources.dll
447180e743e96e61726a2935bb6320acc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\mscorrc.dll
b90f99d3bd937b2d013939a353d033fec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\et\system.resources.dll
ac0608c0d022738f5bd28d9556309d5cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\Microsoft.VisualBasic.resources.dll
c55916d87f40793d84088365b9989326c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\mscorlib.resources.dll
96f9a1fa5ac8fab13401bda693dd87bac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\mscorrc.dll
f548d99f60c55eb0cb3ae769a1b5b0d7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\eu\system.resources.dll
a8318822f2b610798015442411be8219c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\Microsoft.VisualBasic.resources.dll
9361a64298ee0d54390afcbecd004bffc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\mscorlib.resources.dll
254757711a62fb942c331beba8b80a47c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\mscorrc.dll
0a3ebba35f4796a45a529e97810abdc4c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fi\system.resources.dll
4821acd9b8bfd6e7e8594e7d272bca9fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\Microsoft.VisualBasic.resources.dll
c09c612d1c02d171de368b4fcb3a1132c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\mscorlib.resources.dll
1fed4926c3f3f0a0a15ba69dc7132bb9c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\mscorrc.dll
0b5ed90dc3901e881a9d445e28bd0b54c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\fr\system.resources.dll
bea69ced18cfebf0f67007d0769d55f2c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\Microsoft.VisualBasic.resources.dll
18860994ab1d09ff10c059804bf02a2fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\mscorlib.resources.dll
2c589401d3fd26878caa33cb1d8b0400c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\mscorrc.dll
0a77717b4ec2f62b6d0f1aa9f20d563cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\he\system.resources.dll
28d60dc96ce0a9d22d0718a3b65b876cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\Microsoft.VisualBasic.resources.dll
549ff0dd051b70c441bd54691e4cc739c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\mscorlib.resources.dll
f0cc18d981ce20108d2c8f1a06c886c7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\mscorrc.dll
75e304bc278fe41f9bc3f90a2a000811c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hr\system.resources.dll
14e68af2041d601dc928f74ae9e36f6cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\Microsoft.VisualBasic.resources.dll
34489de23d4bfbf02f7381caa6eec6ecc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\mscorlib.resources.dll
4f86a4f6dfe5c6eca2a26604e0f5e1adc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\mscorrc.dll
4a47045e3db6b295792c03b91ce3cf60c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\hu\system.resources.dll
820edb415ccdc654b2202a1cc3d369f8c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\Microsoft.VisualBasic.resources.dll
a11cb549a8acbdaf5a9e25daf319c157c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\mscorlib.resources.dll
0ad56078008c35ea46e70e4753c9ba55c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\mscorrc.dll
9f899aec8f7d21c4ef05a1e40fcfb13fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\id\system.resources.dll
137677a2e5623b754ac4306589d7df52c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\Microsoft.VisualBasic.resources.dll
8c34a24d9d358cdec09438389ff74940c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\mscorlib.resources.dll
ff66d398dfff7b706661cacd91eb1d7cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\mscorrc.dll
bfb50b8c5d4673ec46003a5cf2e22ba7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\it\system.resources.dll
4016a5ae3fedc51a6e5b4f71a31ff476c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\Microsoft.VisualBasic.resources.dll
fc92e1abcf9a37c07d1f56a9d14a131ec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\mscorlib.resources.dll
6d4ef84a43957ed53e17076b49c25a49c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\mscorrc.dll
1014172ed25c43f771e370a272d89605c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ja\system.resources.dll
7cd93f2d2462d65e92eb75c5065662d5c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\Microsoft.VisualBasic.resources.dll
d3eec38f0735ea0546adf199f9a42d42c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\mscorlib.resources.dll
4c518a6e2967ef659e352a6c834bdc89c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\mscorrc.dll
20ff98ad45e7b1082295ff4d3655d7f3c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ko\system.resources.dll
fb1715aa866cab7db7e1fa6a75718e82c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\Microsoft.VisualBasic.resources.dll
7d3c2857974ff7043088b0b8d32243e7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\mscorlib.resources.dll
360b0cd903015fd1a443bce16d06d983c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\mscorrc.dll
351e338b52777247c7e62a2880de6a5bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lt\system.resources.dll
289aec20f98defd43fe7b16eea402fedc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\Microsoft.VisualBasic.resources.dll
3fc989186d7ed0da90f7da49e9baa874c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\mscorlib.resources.dll
16fc0902a1a7af7c76a8ddfa84f8ff57c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\mscorrc.dll
5ac55d999c52c254c5329b5347d297e9c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\lv\system.resources.dll
f458ff1a4c2d48254b24f44e3950c250c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\Microsoft.VisualBasic.resources.dll
b5680243f335b28af8473c1328c31584c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\mscorlib.resources.dll
ca502c22de889a9f28a29caacb9545d6c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\mscorrc.dll
1b45a994c693ba7d388d4b64050c63dfc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ms\system.resources.dll
1cb16e581e2355fbb86c78cde60ff3e3c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.dll
03a718e09ea1e561c261e1dd0ffd4afcc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll
756cfae0b81be30f903fde796267e368c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\mscorrc.dll
16e0ae792ed1b7814ad52c37587323bbc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\Microsoft.VisualBasic.resources.dll
54e38ff06897fc4bc27630a73a971e0bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\mscorlib.resources.dll
80268fbe25edb57486bfca9773cbb79cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\mscorrc.dll
dd90d0551aeea77ee44dcde76fe1715ac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\nl\system.resources.dll
87a905bafa19225e970d032971a5bb3cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\Microsoft.VisualBasic.resources.dll
df4bd2a6ad2f73b5015d93c6c3c228d5c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\mscorlib.resources.dll
7d0c626e2dc8f0376f13ce2d42608322c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\mscorrc.dll
d88b57a1b3e5da5ee33258721b1b16d5c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\no\system.resources.dll
893bf7d2261c56c24f813405d9d018e0c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll
8da2ed6b04ea33f2eae8ba883f903729c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
8162e6043daba4971f6b8bdf47968de3c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\Microsoft.VisualBasic.resources.dll
971562b310cf55a0405b811c57c06f7fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\mscorlib.resources.dll
10741b4b1d22fa77c2c77f2ca7d599bcc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\mscorrc.dll
facf9822ff983e641934fd0a12cfdabac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pl\system.resources.dll
ca29c362b39e008913aee94492410f69c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\Microsoft.VisualBasic.resources.dll
36ff74cc03c17b353413e51716f53cc5c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\mscorlib.resources.dll
8402aa257ae8c85544aedce3ca94e550c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\mscorrc.dll
7d6c1223a1b36af1091ece13e37e2c79c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt-BR\system.resources.dll
dcfe976a4e2b277820b1cd8118fbbce4c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\Microsoft.VisualBasic.resources.dll
792af39f32f13ea2eafc8e1415ce9af0c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\mscorlib.resources.dll
c0c215cdf31ba724d72a575dcfcd1cbac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\mscorrc.dll
e5fca8e93c103c44fce9e3782d33de81c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\pt\system.resources.dll
87517a204f53f92cbaede953464c2c44c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\Microsoft.VisualBasic.resources.dll
52f469cdf0c02fae4afc0efd433569a3c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\mscorlib.resources.dll
c687cf1bfba5c29100c7badfb70d6baec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\mscorrc.dll
fe910815fe7b7dfd59e2aa14492ca109c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ro\system.resources.dll
2b2eafc59ea959cfc4c3f0c5d11a43cdc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\Microsoft.VisualBasic.resources.dll
a11a0a637a17cbbc7ff7b194aeba1c72c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\mscorlib.resources.dll
3b504eba88b956c14279151f803b4a85c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\mscorrc.dll
809625ef867dfdfe8d3b7e0d1d27234bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\ru\system.resources.dll
8d1494e7e8a2f83e4d962f87259d22b8c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\Microsoft.VisualBasic.resources.dll
ee3a2d02aa33bd8e2ded883c870a71bcc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\mscorlib.resources.dll
3cd628af65cf85f0a02fab784c31595fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\mscorrc.dll
fabd9bf37e4471343b188ebfb5820f18c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sk\system.resources.dll
f47733116d55209cce9f9da10402ffa0c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\Microsoft.VisualBasic.resources.dll
a092710a007cbe654f8c987a8338201bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\mscorlib.resources.dll
dae6994e8ba5c665b72bd1adf0288db9c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\mscorrc.dll
28dd0107ed3238180063f3a3f41d11eec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sl\system.resources.dll
41b91f0782e500cf8b63ded7fbcd812fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\Microsoft.VisualBasic.resources.dll
2d0d3475f078db74be9eabb9ec1c6ac1c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\mscorlib.resources.dll
c9e6c96c732306cc9d871dcbcb357c93c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\mscorrc.dll
839e7abcdb6a058bbb1cce9161265f81c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Cyrl-CS\system.resources.dll
37b3eacf8145fafa57af5278378ce21fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\Microsoft.VisualBasic.resources.dll
39cc6097739bf44c14ef036cf1f310ccc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\mscorlib.resources.dll
f74ea592c35fc8ec9eaa4ed7897cf879c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\mscorrc.dll
40f8462e48da5dd64037a9107c634ea1c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sr-Latn-CS\system.resources.dll
419c5c54cfcf5af26d7dd5ce8321309ec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\Microsoft.VisualBasic.resources.dll
da25d839a93068d7ef2bf78e4b986519c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\mscorlib.resources.dll
4b82085a57061df5f4e5505d3c76880ac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\mscorrc.dll
516d1dc039a784e67f73c679416e8cc1c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\sv\system.resources.dll
9c641e70ad7f26f6ef006d0bc22875bec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\system.dll
073b16bd67f4b43a7736f6a728ce5b25c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\Microsoft.VisualBasic.resources.dll
75db1e8393968bfb2c86207f8eaf604ac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\mscorlib.resources.dll
e125316ed76cf593cedadddcc3e077d9c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\mscorrc.dll
c94daf3826915f9c67f889e2f938d19fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\th\system.resources.dll
3a5a482e5735c0cc0612f6ec585d1aabc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\Microsoft.VisualBasic.resources.dll
f1d96b7609c5a295d768a09a26ccca01c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\mscorlib.resources.dll
905d9bf18ea3365fbc18938cf9916551c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\mscorrc.dll
83da04138530cce3c46e8586445996b7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\tr\system.resources.dll
d9f7b2f82160cd2c77fee6a6b544e93bc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\Microsoft.VisualBasic.resources.dll
8edd44b943235871a720bd52baae189cc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\mscorlib.resources.dll
93ad5c3edd47fe400154ab70fe2f1029c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\mscorrc.dll
f5c3130a6532d8b620e428f2a61753dcc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\uk\system.resources.dll
73bf154dc7ec08897aeac36f768e62d2c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\Microsoft.VisualBasic.resources.dll
a258474d2b4ef33ac3fe2e26c7727adbc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\mscorlib.resources.dll
bb90c2f8c1ed522b924169f0e131884fc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\mscorrc.dll
255dcdf47229587046a8597d4e8af5afc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\vi\system.resources.dll
044312764bb4a8b842bb192c4f4216b4c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\Microsoft.VisualBasic.resources.dll
27e68fa359d4940aff22708fd10fbc2dc:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\mscorlib.resources.dll
34dda034e940f6adf325a430bd7cf5b7c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\mscorrc.dll
d499f0165528a2d08fa299ffd2792c63c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hans\system.resources.dll
edb4930390c4995447bebe75b5ae19dec:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\Microsoft.VisualBasic.resources.dll
7e9597fb7f0b7d15ef698601981da6bac:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\mscorlib.resources.dll
8e71d73c5dd196346fe580864c354231c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\mscorrc.dll
eddaf9f8b76b6c2355e24eab0825b057c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\zh-Hant\system.resources.dll
be0de0030a07c0e2adcb2d00c2b5bb1cc:\Program Files (x86)\Microsoft Silverlight\sllauncher.exe
cfbe6ac308ddcbcef06658a5a1b82948c:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll
0ecc954ab71b850e438d0b8526db9e01c:\Program Files (x86)\PC Speed Up\Common.Logging.dll
b42ca2d572854bb967800bba8b6e2e6bc:\Program Files (x86)\PC Speed Up\FileUploader.exe
49ca5298b7ffbe3e7a6310461dd146dac:\Program Files (x86)\PC Speed Up\ManagedWifi.dll
a0e65e9c544769db4f93fc5218360d00c:\Program Files (x86)\PC Speed Up\PCSUHelper.dll
265eeda920d608d7858a37a519b6e212c:\Program Files (x86)\PC Speed Up\PCSULauncher.exe
d909405a1af3faefec58113fb89a8fb4c:\Program Files (x86)\PC Speed Up\PCSUNotifier.exe
7d3cc1e5a02079da66a28dc636dcfd64c:\Program Files (x86)\PC Speed Up\PCSUQuickScan.exe
f45785ae72c6fa7e645597542e33cb19c:\Program Files (x86)\PC Speed Up\PCSUSD.exe
e6bd031b2eaf9c5e966d0535569e4f4ac:\Program Files (x86)\PC Speed Up\PCSUService.exe
3ceda9c3318d4e5aa13d64572bdfa09bc:\Program Files (x86)\PC Speed Up\PCSUSpeedTest.exe
a5d866d482a18d324492e7d1de9b57cac:\Program Files (x86)\PC Speed Up\PCSUUCC.exe
0744c4851a307a9258b6750fe8fd5872c:\Program Files (x86)\PC Speed Up\PCSpeedUp.sys
6f41ef91f5744f70a0bc59f6c0edff98c:\Program Files (x86)\PC Speed Up\PopupNotification.dll
4925c74a98afbaf271d6513599be7155c:\Program Files (x86)\PC Speed Up\SharpBrake.dll
94794cb85a65beca0c153528faa27bdfc:\Program Files (x86)\PC Speed Up\Skyhook.exe
b84604b780b136e5b81345b06d4d0551c:\Program Files (x86)\PC Speed Up\SpeedChecker.dll
7c8c94cb80a9a83f6dc04894d6e843c6c:\Program Files (x86)\PC Speed Up\SpeedCheckerService.exe
24d9f00e1604db8ff49f599dea248facc:\Program Files (x86)\PC Speed Up\Sqlite3.dll
0fbe91d8b0bb7f5784a31bd5c2875aa2c:\Program Files (x86)\PC Speed Up\agsXMPP.dll
a1e59cd38160bcdfc61f383741ba7adec:\Program Files (x86)\PC Speed Up\qs64.dll
6b2b214c4bc2dad2e86b1cc41f42ab92c:\Program Files (x86)\PC Speed Up\unins000.exe
916672bbbecfb618456cd1b99eb4399cc:\Program Files (x86)\PC Speed Up\wpsapi.dll
0183c88583bbf1c99d67acce017c9bebc:\Program Files (x86)\XTab\BrowerWatchCH.dll
fd0b82d24d162e240931cfd5540d3021c:\Program Files (x86)\XTab\BrowerWatchFF.dll
5785680870eff9ba7b4f58c726552013c:\Program Files (x86)\XTab\BrowserAction.dll
b124f96efd0010e4f7e262f08519e9e4c:\Program Files (x86)\XTab\CmdShell.exe
77ccf1c943665ececf9a5ce699560500c:\Program Files (x86)\XTab\HPNotify.exe
4a345a11cc64ab72cb09ff391611dad0c:\Program Files (x86)\XTab\IeWatchDog.dll
cc709fa63d5a536a2f8275c0cea39070c:\Program Files (x86)\XTab\ProtectService.exe
efa257c845943b84922117758c955434c:\Program Files (x86)\XTab\SupTab.dll
3e29914113ec4b968ba5eb1f6d194a0ac:\Program Files (x86)\XTab\msvcp110.dll
4ba25d2cbe1587a841dcfb8c8c4a6ea6c:\Program Files (x86)\XTab\msvcr110.dll
e29708f3781e5790424ca59a0fbb1bd3c:\Program Files (x86)\XTab\uninstall.exe
8a8f5ebe2fd9c2e6325723209b9cdf32c:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe
8a8f5ebe2fd9c2e6325723209b9cdf32c:\Users\All Users\WindowsMangerProtect\ProtectWindowsManager.exe
b3113668f356c345dd1efae531e257f8c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\count_vc[1].htm
f99ba617f06b2dfd62cd23ae7c9484fdc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\count_vn[1].htm
08caec472db03f5ea68e2b097fdfb502c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe
beb43f12e33b63594c924db62cfe7c3cc:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe
148bdbdcbac38fbf0b4d3c145e9b0199c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\262bebb37d687dabfd48d85e0de76564\cvs_mystartsearch.exe
64caebfbdca2ef8ec782c7ad90e20360c:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\dad4890a8fda856f77d8f153dc13db68\VOPackage.exe
f02155fa3e59a8fc48a74a236b2bb42ec:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll
4f88bef9204d347c0d1c99d7be7baae8c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DTSetupHelper.exe
67d8f4d5acdb722e9cb7a99570b3ded1c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\InstallOptions.dll
7062b63645101a612ce0f69e7453abbbc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Chrome.exe
35798a34ca30a4a4a37b635318d8c959c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Toolbar.exe
d932447f25f3a284fcf7191231867e55c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\AFK.dll
a41dbfb0724d40810e97726ba2bbb7cac:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ARA.dll
587017cdee10b1899638489737c04c0bc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BGR.dll
dc0b79c33d48466f5260ea87421b23cac:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BIH.dll
9d364f08d8d0a0271ece8dd3b26efd82c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CAT.dll
23b0a273336d3e55daf1bee481569dacc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHS.dll
56c05b61e6d34f64a86dd938746f0fe6c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHT.dll
13c02b3862d5f4df0a6d97fb04c192f6c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CSY.dll
780175961ed15067d17e2ca33102e040c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DAN.dll
9ccefd9de90dba00f2e87acb15f28257c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DEU.dll
31d21a47452ad4054de43ea84bf086a5c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ELL.dll
64353d862197de70e813ea385c71cd70c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ENU.dll
425420280f09987b6354dcdaa70acbdac:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ESN.dll
903a1ba5bb47b9e70818d565004d14c7c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FIN.dll
3a5a4ac2f9d8b76fcaa0fcf477d66febc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FRA.dll
07c509d1d4298a59f3fc1f84bcc0adbdc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\GLC.dll
ed58d1766f15770175a94af2fdacfcffc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HEB.dll
219d08d6af054298d19d2f40ec7b57f0c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HRV.dll
85069620b785602b5721842bf4245dd8c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HUN.dll
50d93fbb149d210ce5132f6bec8dbd8fc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HYE.dll
ecdf1900557afaea53a458b21d826b41c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\IND.dll
10ca143d83a7655994af434cb19bb0d6c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ITA.dll
78f48e394542c0b5160f2c584672a3bbc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\JPN.dll
c443e20a057a8bfb968d05c99d2d5f14c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KAT.dll
8146c0f238fb5ea36e495cba62f9e83bc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KOR.dll
5991794939c6019129934beabb2df27ac:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LTH.dll
1bef1cce3a582cfdd7eee57d7cc4caefc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LVI.dll
45896e78ae455c17a9538b1cc8a8394dc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NLB.dll
225b686f7985c10f529418a236ea7151c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NOR.dll
02172c552b7fac544f302a69c9d94655c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PLK.dll
4c4d4741f7499eecc4e73b925f8bbe82c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PTB.dll
4e2aefb336983043faf5a7434761fcc5c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ROM.dll
096b3d2003c36b823f2185fd80f7c08fc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\RUS.dll
38acaf5e059d114d767468842d893ab2c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SKY.dll
5c8b4989bb0f17084916a0f7fc658fc3c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SLV.dll
3a3fb7287719e29415e1666c91c1c873c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SRL.dll
3499a25e08dd7ad84d699202e7f0fa21c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SVE.dll
adeeeecb5603b5ed7ba7a87926b5b510c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\TRK.dll
77c025ed15ff18b5f964008d238ffed5c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\UKR.dll
243e820e072b7a0a8be07e736445408fc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\OCSetupHlp.dll
1323d01fc1b3ec2ac91365a37dc0be0cc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupHelper.exe
959ea64598b9a3e494c00e8fa793be7ec:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\System.dll
fc5b2ac8d68459ec61f653676d8bcd5dc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gcapi_dll.dll
61bc40d1fad9e0faa9a07219b90ba0e4c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gtapi.dll
f7b92b78f1a00a872c8a38f40afa7d65c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\nsDialogs.dll
ad010a6d16dc872b9df1ae719d4255dbc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll
f99ba617f06b2dfd62cd23ae7c9484fdc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp
b3113668f356c345dd1efae531e257f8c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp
8b8a54e9f3416ba5f4f63fd210b9df40c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe
0d2c31cb2284ab5804e63b486aedf027c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll
3a30d6a48390fa807156aa161f6a8189c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll
e02f396387f8aa59fa7cc942638d67eec:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BaofengUpdate.exe
a5bfd6a87161d5dfa81cb5c2c6d29488c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\UninstallManager.exe
a96619564071df84cc892752df062a6dc:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe
e7b4b146a101093e11ce45d203dd907bc:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe
8a8f5ebe2fd9c2e6325723209b9cdf32c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe
c12e34c6137b6ae3cc141e81dccf0f84c:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\Uninstall.exe
64caebfbdca2ef8ec782c7ad90e20360c:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\vnstF593.tmp
c12e34c6137b6ae3cc141e81dccf0f84c:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe
64caebfbdca2ef8ec782c7ad90e20360c:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\VOPackage.exe
a5bfd6a87161d5dfa81cb5c2c6d29488c:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe
086bf9f68879020f08e62f33807f5842c:\Windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIconDll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    pcspeedup.exe:3936
    install.exe:2612
    PCSUService.exe:604
    PCSUService.exe:3100
    PCSUService.exe:3444
    cvs_mystartsearch.exe:948
    BaofengUpdate.exe:3384
    BaofengUpdate.exe:2892
    nssCF71.tmp:3176
    ProtectWindowsManager.exe:3500
    ProtectWindowsManager.exe:3460
    PCSUSD.exe:4000
    ProtectService.exe:3668
    ProtectService.exe:3684
    wpm_v20.0.0.2227.exe:3440
    MSI106D.tmp:3272
    pcspeedup.tmp:3952
    VOPackage.exe:1780
    XTab_Setup2253.exe:3544
    HPNotify.exe:3756
    coregen.exe:3664
    coregen.exe:3576
    coregen.exe:3472
    coregen.exe:3460
    coregen.exe:1132
    coregen.exe:3624
    coregen.exe:336
    coregen.exe:3440
    coregen.exe:3208
    coregen.exe:3392
    coregen.exe:3144
    coregen.exe:1244
    coregen.exe:2060
    coregen.exe:3080
    coregen.exe:1108
    SpeedCheckerService.exe:3264
    cmdshell.exe:3740
    %original file name%.exe:2192
    PCSUSpeedTest.exe:3468
    regsvr32.exe:4004
    regsvr32.exe:1072
    nssCF72.tmp:3656
    Skyhook.exe:912
    Silverlight.exe:3240
    PCSUNotifier.exe:3972

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-PAARG.tmp\pcspeedup.tmp (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SilverlightMSI.log (90000 bytes)
    C:\135c1e3ab58ad80afdd7f364\install.res.dll (397 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Silverlight0.log (6780 bytes)
    C:\135c1e3ab58ad80afdd7f364\Silverlight.msp (3692 bytes)
    %Program Files% (x86)\PC Speed Up\PCSpeedUp.s3db-journal (13980 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService.log (1858 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService-Timer.log (99 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUSpeedTest.exe (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\Thumbs.db (27 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_1.ipk (37339 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\quick_searchff#5.4.10.xpi (1209 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button1.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\MessageBox.xml (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code6.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\uninstallDlg2.xml (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\XTab_Setup2253.exe (19594 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code2.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\2[1].zip (291497 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code3.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\unchecked.png (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BFVUpdateM.dll (1137 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FBFDE863-3C17-4B82-A5D1-9B8ED5BE6B40.tmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\UninstallManager.exe (15958 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code4.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\BaofengUpdate.exe (1206 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_bg.png (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg.png (1209 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code1.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\sweetsearch!1.0.0.1031.xpi (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tCE1709AA862C234DD936mp.tmp (144 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\DataBase (7769 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\RegWrite.exe (1137 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bk_shadow.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\loading_light.png (139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\close.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\min.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\535559167_198339_B48A115F[1].htm (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\conf (83 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\code5.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\535559167_198339_B48A115F[1].htm (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox_select.png (783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\428.json (520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\Man_2.ipk (28823 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\bg1.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\button.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\code\Thumbs.db (42 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\428.db (200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checkbox.png (545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\1[1].zip (195558 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\tmp\wpm_v20.0.0.2227.exe (3249 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\checked.png (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp-RunningMan\images\scrollbar.bmp (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WebDataJs (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\googlelogo.png (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\restoreprefs.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\properties.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bk_shadow.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\default_logo.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code5.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A987.tmp (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\Thumbs.db (27 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\xagainit.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\hotSearch.js (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es-419\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\mostgrid.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox_select.png (783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CA\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery-2.1.0.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg1.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\jquery.autocomplete.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\en-US\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\index.html (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\last_tab.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-LU\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\common.js (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\misc.js (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\ru-MO\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\search.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\bg.png (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pl\locale.properties (1 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\icon.png (628 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\button1.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\google_trends.png (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\tr\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome.manifest (1 bytes)
    %Program Files% (x86)\Mozilla Firefox\browser\searchplugins\mystartsearch.xml (565 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checked.png (222 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_bg.png (159 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\pt-BR\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\scrollbar.bmp (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\unchecked.png (135 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\style.css (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\module\stat.js (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\it-CH\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\addonmanager.js (531 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-TW\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\newtab.ico (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\preferences.js (379 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code3.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code1.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\Thumbs.db (42 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\logo.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\js.js (660 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\urlrequestor.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.ini (486 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\close.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-BE\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\zh-CN\locale.properties (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\pack\ga.js (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\min.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code4.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\uninstallDlg2.xml (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\A998.tmp (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\popup_image_helper.js (693 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\vi\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\remoterequest.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\settings.js (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\misc.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code6.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\428.json (520 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\es\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\MessageBox.xml (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\modules\aes.js (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\quick_start.xul (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\speed_dial.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\UninstallManager.exe (14022 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\checkbox.png (545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\simple.css (4 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\js\lib\doT.min.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\defaults\preferences\fvd.js (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\skin\loading.gif (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\loading_light.png (139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\content\include\tools\about_blank_hook.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\1430017864_xpi\chrome\locale\fr-CH\locale.properties (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\mystartsearch\images\code\code2.jpg (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\0[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84C9.tmp (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B6Z6HGT4.txt (106 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\0[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp (43 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\up[1].htm (1 bytes)
    C:\ProgramData\WindowsMangerProtect\update\conf (1 bytes)
    C:\Windows\Tasks\PC SpeedUp Service Deactivator.job (336 bytes)
    %Program Files% (x86)\PC Speed Up\Sqlite3.dll (585 bytes)
    %Program Files% (x86)\XTab\msvcp110.dll (536 bytes)
    %Program Files% (x86)\XTab\msvcr110.dll (876 bytes)
    C:\ProgramData\IHProtectUpDate\update\conf (5 bytes)
    %Program Files% (x86)\XTab\CmdShell.exe (32 bytes)
    C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (2444 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coregen.exe (69 bytes)
    %Program Files% (x86)\PC Speed Up\unins000.exe (49 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\PC Speed Up.lnk (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-SBV4J.tmp (3361 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Silverlight.exe (1738736 bytes)
    %Program Files% (x86)\PC Speed Up\is-0OS0F.tmp (2321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SNE55.tmp (20 bytes)
    %Program Files% (x86)\PC Speed Up\is-29LNJ.tmp (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-SG3HV.tmp (54589 bytes)
    %Program Files% (x86)\PC Speed Up\is-F2546.tmp (31891 bytes)
    %Program Files% (x86)\PC Speed Up\is-8PBKC.tmp (673 bytes)
    %Program Files% (x86)\PC Speed Up\is-6KBMV.tmp (48 bytes)
    %Program Files% (x86)\PC Speed Up\unins000.msg (864 bytes)
    %Program Files% (x86)\PC Speed Up\is-3GVGP.tmp (3361 bytes)
    %Program Files% (x86)\PC Speed Up\PCSULauncher.exe (81 bytes)
    %Program Files% (x86)\PC Speed Up\is-IPS4T.tmp (23 bytes)
    %Program Files% (x86)\PC Speed Up\is-8FSMN.tmp (2321 bytes)
    %Program Files% (x86)\PC Speed Up\is-65J6L.tmp (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-PB612.tmp (601 bytes)
    %Program Files% (x86)\PC Speed Up\is-RIIRJ.tmp (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PCSUNotifier.exe (2465 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\PopupNotification.dll (2321 bytes)
    %Program Files% (x86)\PC Speed Up\is-V7JN2.tmp (6841 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\Sqlite3.dll (3361 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedCheckerService.exe (24 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\itdownload.dll (1489 bytes)
    %Program Files% (x86)\PC Speed Up\App.config (3718 bytes)
    %Program Files% (x86)\PC Speed Up\is-S2DD8.tmp (55 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\_isetup\_setup64.tmp (6 bytes)
    %Program Files% (x86)\PC Speed Up\is-V94DR.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-S7P3F.tmp (28 bytes)
    %Program Files% (x86)\PC Speed Up\is-BSQHS.tmp (2321 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService.conf (605 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-JF5OQ.tmp (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-EKJKL.tmp (265 bytes)
    %Program Files% (x86)\PC Speed Up\is-QCKKO.tmp (889 bytes)
    %Program Files% (x86)\PC Speed Up\is-3GHQ8.tmp (4545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\delete_me_reportInstall.txt (2 bytes)
    %Program Files% (x86)\PC Speed Up\is-1IA04.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-26 #001.txt (585081 bytes)
    %Program Files% (x86)\PC Speed Up\is-A5LBU.tmp (2105 bytes)
    %Program Files% (x86)\PC Speed Up\uninstaller.dat (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TRMF5.tmp\WebBrowser.dll (2763 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up\Uninstall PC Speed Up.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-55LAA.tmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-C42T5.tmp (7 bytes)
    %Program Files% (x86)\PC Speed Up\is-50NHH.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\PC Speed Up.lnk (1 bytes)
    %Program Files% (x86)\PC Speed Up\is-QOQI6.tmp (47 bytes)
    %Program Files% (x86)\PC Speed Up\unins000.dat (53168 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-BA2BP.tmp (601 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUSD.exe (405 bytes)
    %Program Files% (x86)\PC Speed Up\is-95IRN.tmp (601 bytes)
    %Program Files% (x86)\PC Speed Up\is-0OSRR.tmp (7726 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUService.exe (446 bytes)
    %Program Files% (x86)\PC Speed Up\is-MBUJ4.tmp (35 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp\is-MNGUG.tmp (4 bytes)
    %Program Files% (x86)\PC Speed Up\is-LMJL1.tmp (12 bytes)
    %Program Files% (x86)\PC Speed Up\is-1MP8Q.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF41B.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD83B.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF611.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn8ABB.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEEDA.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy87EC.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp (3656 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD53D.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF778.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\WmiInspector.dll (2840 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd8944.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF2E2.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoFA58.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiD28C.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst900B.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst8646.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst9192.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8480.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage\Configure.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\stats[1].htm (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD907.tmp (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdD134.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\IpConfig.dll (3440 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyD6E3.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\vnstF593.tmp (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy92EA.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd9442.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoD3E5.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstEDA1.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\heu39T.nss (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC0EF.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\VOPackage.exe (1748 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF1B9.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\VOPackage\Uninstall.exe (1336 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoF8D1.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd95C9.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\A0804D56-1430018013-6E51-A934-1069B2C7BDD2\Uninstall.exe (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\count_vn[1].htm (2888 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyF080.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyCD6E.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi8E45.tmp (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\count_vc[1].htm (5984 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp (7288 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\SLMSPRBootstrap.dll (618 bytes)
    %Program Files% (x86)\Microsoft Silverlight\xapauthenticodesip.dll (65 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ELL.dll (3406 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\favicon.bmp (894 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHT.dll (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupHelper.exe (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChrome.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LTH.dll (3722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageTrialInfo.ini (796 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\RUS.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\License.rtf (814 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-header.bmp (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PTB.dll (5114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\modern-wizard.bmp (7192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SLV.dll (1921 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\PLK.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageEmail.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ReinstPage.ini (478 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BIH.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\InstallOptions.dll (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleToolbar.bmp (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SVE.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll (165851 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SKY.dll (3410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ESN.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\GoogleChromeIcon.bmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ITA.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ENU.dll (3722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HEB.dll (3402 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HRV.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ARA.dll (3402 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy51F.tmp (316027 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\AFK.dll (29 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NLB.dll (3718 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\LVI.dll (1913 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DAN.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\ioSpecial.ini (8566 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\JPN.dll (2461 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KOR.dll (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FRA.dll (5123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\OCSetupHlp.dll (27504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DAEMON_Chrome.bmp (7192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CHS.dll (1601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\MountSpace.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPagePaidInfo.ini (7109 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CAT.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\translate-icon.bmp (894 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gcapi_dll.dll (16424 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\share-icon.bmp (838 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\SetupWaitPage.bmp (8184 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\DEU.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Toolbar.exe (20624 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\FIN.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HUN.dll (3402 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\gtapi.dll (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\IND.dll (3722 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\ROM.dll (3406 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\license.bmp (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\CSY.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\TRK.dll (2465 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\KAT.dll (3726 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\moutspace-bg.bmp (22552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\NOR.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\JRYI-Chrome.exe (20624 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\DTSetupHelper.exe (6532 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\GLC.dll (1917 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\BGR.dll (5118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\WaitPage.ini (642 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\UKR.dll (5110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\SRL.dll (3730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\System.dll (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\RegPageType.ini (9662 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\Lang\HYE.dll (3402 bytes)
    %Program Files% (x86)\XTab\web\img\loading.gif (5 bytes)
    %Program Files% (x86)\XTab\skin\btn.png (2 bytes)
    %Program Files% (x86)\XTab\install.data (68 bytes)
    %Program Files% (x86)\XTab\web\_locales\zh-CN\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\_locales\en-US\messages.json (3 bytes)
    %Program Files% (x86)\XTab\HPNotify.exe (18514 bytes)
    %Program Files% (x86)\XTab\conf (1638 bytes)
    %Program Files% (x86)\XTab\ffsearch_toolbar!1.0.0.1031.xpi (15 bytes)
    %Program Files% (x86)\XTab\BrowerWatchFF.dll (23 bytes)
    %Program Files% (x86)\XTab\web\_locales\es-419\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\indexIE8.html (1794 bytes)
    %Program Files% (x86)\XTab\web\js\library.js (4216 bytes)
    %Program Files% (x86)\XTab\web\_locales\pt\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\ver.txt (47 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-BE\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\input_bk.png (2 bytes)
    %Program Files% (x86)\XTab\web\_locales\pl\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\_locales\it-IT\messages.json (4 bytes)
    %Program Files% (x86)\XTab\skin\conf_back.png (1623 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-CA\messages.json (3 bytes)
    %Program Files% (x86)\XTab\uninstall.exe (1343 bytes)
    %Program Files% (x86)\XTab\skin\btn_apply.png (6 bytes)
    %Program Files% (x86)\XTab\skin\conf.xml (8 bytes)
    %Program Files% (x86)\XTab\web\indexIE.html (1 bytes)
    %Program Files% (x86)\XTab\web\_locales\ru-MO\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\js\xagainit-ie8.js (4 bytes)
    %Program Files% (x86)\XTab\skin\about_bk.png (1436 bytes)
    %Program Files% (x86)\XTab\web\_locales\es-ES\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\main.xml (4 bytes)
    %Program Files% (x86)\XTab\web\img\icon48.png (3 bytes)
    %Program Files% (x86)\XTab\BrowserAction.dll (33992 bytes)
    %Program Files% (x86)\XTab\skin\radio_2.png (3 bytes)
    %Program Files% (x86)\XTab\searchProvider.xml (8 bytes)
    %Program Files% (x86)\XTab\web\_locales\it-CH\messages.json (3 bytes)
    %Program Files% (x86)\XTab\ProtectService.exe (5469 bytes)
    %Program Files% (x86)\XTab\web\js\js.js (18 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-CH\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\logo.png (5 bytes)
    %Program Files% (x86)\XTab\web\js\xagainit2.0.js (4 bytes)
    %Program Files% (x86)\XTab\web\main.css (19 bytes)
    %Program Files% (x86)\XTab\web\_locales\vi-VI\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\_locales\ru\messages.json (4 bytes)
    %Program Files% (x86)\XTab\skin\close.png (3 bytes)
    %Program Files% (x86)\XTab\web\data.html (20 bytes)
    %Program Files% (x86)\XTab\web\img\logo32.ico (4 bytes)
    %Program Files% (x86)\XTab\web\img\icon128.png (9 bytes)
    %Program Files% (x86)\XTab\web\js\jquery.autocomplete.js (12 bytes)
    %Program Files% (x86)\XTab\skin\about.png (4 bytes)
    %Program Files% (x86)\XTab\BrowerWatchCH.dll (23 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-FR\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\img\icon16.png (628 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxE3BA.tmp\System.dll (23 bytes)
    %Program Files% (x86)\XTab\skin\settings.png (5 bytes)
    %Program Files% (x86)\XTab\web\js\jquery-1.11.0.min.js (4726 bytes)
    %Program Files% (x86)\XTab\web\_locales\fr-LU\messages.json (3 bytes)
    %Program Files% (x86)\XTab\web\js\ga.js (1568 bytes)
    %Program Files% (x86)\XTab\web\js\common.js (2 bytes)
    %Program Files% (x86)\XTab\web\_locales\tr-TR\messages.json (4 bytes)
    %Program Files% (x86)\XTab\SupTab.dll (15928 bytes)
    %Program Files% (x86)\XTab\IeWatchDog.dll (20 bytes)
    %Program Files% (x86)\XTab\web\_locales\pt-BR\messages.json (4 bytes)
    %Program Files% (x86)\XTab\web\img\google_trends.png (7 bytes)
    %Program Files% (x86)\XTab\web\_locales\zh-TW\messages.json (3 bytes)
    %Program Files% (x86)\XTab\skin\rigth_arrow.png (2 bytes)
    %Program Files% (x86)\XTab\skin\radio_1.png (3 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.ni.dll (8729 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.RuntimeHost.dll (32 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.ni.dll (932 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Xna.ni.dll (13798 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.ni.dll (17751 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.ni.dll (940 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.ni.dll (5844 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.Shaders.dll (24 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.ni.dll (94223 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Xml.dll (323 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.ni.dll (123677 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.dll (520 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.ni.dll (612 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\Microsoft.Xna.Framework.Graphics.dll (65 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.ni.dll (17059 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ServiceModel.Web.dll (73 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.ni.dll (922 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.dll (131 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Windows.Browser.ni.dll (40448 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.ni.dll (616960 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\coreclr.dll (291 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorrc.dll (12 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\mscorlib.dll (49 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Net.dll (229 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.ni.dll (579 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Core.dll (561 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.ni.dll (900 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\system.dll (241 bytes)
    %Program Files% (x86)\Microsoft Silverlight\5.1.30514.0\System.Runtime.Serialization.dll (438 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6B84D30E5F69CEB3278532D063D4504 (25 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (704 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
    %Program Files% (x86)\PC Speed Up\Speedchecker.log (4481 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
    %Program Files% (x86)\PC Speed Up\agsXMPP.dll (540 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6B84D30E5F69CEB3278532D063D4504 (324 bytes)
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallState (196 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedCheckerService.InstallLog (720 bytes)
    C:\Windows\System32\config\SYSTEM (3355 bytes)
    %Program Files% (x86)\PC Speed Up\InstallUtil.InstallLog (684 bytes)
    C:\Windows\System32\config\SYSTEM.LOG1 (4619 bytes)
    C:\$Directory (768 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe (12626 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll (30 bytes)
    %Program Files% (x86)\PC Speed Up\ManagedWifi.dll (36 bytes)
    %Program Files% (x86)\PC Speed Up\SharpBrake.dll (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (1480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (1504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7 (727 bytes)
    %Program Files% (x86)\PC Speed Up\Skyhook.exe (184 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (848 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (1520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_87AABC5017C6189B392FD9DCB59F943F (471 bytes)
    C:\Windows\System32\config\SOFTWARE (116274 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 (312 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (848 bytes)
    C:\Windows\System32\config\SOFTWARE.LOG1 (160036 bytes)
    %Program Files% (x86)\PC Speed Up\SpeedChecker.dll (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\progress.zip.part (5654 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\index.html (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\index.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\dad4890a8fda856f77d8f153dc13db68\VOPackage.exe.part (20091 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\uifile.zip.part (1968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\index.html (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\index.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\progress.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\index.html (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLGD123.tmp (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\index.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe.part (903094 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\262bebb37d687dabfd48d85e0de76564\index.html (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\css\style.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\last.zip.part (1968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\043f2a479dd1cbb7e630929e145583f8\pcspeedup.exe.part (421975 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\logo.png50x50[1].jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\uifile.zip.part (2937 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\noconnection.html (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\043f2a479dd1cbb7e630929e145583f8\uifile.zip.part (2933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\dad4890a8fda856f77d8f153dc13db68\uifile.zip.part (2933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\base.zip.part (1964 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\css\style.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\261dd182d36861fec9a217cc812a9f9a\img\progress-bar.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\262bebb37d687dabfd48d85e0de76564\cvs_mystartsearch.exe.part (45604 bytes)
    %Program Files% (x86)\PC Speed Up\PCSUHelper.dll (286 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QGQ329ST.txt (106 bytes)
    %Program Files% (x86)\PC Speed Up\wpsapi.dll (49 bytes)
    C:\135c1e3ab58ad80afdd7f364\silverlight.7z (100007 bytes)
    C:\135c1e3ab58ad80afdd7f364\$shtdwn$.req (788 bytes)
    C:\135c1e3ab58ad80afdd7f364\silverlight.msi (364 bytes)
    C:\135c1e3ab58ad80afdd7f364\install.exe (3678 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "PCSpeedUp" = "%Program Files% (x86)\PC Speed Up\PCSUNotifier.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409622738230404.45908c69726ed422d3dcfdec9731986daa752
.rdata28672449646083.59034a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data3686411045610243.20082e59cdcb732e4bfbc84cc61dd68354f78
.ndata1474563276800d41d8cd98f00b204e9800998ecf8427e
.rsrc18022415944163844.37926ea72fff0d02b00b8667f1681d6590832

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://dlg-configs-weu.cloudapp.net/
hxxp://dlg-configs-weu.cloudapp.net/config-from-production
hxxp://dlg-messages-weu.cloudapp.net/1/dg/3
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/base.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow-5-text-en-us.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/progress.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/vuupc-single-text-en-us.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/last.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/websearches-single-text-en-us.zip
hxxp://cs1.wpc.v0cdn.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/pcspeedup-single-text-en-us.zip
hxxp://www.soft-ware.net/media/e5/65/4fd8d03e8d89a93218c9e565/images/resized/logo.png50x50.jpg148.251.96.144
hxxp://d2drfrdurj6mvo.cloudfront.net/liyan/cvs_mystartsearch.exe54.239.168.138
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=cvs.visit.mystartsearch&update1=ref,cvs&update2=identifier,installer&update3=version,6.3.7602.2124&update4=nation,us&update5=language,en65.255.35.150
hxxp://dzqx32c9j9ub.cloudfront.net/3493/154.239.168.165
hxxp://dlrkbt247pbk6.cloudfront.net/3493_bd05aad78249b1c64e2595545bff63b4/1.zip54.230.201.145
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.dlzip1.mystartsearch.finish,165.255.35.150
hxxp://log.very911.com/install.gif?bundle=mystartsearch&ptid=cvs&uid=535559167_198339_B48A115F184.173.191.224
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ds65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.hp65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.regok65.255.35.150
hxxp://download.dynect.mozilla.net/?product=firefox-34.0.5-complete&os=win&lang=en-US
hxxp://www.google.com/173.194.113.208
hxxp://www.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF173.194.113.216
hxxp://a1284.g.akamai.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.nt.ff.tab65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.finish65.255.35.150
hxxp://dzqx32c9j9ub.cloudfront.net/3493/254.239.168.165
hxxp://dlrkbt247pbk6.cloudfront.net/3493_819a0752ed22bbe95df8b308cb03ea5a/2.zip54.230.201.145
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.wpm65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ient65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.RegWrite65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,cvs65.255.35.150
hxxp://xa.xingcloud.com/v4/sof-ient/535559167_198339_B48A115F?action1=install.cvs65.255.35.150
hxxp://p-rumo00.kxcdn.com/partners/pcspeedup.exe
hxxp://xa.xingcloud.com/v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.cvs&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,4.0.1.225365.255.35.150
hxxp://pcspeeduplog.com/log?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer
hxxp://a767.dscms.akamai.net/download/F/8/C/F8C0EACB-92D0-4722-9B18-965DD2A681E9/30514.00/Silverlight.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1
hxxp://a1284.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
hxxp://safedownloadapi.cloudapp.net/featurelimit.aspx?productID=1&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&requestID=&version=3.9.8.0&language=&campaignID=&QuickScan=0
hxxp://crt.comodoca.com/COMODORSAAddTrustCA.crt178.255.83.2
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI=178.255.83.1
hxxp://safedownloadapi.cloudapp.net/reportInstall.aspx?productID=1&version=3.9.8.0&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&affID=2380&keyword=installer&campaignID=ppi_2380_installer&requestID=
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8=178.255.83.1
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8=178.255.83.1
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8d62786b8a611e50
hxxp://broadbandspeedchecker.cloudapp.net/Servers.svc
hxxp://a1284.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://151.236.26.173/random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=9T635656147234101936
hxxp://151.236.26.173/random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=8T635656147234101936
hxxp://151.236.26.173/random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=7T635656147234101936
hxxp://crt.comodoca.com/COMODORSACodeSigningCA.crl178.255.83.2
hxxp://151.236.26.173/upload.php
hxxp://54.235.117.243/
hxxp://23.97.200.175/SessionBot.svc/LogIn?uniqueID=bc8dd994-fd51-4d87-b86e-7bf4aab4fdc1&JID=143335088114301794224503@performancetests.pcspeedup.com/ua|1.0.14.0|bc8dd994-fd51-4d87-b86e-7bf4aab4fdc1|0|null&version=1.0.14.0&countryCode=ua
hxxp://95.211.189.17/SysInfo/count_vn.php?ch=test
hxxp://broadbandspeedchecker.cloudapp.net/TakenTests.svc
hxxp://pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=speedtest
hxxp://95.211.189.17/SysInfo/count_vc.php?ch=test
hxxp://95.211.189.17/SysInfo/glob.php?ch=test&sof=4
hxxp://ec2-54-235-117-243.compute-1.amazonaws.com/
hxxp://sstatic1.histats.com/0.gif?2920545&101208.43.241.181
hxxp://sstatic1.histats.com/0.gif?2920516&101208.43.241.181
hxxp://www.theviilage.com/searchprotect/up?ptid=cvs&sid=IHProtectPlugin&ln=en_us&ver=4.0.1.2253&uid=535559167_198339_B48A115F&dp=050.97.33.37
hxxp://95.211.189.17/vuupc/stats.php
hxxp://www.soft-ware.net/media/e5/65/4fd8d03e8d89a93218c9e565/download/b148.251.96.144
hxxp://dt.web-search-home.com/getsettings?query=nS4a1/oVbU6Q99uIRNKVE+/vPOOkGCX04WBXR7pdK/UKcGWB+Rqy0NTAeyD4Sb/ziarEhWj7HN5nXXj2qWaNwxVXn6EikLycAMKB/i3j0PQE9RFK9YaMPY1tOXp7CoA5I0G8etbIuG9ofZP1IeMKZP4ShkeXaNCevjkr0AZe+vo=50.7.244.109
hxxp://a767.dscms.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a767.dscms.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?fb2283c00361ac01
hxxp://crl.globalsign.net/root-r3.crl108.162.232.196
hxxp://crl.globalsign.net/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ==108.162.232.196
hxxp://crl.globalsign.net/root.crl108.162.232.196
hxxp://crl.globalsign.net/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA==108.162.232.196
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc=72.167.239.239
hxxp://ocsp.godaddy.com.akadns.net//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQD+rJ0jfxxchg==72.167.239.239
hxxp://crl.globalsign.net/gs/gscodesigng2.crl108.162.232.196
hxxp://sstatic1.histats.com/0.gif?2920547&101208.43.241.181
hxxp://sstatic1.histats.com/0.gif?2920520&101208.43.241.181
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://www.pcspeeduplog.com/log?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer212.71.248.160
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/vuupc-single-text-en-us.zip68.232.34.200
hxxp://crl.comodoca.com/COMODORSACodeSigningCA.crl
hxxp://pcspeedup-7ff.kxcdn.com/partners/pcspeedup.exe194.63.141.18
hxxp://livestatscounter.com/SysInfo/count_vc.php?ch=test
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=23.51.123.27
hxxp://clients1.google.com/ocsp216.58.209.174
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=23.51.123.27
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8=178.255.83.1
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/websearches-single-text-en-us.zip68.232.34.200
hxxp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar87.245.216.26
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/base.zip68.232.34.200
hxxp://dlg-configs.buzzrin.de/config-from-production
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=speedtest212.71.248.160
hxxp://download.microsoft.com/download/F/8/C/F8C0EACB-92D0-4722-9B18-965DD2A681E9/30514.00/Silverlight.exe87.245.216.35
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl87.245.216.33
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?fb2283c00361ac0187.245.216.19
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service212.71.248.160
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=23.51.123.27
hxxp://download.mozilla.org/?product=firefox-34.0.5-complete&os=win&lang=en-US63.245.217.36
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl87.245.216.33
hxxp://www.speedcheckerapi.com/TakenTests.svc137.116.198.61
hxxp://www.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer212.71.248.160
hxxp://ocsp2.globalsign.com/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA==108.162.232.204
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl87.245.216.33
hxxp://www.speedcheckerapi.com/Servers.svc137.116.198.61
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl87.245.216.33
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf187.245.216.19
hxxp://livestatscounter.com/SysInfo/count_vn.php?ch=test
hxxp://dlg-configs.buzzrin.de/
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8=178.255.83.1
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=23.51.123.27
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow-5-text-en-us.zip68.232.34.200
hxxp://livestatscounter.com/vuupc/stats.php
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=23.51.123.27
hxxp://livestatscounter.com/SysInfo/glob.php?ch=test&sof=4
hxxp://www.pcsuapi.com/featurelimit.aspx?productID=1&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&requestID=&version=3.9.8.0&language=&campaignID=&QuickScan=0168.63.102.240
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/progress.zip68.232.34.200
hxxp://crl.globalsign.com/gs/gscodesigng2.crl108.162.232.196
hxxp://dlg-messages.buzzrin.de/1/dg/3
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/last.zip68.232.34.200
hxxp://ocsp2.globalsign.com/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ==108.162.232.204
hxxp://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQD+rJ0jfxxchg==72.167.239.239
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/pcspeedup-single-text-en-us.zip68.232.34.200
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8d62786b8a611e5087.245.216.19
hxxp://www.pcsuapi.com/reportInstall.aspx?productID=1&version=3.9.8.0&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&affID=2380&keyword=installer&campaignID=ppi_2380_installer&requestID=168.63.102.240
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=23.51.123.27
hxxp://ocsp.godaddy.com//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc=72.167.239.239
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=23.51.123.27
www.gstatic.com216.58.209.195
ssl.gstatic.com216.58.209.163
apis.google.com216.58.209.174
performancetests.pcspeedup.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 403

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:33 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:32 GMT

Connection: close

Content-Length: 0

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT

If-None-Match: "804047d4e66d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

ETag: "804047d4e66d01:0"

Cache-Control: max-age=86400

Date: Sun, 26 Apr 2015 03:11:25 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..Cache-Control: max-age=86400..Date: Sun, 26 Apr 2015 03:11:25 GMT..Connection: keep-alive..

GET /gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEhhrE10BUs2OqNBLZ9KgzPNA== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:14:44 GMT

Content-Type: application/ocsp-response

Content-Length: 1474

Connection: keep-alive

Set-Cookie: __cfduid=d04b4fc2a5b979841552e18e098c02af51430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.globalsign.com; HttpOnly

X-Powered-By: Servlet/3.0; JBossAS-6

ETag: 1db1d660627ce015fa77de973e5530ef2b8acbda

Expires: Sun, 26 Apr 2015 14:51:50 GMT

Last-Modified: Sun, 26 Apr 2015 02:51:50 GMT

Cache-Control: max-age=180, public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1dcf1e84624501b1-FRA

0..........0..... .....0......0...0......6.K....Z....a.B&Y.....20150426025150Z0u0s0K0... ........k..vY.d..X.R*.....C....n......>..t]..../Pz...!..5..,.....}*..4....20150426025150Z....20150426145150Z0...*.H............(...}...PZ..[G.b..y......7...M.\.........@2.^..#1z.k......_.......>.....`o0..3.....*,..g..i...'...Fj.*N.y...0.8..F......<.."...?>......<7.......a.j4.....c..lp?2_.M=........w....:.......e..-..:.......q{..M.;.....X.s...E.!.=M.).,..R..........8.....5A.[56..'....0...0...0...........!:.D.....3...7..(0...*.H........0Q1.0...U....BE1.0...U....GlobalSign nv-sa1'0%..U....GlobalSign CodeSigning CA - G20...150303092435Z..150603082435Z0}1.0...U....BE1.0...U....GlobalSign nv-sa1:08..U...1GlobalSign CodeSigning CA - G2 OCSP responder - 21.0...U....201503031024000.."0...*.H.............0...........z..N#.)I{6&_.f.. ..*.-W....Z....."......(.u:..9...ET...}.._Z.sr);:.....~.t..&4.~....d....- ...p{..7.E}......:C.. R../.J.w...Q.-.c....Y!.r:.."..X...V............&&z,K..Z...sg.PN.:C.....0f...o..(..w.s.6..%.}.ktU..HmK........!1hy`..(.w.`a......=s..,cYt6).-........0..0...U....0.0...U...........0...U.%..0... .......0... .....0......0...U......6.K....Z....a.B&Y...0...U.#..0....n......>..t]..../Pz0...*.H..............."...Y...f.=...d..........Q.n.S.....=..5[.F..F..=*.S..;....6.j...VNR|#.h.=..' ..T..PD.J.......k....3..h....s...y.'.?....m...k.....V.^..uynl....6....<.[....x..#.Q..9.P%s)-.I...m.?.j*.2..?;.P..X7w.........$.*.t.....5.p....4U.....R..Dc..q....'.e#uA*.FG].xz~...

<<< skipped >>>

GET /searchprotect/up?ptid=cvs&sid=IHProtectPlugin&ln=en_us&ver=4.0.1.2253&uid=535559167_198339_B48A115F&dp=0 HTTP/1.1

Host: VVV.theviilage.com

User-Agent: Mozilla/4.0

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:13:20 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.2.14p1

1..0..0..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=458926, public, no-transform, must-revalidate

Last-Modified: Fri, 24 Apr 2015 10:39:56 GMT

Expires: Fri, 1 May 2015 10:39:56 GMT

Date: Sun, 26 Apr 2015 03:14:53 GMT

Connection: keep-alive

0..........0..... .....0......0...0......N$p...v....1.;..vn....20150424103956Z0s0q0I0... ...................F....0.yV......{&.K......&.......c.. ..T.............20150424103956Z....20150501103956Z0...*.H..............n..)........bWh...hI..W.j.&...{..{W.8...H........a.....z...r.I...#.E.e....PIgJ,..m..%".O ...............%....X..Hr..fIm..qQ......GR.$.....gl_.UI..f.T..C.T.e...Ir.^......./..B.q.yB..9.a.U.>..Z..([.......!m\.M.3.......f..JVm.B.m.y.......{..t.I.op..._ LCs.......0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.Rf.

<<< skipped >>>

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: WinHttpClient

Content-Length: 104

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceConnected":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:44 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /ocsp HTTP/1.1

Host: clients1.google.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Length: 107

Content-Type: application/ocsp-request

Connection: keep-alive

0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./...1o..2. ..0.0... .....0...0... .....0..

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Sun, 26 Apr 2015 03:11:06 GMT

Expires: Thu, 30 Apr 2015 03:11:06 GMT

Cache-Control: public, max-age=345600

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=1

0..........0..... .....0......0...0......J......h.v....b..Z./..20150425191119Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./...1o..2. ....20150425191119Z....20150502191119Z0...*.H.............},.{.....Gj...;..C...0.......V.C.._.j}.:..8r...>....h8F.........h?W.......p..>@Bc.M...Sw_.d...,..#..R........Pv..yjv..gX|L:..b.T...<....5..7'R,..x,VU).S..tI*.-$p....e..oD.?.pM..U:e....;.c..O.!.....(.xTcE_......."R....&_..C{E.kS}ML.....a.....X0..*[.........HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Sun, 26 Apr 2015 03:11:06 GMT..Expires: Thu, 30 Apr 2015 03:11:06 GMT..Cache-Control: public, max-age=345600..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p=1..0..........0..... .....0......0...0......J......h.v....b..Z./..20150425191119Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./...1o..2. ....20150425191119Z....20150502191119Z0...*.H.............},.{.....Gj...;..C...0.......V.C.._.j}.:..8r...>....h8F.........h?W.......p..>@Bc.M...Sw_.d...,..#..R........Pv..yjv..gX|L:..b.T...<....5..7'R,..x,VU).S..tI*.-$p....e..oD.?.pM..U:e....;.c..O.!.....(.xTcE_......."R....&_..C{E.kS}ML.....a.....X0..*[.............

<<< skipped >>>

POST /ocsp HTTP/1.1

Host: clients1.google.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Length: 107

Content-Type: application/ocsp-request

Connection: keep-alive

0i0g0E0C0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..Tj!.T.w...0.0... .....0...0... .....0..

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Sun, 26 Apr 2015 03:11:07 GMT

Expires: Thu, 30 Apr 2015 03:11:07 GMT

Cache-Control: public, max-age=345600

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=1

0..........0..... .....0......0...0......J......h.v....b..Z./..20150425191657Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..Tj!.T.w.....20150425191657Z....20150502191657Z0...*.H...............Z.Y......W.V....H..h..36....WmO;r..[.....}..8...3..t.;r........i."...|_|..2?e^5.;b.d..'9..`gS...O..a..so.u...8=....H..Y|.s.......)=.Zgw...(..e....L.....|.,.]....v..f.W...@..'...9.Y...-....|..K.;.....9..(..H........(t.......b.j..[.'.u[$&:...!.....[F....HTHTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Sun, 26 Apr 2015 03:11:07 GMT..Expires: Thu, 30 Apr 2015 03:11:07 GMT..Cache-Control: public, max-age=345600..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p=1..0..........0..... .....0......0...0......J......h.v....b..Z./..20150425191657Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..Tj!.T.w.....20150425191657Z....20150502191657Z0...*.H...............Z.Y......W.V....H..h..36....WmO;r..[.....}..8...3..t.;r........i."...|_|..2?e^5.;b.d..'9..`gS...O..a..so.u...8=....H..Y|.s.......)=.Zgw...(..e....L.....|.,.]....v..f.W...@..'...9.Y...-....|..K.;.....9..(..H........(t.......b.j..[.'.u[$&:...!.....[F....HT..

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 417

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 0

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 388

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:07 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"LoadingPrerequisitesCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:10 GMT

Connection: close

Content-Length: 0

GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/vuupc-single-text-en-us.zip HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: az687722.vo.msecnd.net

Connection: Close

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=3600

Content-MD5: h9NMolU10veq9lx9L2PUxg==

Content-Type: application/octet-stream

Date: Sun, 26 Apr 2015 03:10:09 GMT

Etag: 0x8D218DF91E231F0

Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

X-Cache: HIT

x-ms-blob-type: BlockBlob

x-ms-lease-status: unlocked

x-ms-request-id: 4731d885-0001-0032-38ce-7f3de0000000

x-ms-version: 2009-09-19

Content-Length: 43261

Connection: close

PK......../I.D"G..I....L......index.html.\.o#7v.y.......|...4I..m.k Y...a..[.EA.P..3C....;,p.A...%}_...4.:.....4C.=....H...W....w#.,........ .......L.K]f......^....B.:V?Uz}..4E...x.]..H..Y.T?.'H..H..:U.=L.?.../...Q.0..O....... ..rK...XZ5?....z:.Q'.2..zU.g...Gw...J......../.....]....`...........").).G.....ZZa.se..8..].f3...-d6....W..R....P.ee-l..g......i..N_..........8.`...pn....^w.L2.<F,z._<..Z...d...a..J..r...=.mR.R].e.Pio ...i.........2..Yi .)p.ki.V&...?Q d.`m.."I..$>z.A...HG:pK...1,|?.^.-.T.h.........,. .....u17.N...U..D...!s.K....|.&.M.s.l.i..[? ...$3Na..k.K.K[r.....8.s....P=......".Y.b.t.......h....7..R..=.l6xP.8......Nu.LUv0......O.....y..W/_.|.D$E......2Ds?.sL....Sx..:(......... k.*)..`...g._2_..d....."...._....Ge..\..Cl.x|$..=../..!b.kO:........Y`l.ei.=.?.......V....8V<.|B\t.z% 1....3.....o.]5s.....r ^}{$..D.G....../..,2PU....._..h..z.U.@$..7."U?.D...}.4^..Z.z..L..r.......$...C.'...q....{...k.....U....)..6OHgg..6g..UD.-.u..f7.~.. ....r..k..6.k........W.S..wr.'..g..,DF.K..nD^.2.h.O.z...1J1ae6.(....._?;*..2<.....I...Ne*)AM..T.......=x.Z.8......\...[.*S..I&.;.m,.^...%&.!...B..W..h ..:=.....RZ..z.|.U...eI......J.u.....,1.:....Ng...H.......qW`/.......W.*..:=..w%..lgw..ki.4 V..w..2<...9...~L..].~n.lL..............*.9.5.....*......*...hb....aA.D....yD..t>*R..`.k.(.pq....PK.3....i.......t|9..[.0....z..'........w..ft}.^\....x3..... .~.....n.C!.|.........X\\^...=?...._.........1..L/..q8.........o...0};.......@u >.>........]..l.......?......g......an..}....... 1...o.........[..,.....P...

<<< skipped >>>

GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/last.zip HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: az687722.vo.msecnd.net

Connection: Close

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=3600

Content-MD5: fgXouqoJyZc91T1FRhXKXg==

Content-Type: application/octet-stream

Date: Sun, 26 Apr 2015 03:10:09 GMT

Etag: 0x8D218DF91AACE40

Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

X-Cache: HIT

x-ms-blob-type: BlockBlob

x-ms-lease-status: unlocked

x-ms-request-id: f58d6015-0001-0021-28ce-7f0801000000

x-ms-version: 2009-09-19

Content-Length: 37851

Connection: close

PK........(h&F._.a....W.......index.html..]o.6.....8..d...b..E2...S..u.a..u..H.JRN...}GJ..G..v2`Q...}1......?...........M..2`i...V..f..~...X..l9./.X.t...i'7..(..WL-<...pEx.....y.~..m3...#...|n.%.......d...L.2......aM.l.....h..[3..R..L.....7a!dxk(.R.!.h..........%.1y.[.5.DW..,IL.,7pU....... '....p.xe..U'.....D4.FbI.F...A...5....Z.....;H.x..ht/d..C..Z.<de.....F...$[..SaJfy..m..9..*.....<W..k...i<..@...pG........5e-K..........&..^..jG.M....d...\6....._..z....5{......{E.._7....G.z...j.P..V..C..h.,.d.J{)...0)A...J.}5W)<us.....Lwv}e.X....OB..........,0H.>U.%h."d.."..N..B.2m..]......3.1....Ui\........1...}w(3.D=.3.i .OT.....p....vwF?."....R......0.y_..vQ|f....Q...4.Yu<....|3yVI.E...o..u..1.=..Z.8.d.X...GVo....W.w.....w...?v....... 0m.1Q...Q.@.......l..i....f.>..e.l..:..CD*.......kt....X..h....D...c$...".....V..f1..'..@.2..].Gr.`e....7.\..%..aQ....Gx.q."..#JfsU.9X.....1...........x...(.....QT.....8Y2y.....!.4...)..........=.......V7..^.Z.W..".Ui.....<%.3$...;.<..O.>uN.9w.-f..]RY..........J..r}J.J..="!...6...#h1.;..{.YW.V........5..p..K..%.....3...^t.Hs ..v5..{2.X.....F......ow...PK.........`=FX..8............css\style.css.V...0.}N....Q.....&M.[.....Xq.e.M...{.7.u....RX{....1)._..j..)x..t&M.K...v..?h.o..(.7.....R.Z..g,KZ'(<".......Z.Y-WK..3..L.:4.3U....d\bE9`..&.iR.."=......d.c....x.%l..7.....,.....*B.J%....& ..&..yN....J,.....j.q.pvQ..r.........F..~u...TJ.~...?/J..........H..!.....}....%[.Eq.&....g(,..b.9Z.P..7..g..i#.~M..u.....t.;.....aE..o/.} ..b{f....}...<.d..g.......... ..{..4

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 383

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:37 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductDownloadCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:13:37 GMT

Connection: close

Content-Length: 0

GET /random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=9T635656147234101936 HTTP/1.1

Host: 151.236.26.173

Cache-Control: no-store,no-cache

Pragma: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 26 Apr 2015 03:12:03 GMT

Content-Type: image/jpeg

Content-Length: 100101963

Last-Modified: Thu, 11 Sep 2014 08:52:17 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type

raw-nginx-upload: 1

Accept-Ranges: bytes

.....MExif..MM.*.............................b...........j.(...........1..... ...r.2...........i....................'.......'.Adobe Photoshop CS6 (Macintosh).2013:03:22 14:39:08............................ ........... ..............................."...........*.(.....................2...................H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.iec.ch............IEC hXXp://VVV.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1..........................view.........._...............\.....XYZ .....L.V.P...W..meas................................sig ....CRT curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|.........................................

<<< skipped >>>

GET /0.gif?2920547&101 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: sstatic1.histats.com

Cache-Control: no-cache

Cookie: CountUid=5447eecb-9eym-433b-b267-e4aef67e236e

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:15:09 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

GIF89a.............!.......,...........D..;..

GET /reportInstall.aspx?productID=1&version=3.9.8.0&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&affID=2380&keyword=installer&campaignID=ppi_2380_installer&requestID= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: PCSUInstaller

Host: VVV.pcsuapi.com

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.0

Set-Cookie: ASP.NET_SessionId=rlmbshgtjzbsoaxrlrwnriuy; path=/; HttpOnly

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:11:45 GMT

Content-Length: 2

UAHTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Server: Microsoft-IIS/8.0..Set-Cookie: ASP.NET_SessionId=rlmbshgtjzbsoaxrlrwnriuy; path=/; HttpOnly..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Sun, 26 Apr 2015 03:11:45 GMT..Content-Length: 2..UA..

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 406

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:59 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:58 GMT

Connection: close

Content-Length: 0

GET /install.gif?bundle=mystartsearch&ptid=cvs&uid=535559167_198339_B48A115F HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: log.very911.com

HTTP/1.1 404 Not Found

Server: Tengine/1.2.2

Date: Sun, 26 Apr 2015 03:11:05 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 671

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<h1>404 Not Found</h1>..<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>..Please report this message and include the following information to us.<br/>..Thank you very much!</p>..<table>..<tr>..<td>URL:</td>..<td>hXXp://log.very911.com:8080/install.gif?bundle=mystartsearch&ptid=cvs&uid=535559167_198339_B48A115F</td>..</tr>..<tr>..<td>Server:</td>..<td>us-pub00.v9.com</td>..</tr>..<tr>..<td>Date:</td>..<td>2015/04/25 22:11:05</td>..</tr>..</table>..<hr/>Powered by Tengine/1.2.2..</body>..</html>..HTTP/1.1 404 Not Found..Server: Tengine/1.2.2..Date: Sun, 26 Apr 2015 03:11:05 GMT..Content-Type: text/html; charset=utf-8..Content-Length: 671..Connection: keep-alive..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<h1>404 Not Found</h1>..<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>..Please report this message and include the following information to us.<br/>..Thank you very much!</p>..<table>..<tr>..<td>URL:</td>..<td&

<<< skipped >>>

GET /media/e5/65/4fd8d03e8d89a93218c9e565/images/resized/logo.png50x50.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.soft-ware.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:09:51 GMT

Content-Type: image/jpeg

Content-Length: 5887

Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT

Connection: keep-alive

ETag: "530494e7-16ff"

Expires: Tue, 26 May 2015 03:09:51 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

.PNG........IHDR...2...2......]......IDATx..Yg.U...<_4.........K,.....(..4. `.BD,..A...,.4.: E:.u.af....rn9......}..........?w..g.{..........q....Q.-....B).S.U...Cv..|....2..X...\.2.....B..,.?...A.B.@.@.".l..0.....@.............,...=...........xP .@i~z....K.......#..m.8..K...4b....._.}....e<.......D.H.....O.6..\...[....|...X.A..@w...qM_".;....c.....AK^..pC>{.."..)j.m.r.Wb./..>I.^Pq...7..z..M....-c.f....g3...=.2!...0.].2.0D.A..UX.?..~Z.'l.....}..6....'.U.....b.J...X....f..o..G.D.....Z..S..w......}....#f.;V.$C..[3.eY.......z....e..._.E....lC2...}.._....2..2>..cT....9<..]Q...j..[..h.Zg-9-?. .. .Y..yEs.....G..].u..3?.....&..L....g.G.x..xH._..(....S.n.s.......g4. ..u.tH.i...Cy9?.......#.L..G.....#..<........C7........&.t....?...-^.Ht..3Yd.e...k....o..a../.....fM..M...J.dk..-..!.r..Ek....b&4.....2.lZ...............i...`...A3r&.v..Us {<^...r.....~.h._.v...?J$P."..m..MHD...U.mQ..}.....)^..V....La........B^!...K..-MG..~.[t8u...s.~.....b.....[.....2..c...d.4J..;......%ks#:.@..n`l.T.BP..,F..F..FN........~8w*..n.1......._..o4w6g..W....C.-.5'............{&.D..M..8....)?.r.ui.....Y'..5..y....R..|...i...#...P.PC%.......~.....r.,.v7..J.w.....P".T..u...Ve..\.....)..5..Fn...&...../...BJ.......3,..t8.BU...6.%z.....J..c.,....$.4&Ri.j..V...#J.Q.....O.8...><..;.\\...3^..YV./?!...(..Q.\..ZU..J.%iR.W...|/..19....`yJ.l<..$./.V....FS...O?<..WJ01...X..NR..B...'4..e.I....l.=.>...n.......].....{....g.(...a.Y=-.x..-B..I.*)....m.W.......8...z$....9.3,...9[........%~*......*.j*)r.e.....JQ..mY..l5..u...s.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=435192, public, no-transform, must-revalidate

Last-Modified: Fri, 24 Apr 2015 04:05:12 GMT

Expires: Fri, 1 May 2015 04:05:12 GMT

Date: Sun, 26 Apr 2015 03:14:51 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150424040512Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150424040512Z....20150501040512Z0...*.H................UJN.z...%sp.&.Wp..WX.W..D.R..Y..`.*A..4%....|,.8z.8.R.,....@..OJ.....zMp.$!..a..L......~^.y.. YB h..L.",.......7....3|......3L..M.F.........C. a.!{.&.T.....5..E.!vc.%j.....*)..01...fd..........67.....|.0w* ..9."...........b[..C.........m..K......v..........0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=493277, public, no-transform, must-revalidate

Last-Modified: Fri, 24 Apr 2015 20:15:13 GMT

Expires: Fri, 1 May 2015 20:15:13 GMT

Date: Sun, 26 Apr 2015 03:14:51 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150424201513Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150424201513Z....20150501201513Z0...*.H................'..n..........0.Z-(...H..L..@.kR...U..o*K..z..._>...M......h...:Z.....t?.1..`..@".9j.....G.p /1.l bH...Q3{."..j....Z.M.....l..}...M?.; H......3..<..].......J..W....j.......J..{.........X.v..y...Zl`f.D&[.oT....f..=.m^.,...6}k...(......6.....1Uu..%.X.x./....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 415

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:21 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:11:20 GMT

Connection: close

Content-Length: 0

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT

Accept-Ranges: bytes

ETag: "dde36a309c58d01:0"

Server: Microsoft-IIS/8.0

VTag: 438569342300000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Sun, 26 Apr 2015 03:14:15 GMT

Connection: keep-alive

0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......40... .....7......150604224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL.."k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3...v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<~..v.w....

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT

Accept-Ranges: bytes

ETag: "cf2633d6957d01:0"

Server: Microsoft-IIS/8.5

VTag: 438481415700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Sun, 26 Apr 2015 03:14:15 GMT

Connection: keep-alive

0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......20... .....7......150602222607Z0...*.H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..).........._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P.#..

GET /liyan/cvs_mystartsearch.exe HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: d2drfrdurj6mvo.cloudfront.net

Connection: Close

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 722528

Connection: close

Date: Fri, 24 Apr 2015 12:38:00 GMT

Last-Modified: Tue, 21 Apr 2015 02:41:57 GMT

ETag: "148bdbdcbac38fbf0b4d3c145e9b0199"

Accept-Ranges: bytes

Server: AmazonS3

Age: 52329

X-Cache: Hit from cloudfront

Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 5zwCg7nBKh-WABgusRJwcU7TYRxpKHnlkCxpN_qwzVzJiT9_qMBDGw==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|...8...8...8...^a$.&...^a9....../0.?....I:......I8.v....I9.....1.d. ...8.......^a8.5...^a>.9...8.`.9...^a;.9...Rich8...........PE..L...~..U..........................................@..........................@......1o....@.................................P........ ..................`....0..lV......8...........................P(..@...............T............................text...G........................... ..`.rdata..............................@..@.data...@u.......R..................@....rsrc........ ......................@..@.reloc.......0......................@..B..................................................................................................................................................................................................................................................................................................................~...F.r.......3.f..Aj\3.j..M..E......U.f.E...&..j.j..E.P...E......t*...}..r..u...o......M.d......Y^.M.3.. |....]..........Vj.QhD.H....P&.....u/.~...F.....r...3.Pf..R...>"..^.3...PRf...."..^...t.Pj....."..^..............A...t&.P.;.v".y..r......Q..\t.../t.3........2..h\.H..o.........U..j.h..G.d.....P..`.8.I.3..E.P.E.d.....RQ.M.......M..E......]z..3..E...H..E......E.....f.E.j.P.E.P.M..E...."...E..E..E..E.hLrI..E.P.E....{.....U..j.h..G.d.....PQVW.8.I.3.P.E.d........u...y...E......N.....H.3..A......A.....f...}..E...G.;.

<<< skipped >>>

GET /v4/searchprotect/535559167_198339_B48A115F?action=visit.heartbeat.cvs&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,4.0.1.2253 HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:20 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.37 ms","message":"store 2 action and 4 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:20 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.37 ms","message":"store 2 action and 4 update "}..0..

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?8d62786b8a611e50 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT

If-None-Match: "80b4d90ca4fd01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT

ETag: "80b4d90ca4fd01:0"

Cache-Control: max-age=604800

Date: Sun, 26 Apr 2015 03:11:56 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT..ETag: "80b4d90ca4fd01:0"..Cache-Control: max-age=604800..Date: Sun, 26 Apr 2015 03:11:56 GMT..Connection: keep-alive..

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ds HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:03 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.25 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:03 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.25 ms","message":"store 1 action and 0 update "}..0......

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.nt.ff.tab HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:10 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.43 ms","message":"store 1 action and 0 update "}..0..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: PCSUNotifier

Content-Length: 216

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","Silverlight":"Install","OK":1,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:40 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 409

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:59 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:58 GMT

Connection: close

Content-Length: 0

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 408

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:20 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:11:19 GMT

Connection: close

Content-Length: 0

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.ient HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:19 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.22 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:19 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.22 ms","message":"store 1 action and 0 update "}..0..

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 400

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:32 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferAccepted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:32 GMT

Connection: close

Content-Length: 0

HEAD / HTTP/1.1

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-configs.buzzrin.de

Content-Length: 0

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 11

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:57 GMT

Connection: close

GET /root.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.globalsign.net

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:14:44 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 649

Connection: keep-alive

Set-Cookie: __cfduid=d0ccd6d612d65033b9b993d2fd020301d1430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.globalsign.net; HttpOnly

Expires: Wed, 15 Jul 2015 00:00:00 GMT

Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT

Cache-Control: public, max-age=6900316

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1dcf1e839e190f63-FRA

0...0..m...0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA..150323000000Z..150715000000Z0..0*.........D.....141125000000Z0.0...U.......0*........)E.....141125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U.......0*........,^.....141125000000Z0.0...U......../0-0...U......00...U.#..0...`{f.E....P/}..4....K0...*.H.............&...f#...5.[4........{pV.#.F........:...*Q.....Mx9}....,.S.D.>@.Ju.[)c...`.?.j~...-..{.FHj.....#.C2.[.,`.......)...Bj2........n...........%......p.6......Q.....1..pd......F.........mJO.!y.W.......V.M).N.R.....V..|...7.ry. ..gy..I\.........j....... .z.E..".HTTP/1.1 200 OK..Date: Sun, 26 Apr 2015 03:14:44 GMT..Content-Type: application/x-pkcs7-crl..Content-Length: 649..Connection: keep-alive..Set-Cookie: __cfduid=d0ccd6d612d65033b9b993d2fd020301d1430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.globalsign.net; HttpOnly..Expires: Wed, 15 Jul 2015 00:00:00 GMT..Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT..Cache-Control: public, max-age=6900316..CF-Cache-Status: HIT..Accept-Ranges: bytes..Server: cloudflare-nginx..CF-RAY: 1dcf1e839e190f63-FRA..0...0..m...0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA..150323000000Z..150715000000Z0..0*.........D.....141125000000Z0.0...U.......0*........)E.....141125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U.......0*........,^.....141125000000Z0.0...U......../0-0...U......00...U.#..0...`{f.E....P/}..4....K0.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.usertrust.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:11:58 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT

Expires: Wed, 29 Apr 2015 04:29:13 GMT

ETag: D60CF3FEA10920BFD9223C04D2095561967D1DBA

Cache-Control: max-age=263234,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp11

Content-Length: 471

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0.........z4.&...&T....$.T...20150425042913Z0s0q0I0... ........|.fT...D.b&...e{.z.......z4.&...&T....$.T...'f.V.I....p...."....20150425042913Z....20150429042913Z0...*.H.............M.he.#b$...d.<....x.....8.n|..ak,....P..z...K....... .......,....qv..!...........s..........8&.D....>..$e..L,L.V..Z.......z........z...!..O..1....1>.%.F...\...m...7..[1.]..l..//B,.OG........Q.h..:b.~F_.\;..eb..~... .........TI*p........e0.C....).....b=..k...

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.regok HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:03 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.29 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:03 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.29 ms","message":"store 1 action and 0 update "}..0......

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.finish HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:10 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.21 ms","message":"store 1 action and 0 update "}..0..

GET /COMODORSAAddTrustCA.crt HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crt.comodoca.com

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:11:52 GMT

Content-Type: application/x-x509-ca-cert

Content-Length: 1400

Last-Modified: Tue, 30 May 2000 10:48:38 GMT

Connection: close

X-CCACDN-Mirror-ID: h6edcacrl6

Accept-Ranges: bytes

0..t0..\.......'f.V.I....p...."0...*.H........0o1.0...U....SE1.0...U....AddTrust AB1&0$..U....AddTrust External TTP Network1"0 ..U....AddTrust External CA Root0...000530104838Z..200530104838Z0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....COMODO CA Limited1 0)..U..."COMODO RSA Certification Authority0.."0...*.H.............0..........T...V...$...Dgt. 7.}#p.q.S...*..K..V..pr.a..K...=...a.......>..>\...4z..k......zv.q.......l......~..../O.....gCr......k,.......~..n.....$.Ckb.U....l........li..xH0E....<E`.2.Q'.g....k.F.. ...e.H...N...F7.....HCgNr*.\.L.(.\"{......Q...FNm>.....|3WA<.Q...\.,c..W.?..]...E...Z$...V=.o..IX........7.....:..CB...........`..(V......q....=...H.<...."L....V;....[..."R...i..Le...-pt...g.)iR....PjUF...(a.p....,!.G.(..Ev...'.....P.k.L.q0........@...B...3:.\.A..c..qk ....1\:jG..yY. ...j..r.WJ.K.....LA...=^(.....Q..G..S........0..0...U.#..0......z4.&...&T....$.T.0...U........~.=...<....8...22.0...U...........0...U.......0....0...U. ..0.0...U. .0D..U...=0;09.7.5.3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05.. ........)0'0%.. .....0...hXXp://ocsp.usertrust.com0...*.H.............d..._......)W..Z...>.v.n.Rp..<.M.tj...%...*]L....m.T.u..'.].y7@.w.....;.....4.~ .y..WE..(....P.....Wi}..R.s......nf.....-....Y.L...qL|G.;.....l.>\.........HM.....s...{#....MU.zaE..h.^@k#.yz...k..oF.{.=K....YZ.A$....`XG..nF...._......@...9.............;o.8o..

<<< skipped >>>

GET /3493_bd05aad78249b1c64e2595545bff63b4/1.zip HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Connection: Keep-Alive

Host: dlrkbt247pbk6.cloudfront.net

HTTP/1.1 200 OK

Content-Type: application/zip

Content-Length: 2170109

Connection: keep-alive

Date: Sat, 25 Apr 2015 20:53:09 GMT

Last-Modified: Sat, 25 Apr 2015 20:13:54 GMT

ETag: "8e00c35a80f9125823c5b5ced168308d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 22672

X-Cache: Hit from cloudfront

Via: 1.1 b56fc979704f01acc351fd21f5c956db.cloudfront.net (CloudFront)

X-Amz-Cf-Id: u5KctQS9zOCmrAkDz0l3nM83-yxbCVgr4BjdLJFqrGZfYv1_Nbi-4Q==

PK...........F0D`.............428.json.....].jRYa..w.........L@.\...q...%.v..Q..~DO.M.|.Wj.N.........'?.}...n..0..5.^1.........#..z.n...t..#.1jq`....*.>#.............m..V.&.vc~.<.w.R.'xD....q..qQ|.H.P6....l..&3....g.t/....|7p.......3......~...B|..@.48.qu.I.}...P......^1........AO...t...HT,t.v.4.)......]._.u-g..f..M....:.x~.......vSM.Y....W]...~C..M...:]...{..-.e...8.i.2....aO...w...#i.^1......K........|~.k.........b......Nr.s.....!*l..5.D(L.w.J.kh.b..S...~..-..Y../.ap......q..j..%....a.M=E.k}.0....g.`.$SaH...u...I.*h.Y.0.3s~.......a.w...............7AP49piUPK...........Fg&`......<......uninstallDlg2.xml.[m..6..~@..........v.b.....4..Z..".%.fW&U......7.(Y...\s.].v.X.4.....3b..._%....r6...m!.".S..Z...gl.Lb...32..Hf..^.....)........O..;q-..T.....z6.......s.p1.>.........|....1..Y......%; t..xjI...Q...M.9N2.<;@.~.p....\..A....\..u.....Q%...u..e.... ..'9\........\~.. .!I......v....x.t_D.$Bw0.V.......4..8...Es....0L..lF..ET..8... p.k-x..qR.....~Kn.gK..'.d....%;...%GK..B.k.[.w....H.$y.Em.R...:Y.....l.v#..'.g...N3.u&........o..''..85....Cm..lE. .z.yQYH=.S.rJC........^.. .'...)..-..{..B{B$A......z.....^.....Oe*..Su.[.."...g6.<...t..dk......xj..?.....N.".T#..:.7.m~.......{...;.X......:.........PK..........KF.QN.............BFVUpdateM.dll...@TU.0~...``F.CE...B.E..?..@..D.I.I...h......b......l.v5k..mw...2c..4..c..-j..4lQ..I....s.0 ........._..s>....<...|....3*.a.`D.a.1./.....0.S_.f...y.!E......W.*l....7...........6..P\fH\.a.X^PxWPP@...}.W;.>?..lb...[Fbo. ..k...E...UJ..[...RN|.@...9.2.F}. .}.\Y..

<<< skipped >>>

GET /3493_819a0752ed22bbe95df8b308cb03ea5a/2.zip HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Connection: Keep-Alive

Host: dlrkbt247pbk6.cloudfront.net

HTTP/1.1 200 OK

Content-Type: application/zip

Content-Length: 2824344

Connection: keep-alive

Date: Sat, 25 Apr 2015 22:53:14 GMT

Last-Modified: Sat, 25 Apr 2015 22:10:55 GMT

ETag: "4c86938e51066bff5850c4d13bd04972"

Accept-Ranges: bytes

Server: AmazonS3

Age: 15477

X-Cache: Hit from cloudfront

Via: 1.1 b56fc979704f01acc351fd21f5c956db.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ToidNhpZRgQAOOlzz_9Ubx7rR0C8DCE6FOA8WzVaSXwUFehH9T4sPw==

PK...........Ft.`j............428.db...7..qD..'.....<..A#.<y....\...... ....<....g...R.gcsw(.xa..'.3g..EX.....'S.....a.K.s.|{W[.-...K....D2..^..^.Y.m.......N..(1...p1...b. 0......?......G.!;Q`......b....B.q....c.gnVp.................7AP49piUPK...........Fadb......$......wpm_v20.0.0.2227.exe..S.fO.7..m.....i...9.i..m..m....F..^.7..oco..Du.S'3OVfe./.!..I..........[*..qD]..g..A. ....M. .u?&............F..,.~T...p.// ...V..U`MY....T..Q................e..B....d...niB..06.a*..G.7.B.fK...-..945.....2=..........N.\...'.|3..z.4.*........7h.M.$H........ccC..l.p...;...Am........?......p7.}3pvE.x........}.Y......h.4..'....Ls......Z.e.l.... y..@....p.^L.].*..].. TV[`.}......\.!.j.2.Z......,.V.].q,.G....{L....BV....d.....&...K...z...0^C#.5.,..V.q............5\$..|$#........z~.s..xZW..=..%.p.W..;-.....C...t2.N....U...=B9#W...;w.....c>.......}JZ.}...l..=........u..D.......h....J...D..f..J7o$..;...\.sn....p.".O..L...'.....wW.y.M...((.Z.XE'.....N{........NxW.;.3.....s.f........A.. .......a)p....Ul....HN..?}....H?t...d...A.....B<..]....Y?...wF..#..e..Km...w@...9W..CBV..5.. .E>...9.........U...w..F.....]o}7....q..../7.....O.....=%O,.^..../...%...R6. r.g.[...q....sE......T..L...2P.3.5..f....E.K'aI.K.I..bu<`f...Ie.G...E......w]H.....9p.<....X<....q.p..^8..\L..K. w.]65u?.....*.m.G.:.c...=..e.8..G....yj.....GyC!.t.{ 5n.......N.,......./.Sg2.z.Zy.M.fk$N.\e..u`......l./.....@5V|0..!.?.;.Ia*.8.).VF/..~/G..>...(........d.....K..].b....'.' i.............X9..G....=.9.*.&.....=...?..oP.1.\`B.....5....*........J.

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 412

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:21 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:11:20 GMT

Connection: close

Content-Length: 0

GET /3493/1 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dzqx32c9j9ub.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

Date: Sun, 26 Apr 2015 03:10:27 GMT

Location: hXXp://dlrkbt247pbk6.cloudfront.net/3493_bd05aad78249b1c64e2595545bff63b4/1.zip

Server: nginx

X-Cache: Miss from cloudfront

Via: 1.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lfGEGgdK0mVn-5Kt_-UNdKN6mfUUHKOm62L8LbnjCXACsb2zakrfFQ==

HTTP/1.1 302 Moved Temporarily..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..Date: Sun, 26 Apr 2015 03:10:27 GMT..Location: hXXp://dlrkbt247pbk6.cloudfront.net/3493_bd05aad78249b1c64e2595545bff63b4/1.zip..Server: nginx..X-Cache: Miss from cloudfront..Via: 1.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)..X-Amz-Cf-Id: lfGEGgdK0mVn-5Kt_-UNdKN6mfUUHKOm62L8LbnjCXACsb2zakrfFQ==..nt>....

GET /3493/2 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dzqx32c9j9ub.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

Date: Sun, 26 Apr 2015 03:10:38 GMT

Location: hXXp://dlrkbt247pbk6.cloudfront.net/3493_819a0752ed22bbe95df8b308cb03ea5a/2.zip

Server: nginx

X-Cache: Miss from cloudfront

Via: 1.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Im_8czHimjKnGAcNNfyGUj0qJz-0ENwcmi_8AuK2DU-NjYOPJ5OKWA==

HTTP/1.1 302 Moved Temporarily..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..Date: Sun, 26 Apr 2015 03:10:38 GMT..Location: hXXp://dlrkbt247pbk6.cloudfront.net/3493_819a0752ed22bbe95df8b308cb03ea5a/2.zip..Server: nginx..X-Cache: Miss from cloudfront..Via: 1.1 2d2eb60d814c8202a5a69fa957cd569d.cloudfront.net (CloudFront)..X-Amz-Cf-Id: Im_8czHimjKnGAcNNfyGUj0qJz-0ENwcmi_8AuK2DU-NjYOPJ5OKWA==..

HEAD / HTTP/1.1

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-configs.buzzrin.de

Content-Length: 0

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 11

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: WinHttpClient

Content-Length: 111

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceAction":"--install"

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:44 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1

Cache-Control: no-cache

Range: bytes=13927868-14682175

If-Match: "530494e7-e00840"

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.soft-ware.net

Connection: Close

<<< skipped >>>

GET /?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF HTTP/1.1

Host: VVV.google.com.ua

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

HTTP/1.1 302 Found

Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF&gws_rd=ssl

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Set-Cookie: PREF=ID=0b33c0232bbc0542:FF=0:TM=1430017866:LM=1430017866:S=fe1czZG40Qeq5D8J; expires=Tue, 25-Apr-2017 03:11:06 GMT; path=/; domain=.google.com.ua

Set-Cookie: NID=67=mqPMZDz1cCx0Pj-pvR1nwH-gbdP6DogTst7rrF7YMYiAhqkWKGa_ICVWoN0Cp0DIZ4jJ3xGo2QEc5d0q7mjxyEImReYryKsiuer_xpbFJsPlmWB462RCtdz4Oyhu4UH6; expires=Mon, 26-Oct-2015 03:11:06 GMT; path=/; domain=.google.com.ua; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Date: Sun, 26 Apr 2015 03:11:06 GMT

Server: gws

Content-Length: 276

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=1

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF&gws_rd=ssl">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF&gws_rd=ssl..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Set-Cookie: PREF=ID=0b33c0232bbc0542:FF=0:TM=1430017866:LM=1430017866:S=fe1czZG40Qeq5D8J; expires=Tue, 25-Apr-2017 03:11:06 GMT; path=/; domain=.google.com.ua..Set-Cookie: NID=67=mqPMZDz1cCx0Pj-pvR1nwH-gbdP6DogTst7rrF7YMYiAhqkWKGa_ICVWoN0Cp0DIZ4jJ3xGo2QEc5d0q7mjxyEImReYryKsiuer_xpbFJsPlmWB462RCtdz4Oyhu4UH6; expires=Mon, 26-Oct-2015 03:11:06 GMT; path=/; domain=.google.com.ua; HttpOnly..P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."..Date: Sun, 26 Apr 2015 03:11:06 GMT..Server: gws..Content-Length: 276..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p=1..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF&gws_rd=ssl">here</A>...</

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 377

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ApplicationStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 0

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=372324, public, no-transform, must-revalidate

Last-Modified: Thu, 23 Apr 2015 10:40:21 GMT

Expires: Thu, 30 Apr 2015 10:40:21 GMT

Date: Sun, 26 Apr 2015 03:14:57 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150423104021Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150423104021Z....20150430104021Z0...*.H..................o.}"^O8.[....i...8..o4.....|..aJ.J...U..E[.../...\ .%.o..;.,r~.0....xgZ...8..K..V.CQ..U...F1..D1..VwQ....<h~.*#........ .R@.s...-.6Y,Be...l*?.e@g.........u......*.0.`U.U4...?_......>r..H.......q...f..0.BD.w.m..-.f.@.%...LH.7..{........AV5......E.%.c.....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 377

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:07 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ApplicationVisible","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:10 GMT

Connection: close

Content-Length: 0

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1552

content-transfer-encoding: binary

Cache-Control: max-age=369998, public, no-transform, must-revalidate

Last-Modified: Thu, 23 Apr 2015 10:00:09 GMT

Expires: Thu, 30 Apr 2015 10:00:09 GMT

Date: Sun, 26 Apr 2015 03:15:11 GMT

Connection: keep-alive

0..........0..... .....0......0...0........C...4N...@..6...v...20150423100009Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150423100009Z....20150430100009Z0...*.H..............{...M...p.....?.T.}....;.. .....P...}....b.Q.)6.{....`;........23.P|9.S....C.......B.....?....k..N>........B..t6.$.o...(.@.x.=......P...I.lm.J.M.}[`.@...P..h.a.G3.o-#5.6si..M]...m.9....m.0.0..Tkf.....t...hx...\...Q.#...YE.p....W. .4.7-.k...g..b..\.k..0.N....50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f...3

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=433884, public, no-transform, must-revalidate

Last-Modified: Fri, 24 Apr 2015 03:44:50 GMT

Expires: Fri, 1 May 2015 03:44:50 GMT

Date: Sun, 26 Apr 2015 03:15:11 GMT

Connection: keep-alive

0..........0..... .....0......0...0......%bn.$..5.......?'4....20150424034450Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150424034450Z....20150501034450Z0...*.H.............t........=..O...i...9....... .J.5.]... ...[r.$M.!.bD...z....o...30^.u..l...6.N!.K.C......S.,'2......4.....l.... ....I..2.}.&..x../C2..x?$n..`.....-l.2..'.>9@.V..iYp......$.x.....A.;....)U*R..r..i.[]..T....5Q......t..R6..4.7u....3..`..c..xLk....i|.S....1.~.....0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA0...150401000000Z..150630235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2009 OCSP Responder0.."0...*.H.............0..........z..|..>.....5.Z ...2.C MWIH.5......M.\.... ...eW..`.B=..`:..R. ...Z.k.Y.....p@.(3.c....a.;..[E....J:'...`...B....M..&......{. (........%......^[v[....m....*.T.o&4..3.....3.........G...e)...'?.K..2s..8=?..z.:..T..-.8R..8wv7*U.K..c...<s...]{.........6.?_...........0...0...U....0.0....U. ...0..0......

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 381

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:35 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductDownloadStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:13:35 GMT

Connection: close

Content-Length: 0

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.comodoca.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:11:45 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT

Expires: Wed, 29 Apr 2015 04:29:13 GMT

ETag: 24EB23ED03882CA15E50420D66220C73B4B82DDC

Cache-Control: max-age=263247,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp11

Content-Length: 727

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0........~.=...<....8...22...20150425042913Z0s0q0I0... ........^..hl\.....W....r.=.....~.=...<....8...22....|....JR......4.....20150425042913Z....20150429042913Z0...*.H................|.....4........o&E.L.?oP........k9f.....j....m....}...%...%l#....z...%.G...bf.Ks2v.,F..F..|g...v....)...T..{.>^.....!P.bg"............7..s.....*....)d....jp...iLF.'..[H|.F....a.....t.....X*.j.. .8......3..<'q......X...2\;9..R......3.....VmD-C.....<.....%S.P...g..!.`../(.V...?..!s.Y.2w.........i..)]8..r.jI.uk."....K`.c..2h..`t....j..G..j............w1`.GG....BM`&,.... \NA.8..t.6x....'.u.@.G....\.Q.:...XR:..Z......<....=..U.0\........YWM._.....z~.e..2.......0..H..q..RRc..7~....:....%.[H...9S..5`1.....@......

GET / HTTP/1.1

Host: VVV.google.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF

Content-Length: 260

Date: Sun, 26 Apr 2015 03:11:06 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=1

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF..Content-Length: 260..Date: Sun, 26 Apr 2015 03:11:06 GMT..Server: GFE/2.0..Alternate-Protocol: 80:quic,p=1..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=Slc8VYfXDM2DNMm7geAF">here</A>...</BODY></HTML>....

POST /upload.php HTTP/1.1

Content-Type: multipart/form-data; boundary=8d24dff12ad36c6

Host: 151.236.26.173

Cache-Control: no-store,no-cache

Pragma: no-cache

Content-Length: 104857685

Expect: 100-continue

Connection: Close

HTTP/1.1 100 Continue

....

GET /random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=8T635656147234101936 HTTP/1.1

Host: 151.236.26.173

Cache-Control: no-store,no-cache

Pragma: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 26 Apr 2015 03:12:03 GMT

Content-Type: image/jpeg

Content-Length: 100101963

Last-Modified: Thu, 11 Sep 2014 08:52:17 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type

raw-nginx-upload: 1

Accept-Ranges: bytes

.....MExif..MM.*.............................b...........j.(...........1..... ...r.2...........i....................'.......'.Adobe Photoshop CS6 (Macintosh).2013:03:22 14:39:08............................ ........... ..............................."...........*.(.....................2...................H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.iec.ch............IEC hXXp://VVV.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1..........................view.........._...............\.....XYZ .....L.V.P...W..meas................................sig ....CRT curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|.........................................

<<< skipped >>>

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: PCSUNotifier

Content-Length: 329

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","ReportInstall":"affID=2380|keyword=installer|campaignID=ppi_2380_installer|uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1|requestID=","Error":1,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:45 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

POST /Servers.svc HTTP/1.1

Content-Type: text/xml; charset=utf-8

SOAPAction: "hXXp://tempuri.org/IServers/GetServers"

Host: VVV.speedcheckerapi.com

Content-Length: 797

Expect: 100-continue

Connection: Keep-Alive

HTTP/1.1 100 Continue

....

GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/pcspeedup-single-text-en-us.zip HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: az687722.vo.msecnd.net

Connection: Close

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=3600

Content-MD5: MRI81vfcQ vh8/lDL LOAg==

Content-Type: application/octet-stream

Date: Sun, 26 Apr 2015 03:10:08 GMT

Etag: 0x8D244DC9EE7A8CA

Last-Modified: Tue, 14 Apr 2015 15:12:56 GMT

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

X-Cache: HIT

x-ms-blob-type: BlockBlob

x-ms-lease-status: unlocked

x-ms-request-id: 1a704b88-0001-0013-33ce-7f50d1000000

x-ms-version: 2009-09-19

Content-Length: 42673

Connection: close

PK...........D.........D......index.html.\...Gv......fa.V..d...if.j......$....A..H....]U=.. .....H.$.y..@^!....H.H.B.\..,........S.9....g...Fb......:..>8^).....^.L......(W^.._... }{.;3.W.?.mJ....;.y...!.g"YI..?...8.C..d........s=aUv.s~.).R......I.......:b...........;...J......../....?..p...S.....,."..........[i.Y,....D.u.....S...@...).r..).\*.VY.[~.3..R.<....N.1a..o.z../.. .{8X..r....}.d:.i..8|p.S...x%....R.J...........^..d.Ti./...i.i.p_.t...2x.m..E.~.....fH..j....f^.I.JO|...6/..tK.ne..0.....D..M...P.."^..}b...V..2....2..., ...>......^w...i...8..f...x.w...(..S.#..........Gt8....i..T.....3\...T1.u.......h..../6..N....l.N9..fX...;..2....G..6.........o.<~...$")...H..m.h..|...'..W.0..Y)..w...o....U...`. ..t.d.....3..."q........;e..\.......C.H...G..!.......j1.m...%.V..=....G..U.HW..".p..7....nt) 1...-2.....o.\5w..by../....89.=.q..G.3.-.Yf.S.....B..P....jt.>.\.$..HTt_$..7."Uo.......k<~&.8.k.2U,...=z..D..........8.Zj.{.Y.h.g...U........O....5.(...J.Q.-..q.W...v..C.b|1...|7>...7..K.....D.)>..*...0:..5p...R.......W.".TK...jec...z.en.D.....n.s.gA[U....g.&< ..F....^P;Q......7Hue......4.....s0...^'U&.8...r.L.....wzW..l.Cp...EZ.(..J`..=...F...b*..l8..../9>F-./N.....x6.6.......f4.C....G...d...v.Vs...cZa.ws[.O4 ......Z. .@.F]xd...B.J.a..7.T......*...:..b ..,..5. d.C._.;..!.".m~AV53. VD\.uV... .,...9...J...B[........=..X..66..&...%.{.....9..z1..@#3C.a* ....1dC.(...v!.U@.6..;.Nu...:q*]....v.....IN..H...e.H".C..v. ..${\1.m.>..Zs.%...`=8......%.aq.."gdp@...-...M...........d.t.B..H%,........L....Oq

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS/pT9HLfNNK8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.comodoca.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:12:03 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT

Expires: Wed, 29 Apr 2015 04:29:13 GMT

ETag: 24EB23ED03882CA15E50420D66220C73B4B82DDC

Cache-Control: max-age=263229,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp11

Content-Length: 727

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0........~.=...<....8...22...20150425042913Z0s0q0I0... ........^..hl\.....W....r.=.....~.=...<....8...22....|....JR......4.....20150425042913Z....20150429042913Z0...*.H................|.....4........o&E.L.?oP........k9f.....j....m....}...%...%l#....z...%.G...bf.Ks2v.,F..F..|g...v....)...T..{.>^.....!P.bg"............7..s.....*....)d....jp...iLF.'..[H|.F....a.....t.....X*.j.. .8......3..<'q......X...2\;9..R......3.....VmD-C.....<.....%S.P...g..!.`../(.V...?..!s.Y.2w.........i..)]8..r.jI.uk."....K`.c..2h..`t....j..G..j............w1`.GG....BM`&,.... \NA.8..t.6x....'.u.@.G....\.Q.:...XR:..Z......<....=..U.0\........YWM._.....z~.e..2.......0..H..q..RRc..7~....:....%.[H...9S..5`1.....@......

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 417

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 0

GET /v4/sof-installer/535559167_198339_B48A115F?action1=xa.geoip&action2=visit&action3=cvs.visit.mystartsearch&update1=ref,cvs&update2=identifier,installer&update3=version,6.3.7602.2124&update4=nation,us&update5=language,en HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: xa.xingcloud.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:10:59 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

Content-Encoding: gzip

57.............V*.I,)V.R..V.Q*..M....LL.r......... .....T........<.....S......T..Z.]. .H.....0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:10:59 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..Content-Encoding: gzip..57.............V*.I,)V.R..V.Q*..M....LL.r......... .....T........<.....S......T..Z.]. .H.....0......

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.dlzip1.mystartsearch.finish,1 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: xa.xingcloud.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:01 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

Content-Encoding: gzip

56..............A..0....,9.XO.o..R$...$..z....2d.v. ,n.i..x.p....`...........3 ..~.P6>H.....0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:01 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..Content-Encoding: gzip..56..............A..0....,9.XO.o..R$...$..z....2d.v. ,n.i..x.p....`...........3 ..~.P6>H.....0..

GET /COMODORSACodeSigningCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.comodoca.com

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:12:13 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 25839

Last-Modified: Sat, 25 Apr 2015 08:50:59 GMT

Connection: close

X-CCACDN-Mirror-ID: h6edcacrl6

Accept-Ranges: bytes

0.d.0.c....0...*.H........0}1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....COMODO CA Limited1#0!..U....COMODO RSA Code Signing CA..150425085059Z..150429085059Z0.b.0".......,i....P.'.7...130725153017Z0"......6(...U..)V.6...130731153941Z0!.._#..I..$.d..$%....140105072902Z0!..H.2...@.N...d.....140130091916Z0!.......~...}....*...140327125438Z0!..xtW.u....tf. T.h..140407130614Z0!..^uc..'.....p......140407130622Z0!..2..v.s..f..3#.'...140414130006Z0"....R|..Z.I...U47....140429145655Z0!..h..&.Oe..j.L.}....140502134858Z0!..R.x ..c\.;.-n.j...140505165508Z0!..6...Ci.WM.........140519192807Z0!..e..IJ... .[.C.....140520152605Z0"......>.-.n..f]...(..140526042357Z0"....,b...3fP.}...d...140527111014Z0!..o.K....'.U..KH.-..140527152547Z0".........%.....<.....140528165921Z0!.....~2.....f$j.....140530162719Z0"....4q....e[.........140602104040Z0!..*...ox..BTt..R!...140605144057Z0!......y.j*......1...140606161714Z0"....W..~....l........140606190404Z0".......|BP[...5L ....140606190440Z0"........1(...v...>a..140610185012Z0!..AI..y}I...v.......140610185029Z0!..4..k...,G.DJH.N...140610210158Z0"....T.q..i.1....T....140611033025Z0!..f.<.M]@......9.|..140616152648Z0!.......O*<R..SHx.C..140620190555Z0"......oU.fU..........140623111824Z0!../,V..r.&.uNn..*...140707151821Z0!..O..].9/.M;........140711123959Z0".........i[.....a{...140723190533Z0!..).'..\.H....z.pP..140725193446Z0"....__.H....Y...B.|..140729143516Z0"....v.>.D.D..g`#.@e..140731221657Z0!...J.>j.1K/..Qt.....140801080058Z0!..pc.yB..,.w.J..

<<< skipped >>>

GET /0.gif?2920516&101 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: sstatic1.histats.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:13:08 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

Set-Cookie: CountUid=5447eecb-9eym-433b-b267-e4aef67e236e; domain=.histats.com; Max-Age=31536000; Expires=Wed, 13-May-2015 03:53:37 GMT

GIF89a.............!.......,...........D..;..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.comodoca.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:12:09 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Fri, 24 Apr 2015 22:51:17 GMT

Expires: Tue, 28 Apr 2015 22:51:17 GMT

ETag: 9EE11AD5AC8713D60F5AFA8AE83EEB12ACE092D7

Cache-Control: max-age=242947,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp11

Content-Length: 471

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0......).`..M....j....K.I....20150424225117Z0s0q0I0... .........w....;.i.4.U.B.......).`..M....j....K.I....wY.^Z.....U[R../....20150424225117Z....20150428225117Z0...*.H.................7.a(..p..-^o9v.m...bJ...g.$o&.1.,.X.I.fO].W.......#..o.....M.....P...pV.....e,.......a.7aji...$..q..n._.....t..Mb....WY..........E/.....u..%..Z.U..a..7.k.....k&.Q...:.D*...4.....B....6$ZN)..A.@.=..qd..( oGw........'.o...\K(.pl..........Svs..i.y]._..q0F..

POST /upload.php HTTP/1.1

Content-Type: multipart/form-data; boundary=8d24dff12ad36c6

Host: 151.236.26.173

Cache-Control: no-store,no-cache

Pragma: no-cache

Content-Length: 104857685

Expect: 100-continue

Connection: Close

--8d24dff12ad36c6

Content-Disposition: form-data; name="data"

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 26 Apr 2015 03:12:13 GMT

Content-Type: text/plain

Content-Length: 14

Connection: close

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type

raw-nginx-upload: 1

size=104857685....

GET /featurelimit.aspx?productID=1&uniqueID=BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1&requestID=&version=3.9.8.0&language=&campaignID=&QuickScan=0 HTTP/1.1

Connection: Keep-Alive

User-Agent: PCSUService

Host: VVV.pcsuapi.com

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.0

Set-Cookie: ASP.NET_SessionId=qetcfykw3vkgigcqmryiy12j; path=/; HttpOnly

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:11:44 GMT

Content-Length: 1

6HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Server: Microsoft-IIS/8.0..Set-Cookie: ASP.NET_SessionId=qetcfykw3vkgigcqmryiy12j; path=/; HttpOnly..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Sun, 26 Apr 2015 03:11:44 GMT..Content-Length: 1..6..

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.hp HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:04 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.19 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:04 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.19 ms","message":"store 1 action and 0 update "}..0..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=speedtest HTTP/1.1

Content-Type: text/plain

Host: VVV.pcspeeduplog.com

Content-Length: 485

Expect: 100-continue

Connection: Keep-Alive

HTTP/1.1 100 Continue

....

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 420

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckSuccessful","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 0

GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow-5-text-en-us.zip HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: az687722.vo.msecnd.net

Connection: Close

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=3600

Content-MD5: evzyomLfdykbHeHg wF1rg==

Content-Type: application/octet-stream

Date: Sun, 26 Apr 2015 03:10:08 GMT

Etag: 0x8D218DF91BA1080

Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

X-Cache: HIT

x-ms-blob-type: BlockBlob

x-ms-lease-status: unlocked

x-ms-request-id: 7a5ce9f7-0001-0009-57ce-7f7fbe000000

x-ms-version: 2009-09-19

Content-Length: 47048

Connection: close

PK........t.GE........>.......index.html.Wmo.6.......W.6:Kq[.C".H......I7..@I'..E.$e....w.$G..4...6.;.=..K....g..\....b..OQ.K.....v...[..(l~{..,C.......cz...i....(I.]L-...i8!i......~?......o...-.j.%.DL...0........i.?..W..cR. K.Nczc...5..|.,..WA.epc(......$..'/.y-S..........bJ....D.t..*..tv..N..T...'....l...&@&....UU.`.`....$[..2n*f....N..,.=......JV.=&..G...<.}..PY.....c.J.v.,M.6....u.,..i..L.....IL.&}.^....2...V.jA;%<'.=.>.....]....s.n.v{.M....v....yD.'&..x.3J.o;.W...p..X...........P.U.3'{.s........H..m/x..]?r...*.S .?.z.>..4_u.}R....B.a{. .o..6...0...9.......'&a_..U..,T.k.!.J."f..RL*....8!.%.....Q.s..Wk...:. .^{...m......X..[k...$g.t'...f.1...w....R....5I.3&....b......" .......3"..,...aP2[...7.8._....]..q..9..xf.7.T....2J...U..Sz....F(..s....`.0G."..........Z..._,F(....XEl...VL....u.-.....T'Y...|..J.......z..u...lL.!.T....D.h.V.......L.1.c`.Ey).a7O..o...(pP`...I W..~?>qY..b.......(b.......%X......D0.of.7....f.....|.4..lXa.2![%ty...i..1....Jf..K..}...s..{#..@3..D...5....h.*......(.......T...5.c.zqT...}..,^..%K...Tk.;.R..&.....V...9...Kh.@....t..A...w@5.....p.../......PK........CK.D-.b.....C.......css\style.css.V...0.]'R..mT.]..y4%......Xq.e...^..;~....TP..3...9.'.. z[-.\..U...ipI...O....."..bqG........{..eI...'$p.....W....j.=~....Z..r...U...K.(......M*.B....{.s"........r..}.M...c..$..:....RI(.'....o..h...dcn....!xC-?N.....\n4WU....s.h{..N......;p..qU..?q.$n..c"I...2 .n.-.g. ..(.S.8.e..@c...........I..."..`.5A..%.R...I.....$.;..|....I...w...K..A.....^=...BY.u.....A}v........A..*z.x.]...y|...).

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 406

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:58 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferAccepted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:57 GMT

Connection: close

Content-Length: 0

GET /v4/sof-ient/535559167_198339_B48A115F?action0=xa.geoip&action2=visit&update0=ref,cvs&update1=nation,us&update2=language,en&update3=version,2.8.8.2102&update4=chptid,cvs HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:19 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.36 ms","message":"store 3 action and 5 update "}..0......

GET /v4/sof-ient/535559167_198339_B48A115F?action1=install.cvs HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:19 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.66 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:19 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.66 ms","message":"store 1 action and 0 update "}..0..

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 397

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:20 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:19 GMT

Connection: close

Content-Length: 0

GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.soft-ware.net

Connection: Close

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:13:16 GMT

Content-Type: application/octet-stream

Content-Length: 14682176

Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT

Connection: close

ETag: "530494e7-e00840"

Expires: Tue, 26 May 2015 03:13:16 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................d.......B..K5............@...........................3......`................................................3.P)...........................................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data....f..........................@....ndata....,..............................rsrc...P)....3..*..................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

GET /0.gif?2920520&101 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: sstatic1.histats.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: CountUid=5447eecb-9eym-433b-b267-e4aef67e236e

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:15:09 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

GIF89a.............!.......,...........D..;..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.usertrust.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:11:45 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Sat, 25 Apr 2015 04:29:13 GMT

Expires: Wed, 29 Apr 2015 04:29:13 GMT

ETag: D60CF3FEA10920BFD9223C04D2095561967D1DBA

Cache-Control: max-age=263247,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp11

Content-Length: 471

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0.........z4.&...&T....$.T...20150425042913Z0s0q0I0... ........|.fT...D.b&...e{.z.......z4.&...&T....$.T...'f.V.I....p...."....20150425042913Z....20150429042913Z0...*.H.............M.he.#b$...d.<....x.....8.n|..ak,....P..z...K....... .......,....qv..!...........s..........8&.D....>..$e..L,L.V..Z.......z........z...!..O..1....1>.%.F...\...m...7..[1.]..l..//B,.OG........Q.h..:b.~F_.\;..eb..~... .........TI*p........e0.C....).....b=..k...

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=487986, public, no-transform, must-revalidate

Last-Modified: Fri, 24 Apr 2015 18:45:16 GMT

Expires: Fri, 1 May 2015 18:45:16 GMT

Date: Sun, 26 Apr 2015 03:14:52 GMT

Connection: keep-alive

0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150424184516Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150424184516Z....20150501184516Z0...*.H.............|.k`.#..:..."...8....:Hu%.....Pf...sS.!.Og.....4.......R.Y..e......mG.-.&.Q....}..*.S......!.^.. .&S.)..o...ij.2.....^4.D.Y..N...a...a.-".p_E]..M....c..9.!8.%..u<...)........z}......R.j3B..l.................@...!......=m....<.Ep.....,...|......1.BwP.9"........0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=433801, public, no-transform, must-revalidate

Last-Modified: Fri, 24 Apr 2015 03:44:53 GMT

Expires: Fri, 1 May 2015 03:44:53 GMT

Date: Sun, 26 Apr 2015 03:14:52 GMT

Connection: keep-alive

0..........0..... .....0......0...0......N$p...v....1.;..vn....20150424034453Z0s0q0I0... ...................F....0.yV......{&.K......&..........'pB.....@j.......20150424034453Z....20150501034453Z0...*.H.............$S....KNR".3....>E..y..c.C.=......{Z..=bOT....f...5...eE.........<....I..:..'....T.JI.;..&:p...'TQ.9J.zg/B...Y ...}X9.K.>..R.../Z.o].3"..l....}..;.%.."D.tm..B...7UKV.......D...r..o|..e......&...........6...../xV.*p..T.._......!x..G...C...d....l...yIaQCi.......0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 403

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:45 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:45 GMT

Connection: close

Content-Length: 0

GET /gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY//t2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc+oCMMmsCEhEhJz1lhSyxS2RYZQVJ48M2bQ== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:14:44 GMT

Content-Type: application/ocsp-response

Content-Length: 1493

Connection: keep-alive

Set-Cookie: __cfduid=d7f9e022abe6711ba67b77f3cb2fa0be01430018084; expires=Mon, 25-Apr-16 03:14:44 GMT; path=/; domain=.globalsign.com; HttpOnly

X-Powered-By: Servlet/3.0; JBossAS-6

ETag: e1d3bf0704693f9610586c5ad76eac842e52e7bd

Expires: Sun, 26 Apr 2015 11:19:01 GMT

Last-Modified: Sat, 25 Apr 2015 23:19:01 GMT

Cache-Control: max-age=180, public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1dcf1e8163e21595-FRA

0..........0..... .....0......0...0.......9e.K.....__..........20150425231901Z0u0s0K0... ........)...nd.@.N....f........J.Z.M1...^./.....2k...!'=e.,.KdXe.I..6m....20150425231901Z....20150426111901Z0...*.H...........A...Xh8....S.]P..9...=..h... !......%.>.o...B..Yg%f....o.z.........._..."$C...H.gl.h)..3.......u...H/..W..!.Va.......c....-.g.n...`.......i-._..%....a..zR._.\..:</...!.I.....u..U.'.5..0.{...=..>...].a..}...M7....].......l....e...(...f.... [q_..W|.ma.(...hI....0...0...0...........!J .v...._......60...*.H........0Z1.0...U....BE1.0...U....GlobalSign nv-sa100...U...'GlobalSign CodeSigning CA - SHA256 - G20...150324152349Z..150624142349Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1C0A..U...:GlobalSign CodeSigning CA - SHA256 - G2 OCSP responder - 11.0...U....201503241623000.."0...*.H.............0.........8..|Z.....|j......q..*d....Q...{.;G....%.!(9.gD...k.. ....(....~&.(........a'.o...%..ap...x...5*.........Vx.......55.....7..5....kL..E1M...L....?...s....#...,n........../...'..:...z..R.....w...Fw.n...nd.e....0v.^.......">G..}|..z.Y*<:./.D&.j.9.)../...rD.A........0..0...U....0.0...U...........0...U.%..0... .......0... .....0......0...U.......9e.K.....__........0...U.#..0....J.Z.M1...^./.....2k0...*.H................}[...xH..t-N..e...cSd..0.4.&.m......2J...r.....4.d..m... .>..uS.w...4.>.(...A.....h...:=..\q.l.hf.t"...=........=..Z...Z.....K.v...Y. ........'B.C...U3........h?....b...!1.<h.%4...o.h.{..!.!Y.G....."...H.Q.q.>..a.<.......G.7..X.OM..>7|b.....i.q....u..kF..

<<< skipped >>>

GET /download/F/8/C/F8C0EACB-92D0-4722-9B18-965DD2A681E9/30514.00/Silverlight.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: PCSUInstaller

Host: download.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Wed, 14 May 2014 07:41:33 GMT

Accept-Ranges: bytes

ETag: "3a12baed476fcf1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6958304

Date: Sun, 26 Apr 2015 03:11:22 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K...K...K.......D...K...!......._.......J.......J...RichK...................PE..L...Hn.@.................x...........X... ........... ................................k.......... .......................... .........................i..<...........!............................................... ...............................text...`w... ...x.................. ..`.data................|..............@....rsrc............ri..~..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................n...D...4...................................Z...............|...................................&...2...:...T...n...........................................&...:...P...n...x...........................................>...L...f...~..............................."...<...R...h.......N...\...8...(.......................................b...........>...&...................n...:...H...T...`...................................................................................Hn.@.............&..............

<<< skipped >>>

GET /partners/pcspeedup.exe HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: pcspeedup-7ff.kxcdn.com

Connection: Close

HTTP/1.1 200 OK

Server: keycdn-engine

Date: Sun, 26 Apr 2015 03:11:20 GMT

Content-Length: 6929152

Connection: close

Last-Modified: Mon, 13 Apr 2015 09:48:40 GMT

ETag: "552b90f8-69bb00"

X-Edge-Location: rumo

Content-Type: application/octet-stream

Content-Disposition: attachment

Accept-Ranges: bytes

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......N.................P..........xd.......p....@..................................>j..........@..................................................8.i.............................................................P...L............................text....C.......D.................. ..`.itext.......`.......H.............. ..`.data........p.......T..............@....bss.....W...........b...................idata...............b..............@....tls.................r...................rdata...............r..............@..@.rsrc................t..............@..@.....................&..............@..@..................................................................................................................................................................@...AnsiChar............@...string(.@...AnsiString......@...............................@.........p9@.x9@..:@..:@..:@..:@..:@..:@.L8@.h8@..8@..TObject..@...TObject..@........System...%..A....%..A....%..A....%..A....%..A....%..A....%|.A....%..A....%x.A....%..A....%..A....%..A....%..A....%..A....%..A....%..A....%..A....%..A....%..A....%..A....%t.A....%..A....%..A....%..A....%h.A....%d.A....%`.A....%..A....%..A....%X.A....%T.A....%P.A....%..A....%..A....%..A....%..A....%..A...S..........$D...T.J....D$,.t.

<<< skipped >>>

GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1

Cache-Control: no-cache

Range: bytes=11255344-14682175

If-Match: "530494e7-e00840"

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.soft-ware.net

Connection: Close

HTTP/1.1 206 Partial Content

Server: nginx

Date: Sun, 26 Apr 2015 03:13:17 GMT

Content-Type: application/octet-stream

Content-Length: 3426832

Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT

Connection: close

ETag: "530494e7-e00840"

Expires: Tue, 26 May 2015 03:13:17 GMT

Cache-Control: max-age=2592000

Content-Range: bytes 11255344-14682175/14682176

|.zv.y...3..O .K.&Xh^T)......k\.$..........._.).#.l.X..VFe....`......=.Dz.Q.L....@.9....6.E ...Y.......9.. h......(.}.#*"bD..c.z*....R&c.U]^o,<lB...DG.....bB1DR...........O]..%..>{3~.....y...)....e..|.*u.....X...2....*.}..Ek..Y.N#..v?.".";Ltx...N....BT.f..X....*.&...3...R.h.7 ..n@.v..lqL.)..C..L.#<.z.?....L=.!...l.U.L3.?.....,..M8..9.N~..../.>...K...<..O..?.?.!.....8.<.m.Hc.8..d....U[.E..p..#..f.?...!.kt..r...L[..A..}....M.AF...........=.SdTcd-....p......T...p;:.......%>.I.d..32..5$W..E5.......[......L...S.O.E.Q...q.h.I.@..C.S........<.z.R.yln...h...8.T......d^.T.9.I'.I......|.;.U..&..0....,.....tpz{k.....o#..6t.cO..4......b..}..a..BKN....U1..U..........9......[.....*Y..>d..T........i.\.r.l...:......"......66.A.....N..R.x&...b...../j..... 3.O.h...{.9{ ...{.g. g..!.....ZYz...@...`=..q;..tJ....M..zOm....@.Yg..e@..8.,G.......J.v.Z... -......>3.y\ ..1vg.j......,..Lj..HI...T......Z.j\.{..1..PiE..<..6O......?.....v....d(h....b..|./..a..$\.TU.....C.|8(&v...g..qw.".Rn#..Im........"^8...|.S....M{P....*r.]^.......:%......U.M...B..'So.V..r....... hQ9.Z...ps......,G................v..S,...T.?Kc..y.t.,.j. ...^..t.|%.S.?N|.92.5U"U....Q..j..o.\..hpiq.G..... ..s.7..85vo...KG...N..h... ..i.d.^S..........*.p.@i...Vl.r..1P.:.. ..n.......e.b..:c....zU..]..k.....R|b...3.%...7LX..........S...].......$..9NO#w.mA@....SQ6..%..........Xz......Mb......'T.nay.........J.........%r>.....Y^,.U.d..]R..."..Q....>'.V....HKt&.j.}(.d......,.[. .W.....r..C....w..# .'.L$.. ...M..:uq...C...vr...0.I{....R.6....q

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 411

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 0

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: PCSUNotifier

Content-Length: 219

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","Silverlight":"Download","OK":200,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:23 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:14:57 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=116023, public, no-transform, must-revalidate

Last-Modified: Sun, 26 Apr 2015 01:10:27 GMT

Expires: Mon, 27 Apr 2015 13:10:27 GMT

ETag: "c30fade8d543f5204181f6438f822d3f1b5d2cff"

Content-Length: 1741

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0.....0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G2..20150426011027Z0d0b0:0... .........#o..K......#..... ...:....g(.....An ............20150426011027Z....20150427131027Z0...*.H.............f...>N../_..*........*.......#.....a.......2.....&jB3.!!9s/o.(3.....-.z....).*.k..n..'<Q.../..I.....G.U~.V.E5 .......2...e... . .!)(L.<pf.......-........\ .1.1(..|.....0..?.>...4y..W.!..0l.Qd).....iN$:>&..O.m.s... ....N.........!.le......|.D.. ....#Dv|y.......0...0...0..q..........t....o0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...150316070000Z..160316070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;....C)...(..T........XA-N....k1 .....ag...,4.L{.I..hEKb..K......!.(...7....p.O...X.._........8.B..k[4...........e.../....^.S..7A.b.oB..\......2%.|c...A....Fk.T..24.0B...p.........0..0...U.......0.0...U...........0...U.%..0... ......... .......0...U.......O........f...e..r..0... .....0......0@..U...90705.3.1./hXXp://crl.godaddy.com/repository/gdroot-g2.crl0J..U. .C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0...*.H.............bW%D.2.X..U[0d..........|.BaG.Y.?.u.

<<< skipped >>>

GET /random10.jpg?guid=938a2fae-271d-42f8-b7a6-73a7e588e39f&ticks=7T635656147234101936 HTTP/1.1

Host: 151.236.26.173

Cache-Control: no-store,no-cache

Pragma: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 26 Apr 2015 03:12:03 GMT

Content-Type: image/jpeg

Content-Length: 100101963

Last-Modified: Thu, 11 Sep 2014 08:52:17 GMT

Connection: keep-alive

Access-Control-Allow-Origin: *

Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type

raw-nginx-upload: 1

Accept-Ranges: bytes

.....MExif..MM.*.............................b...........j.(...........1..... ...r.2...........i....................'.......'.Adobe Photoshop CS6 (Macintosh).2013:03:22 14:39:08............................ ........... ..............................."...........*.(.....................2...................H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.iec.ch............IEC hXXp://VVV.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1..........................view.........._...............\.....XYZ .....L.V.P...W..meas................................sig ....CRT curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.|.........................................

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 407

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:58 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:58 GMT

Connection: close

Content-Length: 0

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: PCSUNotifier

Content-Length: 204

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","installerStart":1,"silent":1,"affID":"2380","srcExe":"pcspeedup.exe","OS":"6.1.7601-SP1","ShowUSBCache":1,"noBrowser":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:21 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg/4pN+uv5pmq4z/nmS71JzhICEHdZvl5azuWSrxlVW1KM5y8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.comodoca.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:11:45 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Fri, 24 Apr 2015 22:51:17 GMT

Expires: Tue, 28 Apr 2015 22:51:17 GMT

ETag: 9EE11AD5AC8713D60F5AFA8AE83EEB12ACE092D7

Cache-Control: max-age=242971,public,no-transform,must-revalidate

X-OCSP-Reponder-ID: h6edcaocsp11

Content-Length: 471

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0......).`..M....j....K.I....20150424225117Z0s0q0I0... .........w....;.i.4.U.B.......).`..M....j....K.I....wY.^Z.....U[R../....20150424225117Z....20150428225117Z0...*.H.................7.a(..p..-^o9v.m...bJ...g.$o&.1.,.X.I.fO].W.......#..o.....M.....P...pV.....e,.......a.7aji...$..q..n._.....t..Mb....WY..........E/.....u..%..Z.U..a..7.k.....k&.Q...:.D*...4.....B....6$ZN)..A.@.=..qd..( oGw........'.o...\K(.pl..........Svs..i.y]._..q0F..

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 148

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3530\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3531\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:05 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:05 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 183

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3532\",\"guid\": \"\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:05 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:05 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 219

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3533\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:06 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:06 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 219

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3220\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:06 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:06 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3412\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=1&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:06 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:06 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3413\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=2&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:07 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:07 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3414\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=3&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:08 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:08 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3415\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=4&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:08 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:08 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3416\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=5&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:09 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 249

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3650\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=9&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:09 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 250

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3652\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=10&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:09 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:09 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 266

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3654\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=12&command_parameters=/start /ch=CO18&vostage=main&reason=00:50:56&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:24 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:24 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 250

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3655\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=13&command_parameters=/start /ch=CO18&vostage=main&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:25 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:25 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 257

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3675\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"dloc_stage=21&command_parameters=/start /ch=CO18&vostage=main&dloc=1&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:25 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:25 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 223

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"2066\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:26 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:26 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 223

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3510\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:26 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:26 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3534\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:26 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:26 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3638\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:32 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:32 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3637\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:32 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:32 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3502\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:32 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:32 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3503\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:33 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3504\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:33 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3505\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:33 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:33 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3506\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:34 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3507\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:34 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:34 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 188

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3508\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:35 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Sun, 26 Apr 2015 03:13:35 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 223

Connection: Keep-Alive

Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"3527\",\"guid\": \"A0804D56-A87A-6E51-A934-1069B2C7BDD2\",\"channel_id\": \"CO18\", \"utm_addition\":\"command_parameters=/start /ch=CO18&pr=vo&v=26&civ=2&pac=\"}"}

HTTP/1.1 200 OK

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

Access-Control-Allow-Origin: *

Content-Type: text/html; charset=utf-8

Date: Sun, 26 Apr 2015 03:13:35 GMT

X-Powered-By: Express

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}..

GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/progress.zip HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: az687722.vo.msecnd.net

Connection: Close

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=3600

Content-MD5: fJIiuJo 0/ih6f3fHKFgHw==

Content-Type: application/octet-stream

Date: Sun, 26 Apr 2015 03:10:08 GMT

Etag: 0x8D218DF91A5C530

Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

X-Cache: HIT

x-ms-blob-type: BlockBlob

x-ms-lease-status: unlocked

x-ms-request-id: 01583424-0001-0048-20ce-7f57ad000000

x-ms-version: 2009-09-19

Content-Length: 85732

Connection: close

PK..........=F..?.....F.......index.html..io.6....?0\..H-...$..6M..k. ...).J.-:2.R.. ...#uQ...i;..h..|.)g...g..\..@....O....q.J.|..K&C:q...XXPI.....S..c|.qI..\...#/.5..~.C...y.......o..a.X..-....{I.....'...I@..(.t:..6......d.O.X.Dxc<O..O).w..=:......<..K.....c.{..4..d....^O....!.E4.4I.KD6.$...K..DR4FR....*....$.......h...v"....n....}H....F._.}....*.... .^1_.V........9....K..X..x..4....}E.!q.bSd.zW.=Ae*x.....a.^].cP#`>...0.@.F Da. ZU......?..^F..&..^..1...0Q.4a6.k......0....Q.......5.. G-.2G..!:xz....c[.j.....8..........X1.G .(P.Ih.8........l8..,..2.%..K.....D.!....@4...}.7.#.r.N..>F....L..."...G..vPtR.O.@.....2.s..T."...wbln.-.hfA0...:.m......J.........4.......%.eR...K...V\..W>....j.,.......u.k.O..jc.@>S...%2.=..]......R..TaP_s.. sZGzX.$..B.W.m...3...b...&X.U....Y..E.8.....U...u/.."Z.....:.WFjIy....9..ut......d{.U2...6...;p.W....m._./.Lw@v._......[.!..M|...@G..._G .F./,..7..K.Gq.p.`.1W...p.....TK........'...t.-....c.#..,../..En].D...|G...%.......Y...N...t....!.3.@.ya..:[.<I.D..u.T(.......v......0...8.|..8...../*..D..me.1.%...GXu..n.0...9......).;......."R:NW.[.[z.[....5...........n........p..#.[.Pn..lFs..F.RPL.m.rv..).......Q.....%;...>BC...Q.yKe..m}O...0.._l*....yd......9.~.....v.Ot-<..*.........v..e........,.#........bH...c.Y.s.c....S.........a<N%..1V..b..1..=..z.n..g..73.1.=2...NT.B..pr.S./.....p..g.i..I@...:....qe.u=Z.c..E.6..).K|T. ..p^li=....U{.o..%E.`.!...^..T14..b.Vi..c[. .?.. .X...F-.T.W|7...f.e..Wd.y-..h|.7..7 .1k.#.p^..=..Fm..s#<K..(.-Y...k.. ..."..Y..7{.....wk....o..

<<< skipped >>>

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: WinHttpClient

Content-Length: 113

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceAction":"--speedtest"

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:44 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /COMODORSAAddTrustCA.crt HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crt.comodoca.com

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:11:45 GMT

Content-Type: application/x-x509-ca-cert

Content-Length: 1400

Last-Modified: Tue, 30 May 2000 10:48:38 GMT

Connection: close

X-CCACDN-Mirror-ID: h6edcacrl6

Accept-Ranges: bytes

0..t0..\.......'f.V.I....p...."0...*.H........0o1.0...U....SE1.0...U....AddTrust AB1&0$..U....AddTrust External TTP Network1"0 ..U....AddTrust External CA Root0...000530104838Z..200530104838Z0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....COMODO CA Limited1 0)..U..."COMODO RSA Certification Authority0.."0...*.H.............0..........T...V...$...Dgt. 7.}#p.q.S...*..K..V..pr.a..K...=...a.......>..>\...4z..k......zv.q.......l......~..../O.....gCr......k,.......~..n.....$.Ckb.U....l........li..xH0E....<E`.2.Q'.g....k.F.. ...e.H...N...F7.....HCgNr*.\.L.(.\"{......Q...FNm>.....|3WA<.Q...\.,c..W.?..]...E...Z$...V=.o..IX........7.....:..CB...........`..(V......q....=...H.<...."L....V;....[..."R...i..Le...-pt...g.)iR....PjUF...(a.p....,!.G.(..Ev...'.....P.k.L.q0........@...B...3:.\.A..c..qk ....1\:jG..yY. ...j..r.WJ.K.....LA...=^(.....Q..G..S........0..0...U.#..0......z4.&...&T....$.T.0...U........~.=...<....8...22.0...U...........0...U.......0....0...U. ..0.0...U. .0D..U...=0;09.7.5.3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05.. ........)0'0%.. .....0...hXXp://ocsp.usertrust.com0...*.H.............d..._......)W..Z...>.v.n.Rp..<.M.tj...%...*]L....m.T.u..'.].y7@.w.....;.....4.~ .y..WE..(....P.....Wi}..R.s......nf.....-....Y.L...qL|G.;.....l.>\.........HM.....s...{#....MU.zaE..h.^@k#.yz...k..oF.{.=K....YZ.A$....`XG..nF...._......@...9.............;o.8o..

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 413

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:11:20 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferDownloadStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:11:19 GMT

Connection: close

Content-Length: 0

GET /media/e5/65/4fd8d03e8d89a93218c9e565/download/b HTTP/1.1

Cache-Control: no-cache

Range: bytes=7599136-14682175

If-Match: "530494e7-e00840"

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.soft-ware.net

Connection: Close

HTTP/1.1 206 Partial Content

Server: nginx

Date: Sun, 26 Apr 2015 03:13:16 GMT

Content-Type: application/octet-stream

Content-Length: 7083040

Last-Modified: Wed, 19 Feb 2014 11:26:31 GMT

Connection: close

ETag: "530494e7-e00840"

Expires: Tue, 26 May 2015 03:13:16 GMT

Cache-Control: max-age=2592000

Content-Range: bytes 7599136-14682175/14682176

..<.`.n..B5..C........:..........S..k...~...>B%U./|...`..I.ll..P.u...iB..|..W..P...k.3..t..ADD{..n@A.[...T.#N.....%.......<*Q..L....(.2._...:..`........q.u.W^=....O...r...,h......t.....P!X...C{.n...#N.y.i'...1(........5c=TGpD.....^.B..`......\.\..d..{z.l..0.vh..B.Pn..h.JYM....=`.....z.IW..\....n.T!GR.......iP...1...fo.......aR....y..X]..EG..A'.N"D....m..?..M.N.[N.f...kQ[m......].[..;.......0.............lL..Bv. ..B<yp.-.."..7.....f...&wO$..{(@ .z:.T5.R.{d.v..m....kM..~...'...~.?4..).Bd......].P..%..T*....l..[.....R........~..g.......J...H...~tT0....V.j.)3......rd._..E=H...h:..1...Ez!.Jp.u..**F .l(........S/a....EU.(/.c....{..5..T....-3...........q...1l....JT.@B!.q..Q. ..6pYr...G%...X..*.5..".8.'1...q....F;(.....=...3.....L ..i.MG.]..U..L.].....Lh.S...X.].4.1..X......m8.$iPLu..[.q..9.{`..6.k.FY.r.uy....)....s..K..@...w.*n......Ql..lx..7...bD..)...!.`{..<../8E&T.rz.&...]........R..!. .....m.l.r..].y.g ..b..Tv..t..S.$.&...F..<...w.i!.y.....|..0&....,.I...$...c.......9wV....p..wQ]\s...).....D=...._.. X.....tx:..*_...hw.....~...4...0..G$s..W..o?.8=X|_...(........x:u,jR$[&S.7.@?..-up...#.b...h:]R.5)...H.y......[./R...*.=..E'..^....q..... N..h.(o=.....b....ls..................{...W..=.....g..\;...c.|.#.k..............wH 4.r.g.]....K.... ...Rr.h?.sn..#...1^S.......U.G...v..~.a.v..O,Z&..|....[...p..Vz...ej.q.g.q..iJ..'!.. .qa.F...e.n......]c..Rm........V&.,..`..n..p..G%.).z.C2VW_....m.j.....0..8.m.......QD..l#.R...R..r..DO..A..m.Wj...........d...>.S.a.......SNc........g.g....l..[.z..q..3DT..6`..X...

<<< skipped >>>

GET /getsettings?query=nS4a1/oVbU6Q99uIRNKVE+/vPOOkGCX04WBXR7pdK/UKcGWB+Rqy0NTAeyD4Sb/ziarEhWj7HN5nXXj2qWaNwxVXn6EikLycAMKB/i3j0PQE9RFK9YaMPY1tOXp7CoA5I0G8etbIuG9ofZP1IeMKZP4ShkeXaNCevjkr0AZe+vo= HTTP/1.1

Connection: Keep-Alive

Host: dt.web-search-home.com

HTTP/1.1 200 OK

Server: nginx/1.0.15

Date: Sun, 26 Apr 2015 03:13:39 GMT

Content-Type: text/html; charset=utf-8

Connection: close

X-Powered-By: PHP/5.3.15

Set-Cookie: PHPSESSID=8n9t762i99mdunrqb7q2iha045; path=/; domain=web-search-home.com

Content-Length: 54060

BgJdlSPe24tHz9J/E97T4BDe92S9A71i36gQ4DJZdX/LSknzlGjR/9vR6FQP0845 X23TGNFYdAq3iFB2MfphSIxDQg31SyUxnsLWO 7aROBtZTruqkvJxlmWeGchDnnqJLV7uuu8/h5AEbsejilcUz7bBSksdFi7TD1J1i103mGwvcrc9hwjq9W5YT E PihjARI43nSNiUCGeNk mnRJ4kR1zhx2tcxZaP vFyIzEkV6oKiAsqJH8gM68vrY7uaHGR2/OtPCwEstfg/UZuWvO4f8A 1fHXKMZ9tizYnVK5m8t h6ns7qVYlR5wHxxMN68hnOuJvMvArTFd2gDrolt7Luh02q7C19zw4 c8RKJY2tJ8AUmtuLuOf/aBf0nOa/QeGoao6WCxbouws0vWZgRMVxqXqyjQ9/gqNu8Dyudeke/oqGNM5/tM0CT73NE 0xlWZzjS1JXeLn9FfDkCBauaBDQXa41mXhhcmaxznd5vmvjoEeEO9qfiYMmyo/LTbyQ5p4hjWR2IMzVAQ9oWyG5jcmoBBQVtfgdDJo59UnXy5pkvS8RgrCIpBiOgK9fgc2Rh4DjN6HR4hBGAIzb91vlZEOZz9FSdEQhx4/fYbJlN3eFqkH7bDyuPvtjjbfW3TNq5aJAyKBlJEJ9Pr3JW/JJliOz zJfmHrpjlXHhXRBpk9BGFlOm7BCorwFBWFiqa3lMXW5Mo6ZRzkevDI834hNO7jFmRXv3FYmIplgndkFRvQ1wn42J0LTSyfuVeJOQ6lQHy1ySUvt2N 4FJxwmgzsZ6zT RPSE2Mjq1 1miOXmzK8FhHP2EUn IzlUCVdF7FxM4lM0153021acbhFgLvcY5J87g9mld2VEm0tQKbEkvjZBN876/LQ86A2Ppdmj4vm997Z9W64XIiP7MpaSt6qcdUz0Uffj3QD9rm9K6glVFL0fRddPJ4JhlRS8uGEH20ZfegHLBMYroeHfR7faDkhkn3bo1e9CD4H2x tq1kunUEW4dngu4rOecZ/HbnZYrYeNNtFowc8gHoobe 7pKRvCx n9PIyNygVgJ7TAuR903AkT3s LUzMRNuPj7DA/JD/LgxdisER/bjphGwWPKrsA9j0mO3iNWo0x4xd9PtGYlKMHINdZppsdQfCIGLgrudhZ2yBGVklUy44OGcoJigk14nuTqS2IyngQHr2mBsuP8O4eGZKBVIdoHTL39qRLHQ2YsLVrkdFr2xjaGmo2h1Mjd8QLgWzWgeit48Ug7jnjM5o2BKKse4tqRqIGQuTI2gQCX8f15bwT0qL8QMBXDP2Ed9pDpRFcLBAHd6kYjTwIGA5d1WYNJrdKZzejzMKm6nGz3tANZTKcft1j0B iV6FkW0vL3SCjeN0HWrHfRDh QMx2Rxd/VPoE1oX9ecx7Ft iZP7lMtKyuFbYzyYsqrLhiYS8Gm8RBP1IwjbGSk9LClw2Dp1jM6ciTrf9syQORFUWcEYFSzFpxHltm2NmhYTwQhmpfHKTL 3XAl/1IiT/7WRKR319gZK7YPwXTTr

<<< skipped >>>

GET /root-r3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.globalsign.net

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:14:43 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 594

Connection: keep-alive

Set-Cookie: __cfduid=da63f65db910aeeeb6637ef4c2b031fa41430018083; expires=Mon, 25-Apr-16 03:14:43 GMT; path=/; domain=.globalsign.net; HttpOnly

Expires: Wed, 15 Jul 2015 00:00:00 GMT

Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT

Cache-Control: public, max-age=6900317

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1dcf1e8011e715d7-FRA

0..N0..6...0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign..150323000000Z..150715000000Z0..0*........1..F...141125000000Z0.0...U.......0*........%..@...141125000000Z0.0...U.......0*........%..D...141125000000Z0.0...U......../0-0...U.......0...U.#..0.....K...E$.MP.c.......0...*.H...............Z.v..&...B.....x)....'.u.}.r8.. ..i.......-..........@.:.5.v..?.. ....~V.=....R. .....rS....t.T_.....Y.R......p OS..2.s........(C.e.x3.#.d6L.d=.UI.;T..G...mx....... .......-........-.....J....$.Ko.e#......3....*..3.s...0.........N..W?'.U...f..h..e...m.9.HTTP/1.1 200 OK..Date: Sun, 26 Apr 2015 03:14:43 GMT..Content-Type: application/x-pkcs7-crl..Content-Length: 594..Connection: keep-alive..Set-Cookie: __cfduid=da63f65db910aeeeb6637ef4c2b031fa41430018083; expires=Mon, 25-Apr-16 03:14:43 GMT; path=/; domain=.globalsign.net; HttpOnly..Expires: Wed, 15 Jul 2015 00:00:00 GMT..Last-Modified: Mon, 23 Mar 2015 00:00:00 GMT..Cache-Control: public, max-age=6900317..CF-Cache-Status: HIT..Accept-Ranges: bytes..Server: cloudflare-nginx..CF-RAY: 1dcf1e8011e715d7-FRA..0..N0..6...0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign..150323000000Z..150715000000Z0..0*........1..F...141125000000Z0.0...U.......0*........%..@...141125000000Z0.0...U.......0*........%..D...141125000000Z0.0...U......../0-0...U.......0...U.#..0.....K...E$.MP.c.......0...*.H...............Z.v..&...B.....x)....'.u.}.r8.. ..i.......-..........@.:.5.v..?.. ....~V.=....R. .....rS....t

<<< skipped >>>

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: WinHttpClient

Content-Length: 104

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","SpeedTest":"Silent"

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:45 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/base.zip HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: az687722.vo.msecnd.net

Connection: Close

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=3600

Content-MD5: yfeb6HeSX7QcohHPlnHtCg==

Content-Type: application/octet-stream

Date: Sun, 26 Apr 2015 03:10:09 GMT

Etag: 0x8D218DF9198F3F0

Last-Modified: Tue, 17 Feb 2015 15:43:11 GMT

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

X-Cache: HIT

x-ms-blob-type: BlockBlob

x-ms-lease-status: unlocked

x-ms-request-id: e4e619cd-0001-004c-62ce-7fa22f000000

x-ms-version: 2009-09-19

Content-Length: 34496

Connection: close

PK.........`nEP...............index.html.VQ..8.~...a..........&=q.Ew.`.....M..wS;........N....p.....=.?.3cO...W..O....y1~.(n.A.#..F.[a.....>~.....r2...?W.!a.%-J;.Y.. ......F5...9..m.........B..%.f~j...E..].hrD. .8M..E.7.gE. pDM.Ei..4aw&..\.^....a.,.....F.......k..*[.AL5.#|u].Bd6...g......Q.r;....}..}kW.,.r6.ac5.z&.h.1..v..../.V2.BI.R....k.3.Vs.5...,.n...;.1......H`!d..!I.Z.".e..5.9...o.....0...{ga..5.m&U.q.. ..z.k)..Z...I..RQ.It..jN......."#....zwRM.v...B.\-...bo..%uk.@......}....l1.....$...I@.f.....e....2v.I.....r..J.9-..#.w...........G.:9P.X.-............>4.........;.............g} p..G5O._...d.t#`..e..|O.H.vE..VZ....[?...@#................Ai......q#..*....,j.wY.......O....).0.i....H...e........v..N.o.J.7.gn..\U.;3... v7....Y..Eu......H.n.].T...P.....g...1au..|9.Jb.N.........-l0B....\...*.9n...Q.JSp..{.z..Q9...%.....0..W..ug......q.G.L....]%lg6.<qD<v............k%_j....TMc.....2...G....{.T7..k...C2.'.9....T..Tj...:N.C.M..?..C.DD=...mR:.uD.Ymd9..qYp..qSz.J&_>.J.>.V.-?......U:C..!...*..$B..uA.5...PK.........`nE....m...5.......css\style.css...n.0...C... .@aLZw.a..&..H.(...../M...].............4q.......n..YXL...x4k....g<z..v..X.,.(...q3*.7&./M.2T..P.,-H.....L)YT.....y].>.p......)Y.....|.) U.oCp&..Y./....EL...q..m........C....s..;.e2.@...x..6....>..=5..".....9...5O.d.;d7K..h;.aUH.'.. ..K-.u.s4nX'. ...W.|...6.W.W........?#...............Q.^..y.h.m...n.4L_.i=.....................R._A....W.... sC.1]V...PK.........`nE.H}.1....k......js\jquery-1.10.2.min.js..i....0.}....D4m@.f...'.]....N....;

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=364887, public, no-transform, must-revalidate

Last-Modified: Thu, 23 Apr 2015 08:35:12 GMT

Expires: Thu, 30 Apr 2015 08:35:12 GMT

Date: Sun, 26 Apr 2015 03:15:10 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150423083512Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20150423083512Z....20150430083512Z0...*.H.............._J.r.R......~..^'r...w..H-C3.].Y....1.X.j .........Dd..........z.*.B/...V....WB.q..9....mY.<.$...]........r.D'.....mm.....lHp.......@..............nQ.w>.......R..'.!.........i..^......h...AB.....IJI.......).8~...dC*7*.?....l.....C.'Lb...,...N....;../W.......#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQD+rJ0jfxxchg== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.godaddy.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:14:58 GMT

Server: Apache

Content-Transfer-Encoding: Binary

Cache-Control: max-age=121159, public, no-transform, must-revalidate

Last-Modified: Sun, 26 Apr 2015 02:40:34 GMT

Expires: Mon, 27 Apr 2015 14:40:34 GMT

ETag: "3111f9e04d8ebef8ea6a55fe00deee5518579974"

Content-Length: 1788

Connection: close

Content-Type: application/ocsp-response

0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G2..20150426024034Z0l0j0B0... ..........._lkv...8..f..R34N..@..'..4.0.3..l...,........#..\.....20150426024034Z....20150427144034Z0...*.H...............Q.D1..f...@h;R.|.O......CO*...P.<...v..6.q.........^..r...!o...yk.t>65h.z.7k....O...].5t*.E......"$d.[...H'A...G%b.C.k;=|..{;*sqi......i..S.}..A.7..... @./}.j.3E.P.~\... ....b..y"...y.J...w!..Ea{..5....Vir...ih.}..[......J..Su.....V......5.e..A..q..[uB^*....0...0...0..........,.z.Hl..0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20...150316070000Z..160316070000Z0x1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Validation Authority - G20.."0...*.H.............0.........xo(....QQ.`L.~...&...a.F.=.....d=....."......?...\..........b.D....l=.HS.N......A..;HTTP/1.1 200 OK..Date: Sun, 26 Apr 2015 03:14:58 GMT..Server: Apache..Content-Transfer-Encoding: Binary..Cache-Control: max-age=121159, public, no-transform, must-revalidate..Last-Modified: Sun, 26 Apr 2015 02:40:34 GMT..Expires: Mon, 27 Apr 2015 14:40:34 GMT..ETag: "3111f9e04d8ebef8ea6a55fe00deee5518579974"..Content-Length: 1788..Connection: close..Content-Type: application/ocsp-response..0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizona

<<< skipped >>>

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.wpm HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:19 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"0.61 ms","message":"store 1 action and 0 update "}..0..

GET /0.gif?2920545&101 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: sstatic1.histats.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:13:08 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

Set-Cookie: CountUid=b3ea9fc7-f8pi-4cbb-9ea2-8658212e6140; domain=.histats.com; Max-Age=31536000; Expires=Wed, 13-May-2015 03:53:37 GMT

GIF89a.............!.......,...........D..;..

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: WinHttpClient

Content-Length: 100

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceStart":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:44 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /v4/sof-installer/535559167_198339_B48A115F?action=cvs.installer.mystartsearch.RegWrite HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Pi/3.1415926

Host: xa.xingcloud.com

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 26 Apr 2015 03:11:18 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

xa-api-version: v4

48..{"stats":"ok","time":"1.23 ms","message":"store 1 action and 0 update "}..0..HTTP/1.1 200 OK..Server: nginx/0.7.67..Date: Sun, 26 Apr 2015 03:11:18 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.3..xa-api-version: v4..48..{"stats":"ok","time":"1.23 ms","message":"store 1 action and 0 update "}..0..

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 414

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckSuccessful","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"elex/websearches/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 0

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 378

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:58 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"DownloadScreenShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:58 GMT

Connection: close

Content-Length: 0

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT

Accept-Ranges: bytes

ETag: "2711f7277076d01:0"

Server: Microsoft-IIS/8.5

VTag: 791500626200000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Sun, 26 Apr 2015 03:11:25 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b.HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT..Accept-Ranges: bytes..ETag: "2711f7277076d01:0"..Server: Microsoft-IIS/8.5..VTag: 791500626200000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 554..Cache-Control: max-age=900..Date: Sun, 26 Apr 2015 03:11:25 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t...

<<< skipped >>>

GET /pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar HTTP/1.1

Host: download.cdn.mozilla.net

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=900000-1199999

Connection: keep-alive

HTTP/1.1 206 Partial Content

Last-Modified: Wed, 26 Nov 2014 16:59:55 GMT

ETag: "4b1e700-2dc5623-508c5f506dac8"

Server: Apache

X-Backend-Server: ftp3.dmz.scl3.mozilla.com

Content-Type: application/octet-stream

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

X-Cache-Info: cached

Cache-Control: max-age=110518

Expires: Mon, 27 Apr 2015 09:53:04 GMT

Date: Sun, 26 Apr 2015 03:11:06 GMT

Content-Range: bytes 900000-1199999/47994403

Content-Length: 300000

Connection: keep-alive

d,.f.\s..H.vB9..b.I`.b..8%..g..m....x..*.....{....?..u;f....._nU._......y q....].~..N...=....c.:..wuz. g...O?....*-..U..,..]u.iE...9..s.gN..5.A.v....;BK..H.....>.J..T.n.#. .......^:...9.giR..h.s..dX[:..D..3...I.`.5..pb.s.-..........P...M.3.,.Z.....t.&Z$nJ."o'.\..O.h.B,Y.......W.........!<.eu.BWsJ.=...Z.l....~..l'...l..9l|....d.x....Fw.B.Gv8....2.XJ.Ed..r...V.J.%.$.~^..N..b.....!..w h-..3.......C[m......R.*/.@.mJg..L.......t.#A....X......D.B.....w.d...$6....8.I....GP..e...o\.UJ.u..yX.I....c..<KG..T......L..mT..,7rA..g..".?....../.&...dI......&.. .k..p.....s..J\..J..p....!.1(...U...A=.......D.....{.H.....v..5!..w.......&.s|......=...V...Ig..Dp..@k..*...o".......Q..r..l]u.u/...(.i......(..j........1.g7..f._N..eVm..~...)%.hX0Zm............z.w...R.".^.hI.Q..nZ@..|....@l4....z...f..ll..._.....(!$....gR..;O.$$#...w.{.k.hB.4.?.....u.$...&}.......Od.. ....".......;[.7@.......n....h$.n.[...B?n......$.\%2........!S...l.(.k...:......c...h.f/...x..VZ..A..R*~....dHh.....9...I.m IW..a1.$u8..o..@........h<...i.v./-.\-......d..~h..H. ..6.M..0....Z.A.T....N..K @....j%....U:.^..z...~.I.....F"..J...`.......1F$...s.D......x$O6....;r.P./.es4.*......n.{g._.U..R?(......|.....B.......m.N....p&.Z......*..ZQ..VR..[..8@".1xy.P..........z.n^.<....^...n3...1...'Ki../...n.A.........cs...0n@Zh.W....B..<.M$..2..|.v.n/6...V........lE/......w8-........-R..\e...WA...756.H.]/d.....-......'......... ..4J@.<.S.4....Fu6%...du.iP.....*>........%/..>#..}....._...c.b.f..!...D%L...../.......,...o&u...#..1...Ex.k.P.. .S.J/......

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 414

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:35 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferInstallCompleted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:13:35 GMT

Connection: close

Content-Length: 0

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 420

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:06 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"RequirementsCheckSuccessful","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"clickmein ltd/vuupc fs/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 0

POST /1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service HTTP/1.1

Connection: close

Content-Type: text/plain

User-Agent: WinHttpClient

Content-Length: 102

Host: VVV.pcspeeduplog.com

"uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","productID":1,"version":"3.9.8.0","serviceRunning":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:44 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /SysInfo/count_vn.php?ch=test HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:12:24 GMT

Content-Type: text/html

Content-Length: 45438

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.21

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......p...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc........p.......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /SysInfo/count_vc.php?ch=test HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:12:39 GMT

Content-Type: text/html

Content-Length: 98816

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.21

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.<.2mR.2mR.2mR.]..."mR.]....mR.]...QmR.;...5mR.2mS.fmR.]...1mR.]...3mR.Rich2mR.........................PE..L......T.....................r......pH....... ....@.......................................@.................................L[..P....................................!..............................8L..@............ ..D............................text...{........................... ..`.rdata...B... ...D..................@..@.data...@1...p.......T..............@....rsrc................f..............@..@.reloc..l............h..............@..B........................................................................................................................................................................................................................................................................................................................................................U.............rA.3...$....S... A.VW3...JA.9~.u9h.....D$.j.P. ........Qh.KA..T$..L...h.JA..L$............h.........;=..A.v...$...._^[3.3..a4....]................U...M..E.PQjdR..5.....].........3...............U...E..V....dKA.t.V..3.......^]..........j.j.j.j.P..8!A..]..u...........t).N........u..........F........u....B......E...u...t).N........u..........F........u....B......E...u...t).N........u..........F........u....B......M.Q.E......1...2........t).V........u..........N........u....P......E...u...t).F.

<<< skipped >>>

GET /SysInfo/glob.php?ch=test&sof=4 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:12:54 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.21

0..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 26 Apr 2015 03:12:54 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5.21..0......

GET /vuupc/stats.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 26 Apr 2015 03:13:31 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.21

e..21430018110LP7..0..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 26 Apr 2015 03:13:31 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5.21..e..21430018110LP7..0..

GET /?product=firefox-34.0.5-complete&os=win&lang=en-US HTTP/1.1

Host: download.mozilla.org

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Range: bytes=900000-1199999

Cookie: optimizelySegments={"245617832":"none","245875585":"direct","245677587":"ff","246048108":"false","869421433":"true"}; optimizelyEndUserId=oeu1401956287616r0.2603029596469415; optimizelyBuckets={}; __utma=150903082.1617578787.1401956289.1401956289.1401956289.1

Connection: keep-alive

HTTP/1.1 302 Found

Server: Apache

X-Backend-Server: bouncer4.webapp.phx1.mozilla.com

Cache-Control: max-age=60

Content-Type: text/html; charset=UTF-8

Date: Sun, 26 Apr 2015 03:11:02 GMT

Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar

Keep-Alive: timeout=3, max=489

Content-Length: 0

Connection: Keep-Alive

X-Cache-Info: cached

HTTP/1.1 302 Found..Server: Apache..X-Backend-Server: bouncer4.webapp.phx1.mozilla.com..Cache-Control: max-age=60..Content-Type: text/html; charset=UTF-8..Date: Sun, 26 Apr 2015 03:11:02 GMT..Location: hXXp://download.cdn.mozilla.net/pub/firefox/releases/34.0.5/update/win32/en-US/firefox-34.0.5.complete.mar..Keep-Alive: timeout=3, max=489..Content-Length: 0..Connection: Keep-Alive..X-Cache-Info: cached..

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT

If-None-Match: "a1132b8ef65d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT

ETag: "a1132b8ef65d01:0"

Cache-Control: max-age=900

Date: Sun, 26 Apr 2015 03:11:56 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT..ETag: "a1132b8ef65d01:0"..Cache-Control: max-age=900..Date: Sun, 26 Apr 2015 03:11:56 GMT..Connection: keep-alive..

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 371

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:07 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductShown","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:10 GMT

Connection: close

Content-Length: 0

POST /config-from-production HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-configs.buzzrin.de

Content-Length: 219

Connection: Close

{"os":"WinNT","osver":"6.1.7601 (Service Pack 1) SP: 1.0","lang":"en-US","uid":"c0322acd-5e5d-42f0-b163-c591ee6ff5b9","prod":"soft-warenet/1.0/campaigns/product website/","expiresOn":"2115-04-17T05:29:59.9719135 00:00"}

HTTP/1.1 200 OK

Content-Type: text/plain

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:08 GMT

Connection: close

Content-Length: 10123

{"certificate":"cyberservices","productSetup":"downloadguide/temp/e4b8f397-103f-4dc2-b462-a5bf20471890/DoNothing.exe","windowHeight":389,"windowWidth":506,"product":{"version":"1.0","displayName":"Soft-WareNet","installCodeJs":"","installTest":"true","files":[{"url":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/exe/DoNothing.exe","localFile":"DoNothing.exe","cmdParametersJs":"","fileType":{"name":"Product","assemblyQualifiedName":"Freemium.Domain.Campaign.Product, Freemium.Domain"},"etag":null,"hash":null,"isExternalFile":false,"region":"default","version":"1.0","id":"donothing/1.0/default","name":"DoNothing","isEncoded":false}],"uiFile":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/soft-warenet-flow-5-text-en-us.zip","logo":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/DoNothing.png","installationPath":"","infoText":"<p>We will not save either your IP address or other user data. We will only evaluate anonymised statistics for the optimization of the usability and our product. By using the downloader you agree to the usage of such data according to our strict privacy policy guidelines. Please read our detailed licence agreement (EULA) as well.</p><p>In order to finance our service we permit software producers to advertise their products in the downloader. Before the integration every product of our

<<< skipped >>>

GET /public-source/downloadguide/soft-warenet/1.0/default/campaigns/product website/ui/websearches-single-text-en-us.zip HTTP/1.1

Cache-Control: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: az687722.vo.msecnd.net

Connection: Close

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=3600

Content-MD5: t5d9xFrjre0T4zeVhcBpwg==

Content-Type: application/octet-stream

Date: Sun, 26 Apr 2015 03:10:09 GMT

Etag: 0x8D2292EAEAAFDBD

Last-Modified: Tue, 10 Mar 2015 09:49:48 GMT

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

X-Cache: HIT

x-ms-blob-type: BlockBlob

x-ms-lease-status: unlocked

x-ms-request-id: 4587b7e4-0001-003a-71ce-7f2693000000

x-ms-version: 2009-09-19

Content-Length: 40632

Connection: close

PK........'f[F..U...... ......index.html.Z.n.Ir.[...}...u.(.... J.%.6.K.Dj.'....&..pf.{.4....I.....(y.|U.=.R?,....Lr......=...bx>.p...r....?u..^w.dB_....Su.=t..h.J.-eq..\..It.g......P......T..Cby,..4V.'........Tgw...O.[........T..Re$.FMO".....Q.:.66.(.5.I...~.s.....s......Y......5.....Z.*.K.g.}..~...F...2.D.....|..8e2.vdQt...B.l...Ty^......Z.Tk..\::9v...?......2...;.<.lk....8..]..G...(...K....$.....}z.......:..l...-...$.9(....l)...JS......,...z...er...a...*J..1.&.g.n......h.......}...f....S...l.......u6......Ee.,.k..!.Z...?_f.X...9[..V.T..>..q.[E5r..B.Y.-..O..........=...M.$.: .. '.>.!..D.P...8..:Q..r...v .....s.z...|..W.....m........^.|.,.H.z.Y..w....R.9.OT.......I......|C[.<.....D....~.t.6s$.r}.&A...o`D~.E....\...G....".....!...^tpAm....i>..*...".?H...BL...=....O6.P........xn.. *...V.V.[...Z/...O...DDDq...4g....,.....~U..zA!.. ..K.5.%[r3&2...qexe.%..N.....!......evR...9..x....v.....zA........<......(yW...j.6&....d..88j......ai.......c..5..y.@7..6..M..&G........OL...s!4.z!........k..|./.....e....F}.$2..E.....q.$.V..4;..'.....#.@..*...~......o.,U.........U..~..?;.Rb8mEt....!...N.......m.4e?..y..[....5.UZ..|e.!..x1..L....Z.b..6.......;....3.R..H7S.D[.#.&F..[...O.Be.....H.R....$Z.(..[.ZI...z1;.k{]..:9.....HR.O.?.[$.J..%..[v......{.U........;9..P=7...ic.....2i<...HU...=.8.H.......yQ..._.......zu_...O.a..A.........k..U..s.X...,1.U..o[$.....Y"2....t....{.%:.Fhw~t:..\..........f.8.~...........}......"..{7.....}.g....>..Wo.c0...g..........|x5....X.]....~...5....~.J./.D..,Gd..;...J:........!.

<<< skipped >>>

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 406

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:10:45 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"OfferAccepted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"speedchecker/pcspeedup/1.0/default","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:10:45 GMT

Connection: close

Content-Length: 0

POST /1/dg/3 HTTP/1.1

Cache-Control: no-cache

Content-Type: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: dlg-messages.buzzrin.de

Content-Length: 380

Connection: Close

{"BuildId":"5b3bffc2-063e-4276-ac76-962e903512c2","Client":"freemium","DlgVersion":"3.1.0.197","Culture":"en-US","LocalTime":"2015-04-26T03:13:37 03:00","SessionId":"605fd6a5-e52b-46e1-aac0-e9001bb68656","MessageName":"ProductInstallStarted","Product":"soft-warenet","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Sun, 26 Apr 2015 03:13:37 GMT

Connection: close

Content-Length: 0

GET /gs/gscodesigng2.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.globalsign.com

HTTP/1.1 200 OK

Date: Sun, 26 Apr 2015 03:15:01 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 3023

Connection: keep-alive

Set-Cookie: __cfduid=d4aa5625df3b911142708b6d8e18392451430018101; expires=Mon, 25-Apr-16 03:15:01 GMT; path=/; domain=.globalsign.com; HttpOnly

Expires: Sun, 03 May 2015 01:00:00 GMT

Last-Modified: Sun, 26 Apr 2015 01:00:00 GMT

Cache-Control: public, max-age=596699

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 1dcf1eeb52e00f75-FRA

0...0......0...*.H........0Q1.0...U....BE1.0...U....GlobalSign nv-sa1'0%..U....GlobalSign CodeSigning CA - G2..150426010000Z..150503010000Z0...0#...!......{O...f...D..120801152402Z0#...! ......eq.8.\..v..121119212403Z0#...!.#.... ...;.h..8..121119212406Z0#...!....:...#f5&u..i..121119212410Z0#...!...J~.^.t.........121119212413Z0#...!r.y.....5=..h([I..121119212416Z0#...!...T.}......td.n..121119212419Z0#...!.e....U.G.........121119213604Z0#...!qiS13S... ny...#..121119222403Z0#...!U. !..QQ....~..'..121119222411Z0#...!...ta..mXks.`7....121119222413Z0#...!....:,.opI>...b...121119222415Z0#...!i...d..........X..121119222417Z0#...!..........-..'....121119222419Z0#...!.{U.s.J..|.G;.....121119222422Z0#...!....7M........./..121119222425Z0#...!......tu.......-..121119222427Z0#...!..........m.......121119222430Z0#...!.pj@.i(S<....k....121119223603Z0#...!H....{.....>......121119223613Z0#...!_...Lg....s-.k....121119224803Z0#...!......iS...2{..A..121119224807Z0#...!....E.i...E.\I ...121119224809Z0#...!....j.Y....%u..d..121119224811Z0#...!S......c.......,..121119224814Z0#...!I.d.6..q..........121119224816Z0#...!.7T..T..E.........121119224818Z0#...!.8V...|.c.1.<..$..121119224821Z0#...!..5H..A.PA".......121119224823Z0#...!..9|....p..A...~..121119224825Z0#...!...z..g{g.Mt..G...121120180003Z0#...!5....u.H.5.n..K...121121154803Z0#...!a. ..5.Q.....g.Y..121127202406Z0#...!.9...^............130118021202Z0#...!.g.|.d..-,...A....130201163603Z0#...!......R..B.....h..130212223046Z0#...!....oL$Ds.|...IN..130327184808Z0#...!,oYM;.

<<< skipped >>>

POST /upload.php HTTP/1.1

Content-Type: multipart/form-data; boundary=8d24dff12ad36c6

Host: 151.236.26.173

Cache-Control: no-store,no-cache

Pragma: no-cache

Content-Length: 104857685

Expect: 100-continue

Connection: Close

HTTP/1.1 100 Continue

....

POST /log?index=cc9534a2adc111e286841231390e9c34&sourcetype=installer HTTP/1.1

Connection: close

Content-Type: text/plain; Charset=UTF-8

Accept: */*

User-Agent: PCSUInstaller

Content-Length: 124

Host: VVV.pcspeeduplog.com

"productID":1,"version":"3.9.8.0","uniqueID":"BC8DD994-FD51-4D87-B86E-7BF4AAB4FDC1","Start":1,"OS":"6.1.7601-SP1","silent":1

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 26 Apr 2015 03:11:21 GMT

Content-Type: text/plain

Content-Length: 17

Connection: close

Last-Modified: Mon, 12 Aug 2013 21:11:59 GMT

ETag: "52094f9f-11"

Accept-Ranges: bytes

log completed: OK..

GET /msdownload/update/v3/static/trustedr/en/D69B561148F01C77C54578C10926DF5B856976AD.crt?fb2283c00361ac01 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Content-Type: application/x-x509-ca-cert

Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT

Accept-Ranges: bytes

ETag: "05934e1494dd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 867

Date: Sun, 26 Apr 2015 03:14:43 GMT

Connection: keep-alive

0.._0..G.............!XS..0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...090318100000Z..290318100000Z0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0.."0...*.H.............0.........%v.y.x".......(...v....r.F.C....._$..K.`.F.R...Gpl.d...,...=. .......y.;..w...I.jb/.^..h..'.8...>..&Y.s....&.....[...`.I.(.i;...(....aW7.t..t.:.r/.......=...3.. .S.:.s..A. :......O..2`.W....hh.8&`u..w..... I..@.H..1a.^....w.d.z._....b..l.Ti....n...qv.i.........B0@0...U...........0...U.......0....0...U........K...E$.MP.c.......0...*.H.............K@..P.......TEI....A.....(.3.k.t...-..........sgJ..D{x..nlo.).39E....Wl.....S.-.$l..c..ShgV>...5!..h....S......]F...zX(./....7A..Dm.S(.~.g.........L'.L.ssv.....z..-....,.<.U...~6..WI...-|`..AQ.#...2k.....,3.:;%..@.;,.x.a/....Uo.....M.(.r..bPe.....1....GX?_HTTP/1.1 200 OK..Content-Type: application/x-x509-ca-cert..Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT..Accept-Ranges: bytes..ETag: "05934e1494dd01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 867..Date: Sun, 26 Apr 2015 03:14:43 GMT..Connection: keep-alive..0.._0..G.............!XS..0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...090318100000Z..290318100000Z0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0.."0...*.H.............0.........%v.y.x".......(...v....r.F.C....._$..K.`.F.R...Gpl.d...,...=. .......y.;..w...I.jb/.^..h..'.8...>..&Y.s....&.

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2192:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

rs\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll

rs\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\setup_plugin.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp

h-g}j

h-g}j

vT%SJLAu

vT%SJLAu

.reloc

.reloc

GetProcessHeap

GetProcessHeap

setup_plugin.dll

setup_plugin.dll

/.yy\\

/.yy\\

{{ssHH

{{ssHH

7;;??##'' //

7;;??##'' //

12::""**

12::""**

1266::>>""&&**..

1266::>>""&&**..

2377;;??##'' //

2377;;??##'' //

=>::6622..**&&""

=>::6622..**&&""

34

34

4511==99%%!!--))

4511==99%%!!--))

78

78

9:>>2266**..""&&

9:>>2266**..""&&

>?;;7733// ''##

>?;;7733// ''##

9:22**""

9:22**""

23;;##

23;;##

=>66..&&

=>66..&&

0199!!))

0199!!))

8911))!!

8911))!!

;

;

.NP,"

.NP,"

u%c$#

u%c$#

|%Sp&

|%Sp&

L-3}c

L-3}c

nssD02B.tmp

nssD02B.tmp

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp

c:\%original file name%.exe

c:\%original file name%.exe

%original file name%.exe

%original file name%.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nssD02A.tmp

ers\"%CurrentUserName%"\AppData\Local\Temp\nssD02A.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

)-.Yln

)-.Yln

Nullsoft Install System v2.46

Nullsoft Install System v2.46

nsissetup.exe_2868:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

8%uEP3

8%uEP3

?.uEW

?.uEW

operator

operator

GetProcessWindowStation

GetProcessWindowStation

RegOpenKeyTransactedW

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

RegDeleteKeyExW

F3.1.0.197

F3.1.0.197

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyExW

RegEnumKeyExW

RegEnumKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegQueryInfoKeyW

RegQueryInfoKeyW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

SHLWAPI.dll

SHLWAPI.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

%s '%s' [err=%d]

%s '%s' [err=%d]

%s [f='%s']

%s [f='%s']

%s [n=%d] -> hr=0xx

%s [n=%d] -> hr=0xx

%s [f=0x%p,t=%u]->id=%u

%s [f=0x%p,t=%u]->id=%u

%s -> watch for self-living object 0x%p

%s -> watch for self-living object 0x%p

%s -> self-living object 0x%p has finished the work -> wait when it is done

%s -> self-living object 0x%p has finished the work -> wait when it is done

%s -> drop self-living object 0x%p as it is done

%s -> drop self-living object 0x%p as it is done

- got tag of %d bytes

- got tag of %d bytes

%s [id=%u,call=%d]

%s [id=%u,call=%d]

- hr=0xx

- hr=0xx

DLG ENTRY v%s WIN%d.%d.%d ÛIT IE%d.%d

DLG ENTRY v%s WIN%d.%d.%d ÛIT IE%d.%d

).uE(

).uE(

{P:d T:d S:%d D:d.d.d} %s

{P:d T:d S:%d D:d.d.d} %s

!>%s [

!>%s [

name='%s'

name='%s'

%s, f='%s'

%s, f='%s'

%s [f='%s',len(d)=%d]

%s [f='%s',len(d)=%d]

%s [id=%s,type=%s]

%s [id=%s,type=%s]

- size: %d

- size: %d

%d.%d

%d.%d

kernel32.dll

kernel32.dll

user32.dll

user32.dll

wininet.dll

wininet.dll

DeleteUrlCacheEntryW

DeleteUrlCacheEntryW

HttpOpenRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

InternetCrackUrlW

InternetCrackUrlW

urlmon.dll

urlmon.dll

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

shlwapi.dll

shlwapi.dll

oleaut32.dll

oleaut32.dll

advapi32.dll

advapi32.dll

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

psapi.dll

psapi.dll

%s [this=0x%p]

%s [this=0x%p]

JsFileExecution::JsFileExecution

JsFileExecution::JsFileExecution

JsFileExecution::~JsFileExecution

JsFileExecution::~JsFileExecution

JsFileExecution::doWorkRoutine

JsFileExecution::doWorkRoutine

- queue #%d: %d items, add 0x%p

- queue #%d: %d items, add 0x%p

- queue #%d: %d items, run 0x%p

- queue #%d: %d items, run 0x%p

- request start: this=0x%p (v=%d)

- request start: this=0x%p (v=%d)

- request end: this=0x%p, hr=0xx

- request end: this=0x%p, hr=0xx

- drop cache for '%s'

- drop cache for '%s'

this=0x%p,f='%s',d='%s'

this=0x%p,f='%s',d='%s'

- DefWinProc -> %d

- DefWinProc -> %d

%s [this=0x%p,show=%d]

%s [this=0x%p,show=%d]

%s [file='%s']

%s [file='%s']

%s [this=0x%p, root=lx, path='%s', f=0xlx] -> %d

%s [this=0x%p, root=lx, path='%s', f=0xlx] -> %d

- ID:='%s'

- ID:='%s'

len(code)=%d

len(code)=%d

f='%s'

f='%s'

%s, count=%d

%s, count=%d

%s, name='%s'

%s, name='%s'

Eval, len(expr)=%d, ns='%s', hr=0xx

Eval, len(expr)=%d, ns='%s', hr=0xx

CScriptSiteObj::GetItemInfo, name='%s'

CScriptSiteObj::GetItemInfo, name='%s'

- unpack `this`, hr=0xx

- unpack `this`, hr=0xx

%s [this=0x%p,main=%d,url='%s']

%s [this=0x%p,main=%d,url='%s']

%s [url='%s']

%s [url='%s']

%s, hwnd=0x%p

%s, hwnd=0x%p

- enum http_response_headers: '%s' (0xx)

- enum http_response_headers: '%s' (0xx)

- enum http_response_headers '%s' -> '%s'

- enum http_response_headers '%s' -> '%s'

- start a %sloader at %lu

- start a %sloader at %lu

HTTP/1.1

HTTP/1.1

- request range %lu-%lu by '%s'

- request range %lu-%lu by '%s'

%s, this=0x%p

%s, this=0x%p

%s, this=0x%p, auto=%d

%s, this=0x%p, auto=%d

- send, counter=%d

- send, counter=%d

- status: %d

- status: %d

- stop on range write, hr=0xx

- stop on range write, hr=0xx

- read %lu bytes by %lu portions

- read %lu bytes by %lu portions

- has etag: %s

- has etag: %s

%s, this=0x%p, handle=0x%p, status=%d

%s, this=0x%p, handle=0x%p, status=%d

^-- server IP is '%s'

^-- server IP is '%s'

^-- host is '%s'

^-- host is '%s'

i)%UUUUUU\

i)%UUUUUU\

(h(%UU

(h(%UU

-1N}wZ

-1N}wZ

X.saN

X.saN

wQ.SsD

wQ.SsD

M.uix

M.uix

0$0(0,0|0

0$0(0,0|0

5,585\5|5

5,585\5|5

4$4,484\4|4

4$4,484\4|4

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

KERNEL32.DLL

KERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

Advapi32.dll

Advapi32.dll

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

scriptMain.js

scriptMain.js

ScriptInterfaces.tlb

ScriptInterfaces.tlb

.part

.part

http_response_headers

http_response_headers

SupportsRange

SupportsRange

Range%d

Range%d

http_response_status

http_response_status

http_response_body

http_response_body

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssD02B.tmp\nsissetup.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLGD123.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLGD123.tmp

ProtectWindowsManager.exe_3500:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

j.Yf;

j.Yf;

_tcPVj@

_tcPVj@

.PjRW

.PjRW

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

SHELL32.dll

SHELL32.dll

function not supported

function not supported

operation canceled

operation canceled

address_family_not_supported

address_family_not_supported

operation_in_progress

operation_in_progress

operation_not_supported

operation_not_supported

protocol_not_supported

protocol_not_supported

operation_would_block

operation_would_block

address family not supported

address family not supported

broken pipe

broken pipe

inappropriate io control operation

inappropriate io control operation

not supported

not supported

operation in progress

operation in progress

operation not permitted

operation not permitted

operation not supported

operation not supported

operation would block

operation would block

protocol not supported

protocol not supported

GetProcessWindowStation

GetProcessWindowStation

operator

operator

SHLWAPI.dll

SHLWAPI.dll

%dYeArdMoNthdDaY

%dYeArdMoNthdDaY

URLDownloadToFileA

URLDownloadToFileA

file_url

file_url

ShellExecuteExW

ShellExecuteExW

SHDeleteKeyW

SHDeleteKeyW

GetWindowsDirectoryA

GetWindowsDirectoryA

GetProcessHeap

GetProcessHeap

GetSystemWindowsDirectoryW

GetSystemWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

RegCreateKeyExW

RegCreateKeyExW

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

ReportEventW

ReportEventW

ADVAPI32.dll

ADVAPI32.dll

PSAPI.DLL

PSAPI.DLL

USERENV.dll

USERENV.dll

VERSION.dll

VERSION.dll

GetCPInfo

GetCPInfo

zcÁ

zcÁ

263f3k3z3

263f3k3z3

=>>_> ?`?}?

=>>_> ?`?}?

5 5$5(5,5

5 5$5(5,5

? ?$?(?,?0?4?8?

? ?$?(?,?0?4?8?

:$:,:8:\:|:

:$:,:8:\:|:

%s_%s

%s_%s

\\.\Phys

\\.\Phys

..\Src\json\src\json_value.cpp

..\Src\json\src\json_value.cpp

..\Src\json\src\json_reader.cpp

..\Src\json\src\json_reader.cpp

xxxx

xxxx

..\Src\json\src\json_writer.cpp

..\Src\json\src\json_writer.cpp

kernel32.dll

kernel32.dll

mscoree.dll

mscoree.dll

- CRT not initialized

- CRT not initialized

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- floating point support not loaded

- floating point support not loaded

USER32.DLL

USER32.DLL

portuguese-brazilian

portuguese-brazilian

WindowsMangerProtect

WindowsMangerProtect

SOFTWARE\supWindowsMangerProtect

SOFTWARE\supWindowsMangerProtect

xa.geoip

xa.geoip

visit.heartbeat

visit.heartbeat

ProtectWindowsManager.exe

ProtectWindowsManager.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

TypesSupported

TypesSupported

%s is already installed

%s is already installed

%s installed

%s installed

%s failed to install. Error %d

%s failed to install. Error %d

%s is not installed

%s is not installed

Could not remove %s. Error %d

Could not remove %s. Error %d

WindowsProtectManger

WindowsProtectManger

Advapi32.dll

Advapi32.dll

/c ping 127.0.0.1 -n 2 > nul && del

/c ping 127.0.0.1 -n 2 > nul && del

"%s" %s

"%s" %s

psapi.dll

psapi.dll

Explorer.exe

Explorer.exe

urlmon.dll

urlmon.dll

update.exe

update.exe

Assertion failed: %s, file %s, line %d

Assertion failed: %s, file %s, line %d

WindowsMangerProtect Service

WindowsMangerProtect Service

C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe

C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe

WindowsMangerProtect service

WindowsMangerProtect service

SysTool PasSame LIMITED

SysTool PasSame LIMITED

Windows SysTool Svr

Windows SysTool Svr

20.0.0.2227

20.0.0.2227

Windows SysTool.exe

Windows SysTool.exe

ProtectService.exe_3684:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

GET %s%s%s HTTP/1.1

GET %s%s%s HTTP/1.1

Host: %s

Host: %s

%sUser-Agent: Mozilla/4.0

%sUser-Agent: Mozilla/4.0

POST %s HTTP/1.1

POST %s HTTP/1.1

%sContent-Type: %s

%sContent-Type: %s

User-Agent: Mozilla/4.0

User-Agent: Mozilla/4.0

Content-Length: %u

Content-Length: %u

%*s %d %*s

%*s %d %*s

%*[ ]%[^

%*[ ]%[^

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

file_url

file_url

E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb

E:\supsoft\SupSearchProtectV4\SearchProtect\Bin\Release\ProtectService.pdb

GetProcessHeap

GetProcessHeap

GetSystemWindowsDirectoryW

GetSystemWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

RegOpenKeyW

RegOpenKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

MSVCP110.dll

MSVCP110.dll

InternetCrackUrlW

InternetCrackUrlW

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

SHLWAPI.dll

SHLWAPI.dll

MSVCR110.dll

MSVCR110.dll

_crt_debugger_hook

_crt_debugger_hook

__crtUnhandledException

__crtUnhandledException

__crtTerminateProcess

__crtTerminateProcess

_calloc_crt

_calloc_crt

__crtGetShowWindowMode

__crtGetShowWindowMode

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

__crtSetUnhandledExceptionFilter

__crtSetUnhandledExceptionFilter

WinHttpCloseHandle

WinHttpCloseHandle

WinHttpOpen

WinHttpOpen

WinHttpSetTimeouts

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpConnect

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpSetOption

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpSendRequest

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetProxyForUrl

WinHttpGetProxyForUrl

WinHttpWriteData

WinHttpWriteData

WinHttpReceiveResponse

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReadData

WINHTTP.dll

WINHTTP.dll

SensApi.dll

SensApi.dll

VERSION.dll

VERSION.dll

PSAPI.DLL

PSAPI.DLL

USERENV.dll

USERENV.dll

.?AVCHttpClient@@

.?AVCHttpClient@@

.?AVCTcpipSocket@@

.?AVCTcpipSocket@@

2-2v2

2-2v2

hXXp://

hXXp://

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

http=

http=

WinHttpClient

WinHttpClient

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) in my heart of heart.

hXXp://xa.xingcloud.com

hXXp://xa.xingcloud.com

xxxx

xxxx

%u_%u

%u_%u

%s_%s

%s_%s

%s_X

%s_X

\\.\PhysicalDrive%d

\\.\PhysicalDrive%d

UpDateProcess.exe

UpDateProcess.exe

hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s

hXXp://VVV.theviilage.com/searchprotect/up?ptid=%s&sid=%s&ln=%s_%s&ver=%s&uid=%s&dp=%s

g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}

g{2EFFE99D-743D-44D0-BBF2-F9DDDEA2F92D}

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

Report HeartBeat

Report HeartBeat

cmdshell.exe

cmdshell.exe

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=visit.heartbeat.%s&update0=ref,%s&update1=nation,%s&update2=language,%s&update3=version,%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action0=xa.geoip&action1=visit&action2=install

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=uninstall

explorer.exe

explorer.exe

Advapi32.dll

Advapi32.dll

"%s" %s

"%s" %s

psapi.dll

psapi.dll

Explorer.exe

Explorer.exe

json_value.cpp

json_value.cpp

ljson_reader.cpp

ljson_reader.cpp

ProtectSvc.exe

ProtectSvc.exe

4.0.1.2253

4.0.1.2253

HPNotify.exe_3756:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

wszUrl

wszUrl

strUrlTemp

strUrlTemp

hKEY

hKEY

strSelUrl

strSelUrl

strUrl

strUrl

strConfUrlTemp

strConfUrlTemp

strDsUrl

strDsUrl

strHpUrl

strHpUrl

strCmdLine

strCmdLine

tCPW

tCPW

%UUUU

%UUUU

e_GetBrowserCurrentHpUrl

e_GetBrowserCurrentHpUrl

e_GetBrowserCurrentDsUrl

e_GetBrowserCurrentDsUrl

URLDownloadToFileW

URLDownloadToFileW

URLDownloadToFileW ret:0XX

URLDownloadToFileW ret:0XX

Error : %d

Error : %d

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

1.1.3

1.1.3

monochrome

monochrome

unsupported bit depth

unsupported bit depth

`'\%D,3

`'\%D,3

Run-Time Check Failure #%d - %s

Run-Time Check Failure #%d - %s

%s%s%p%s%ld%s%d%s

%s%s%p%s%ld%s%d%s

%s%s%s%s

%s%s%s%s

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

del /s/q %1\*.*

del /s/q %1\*.*

%suninstall.bat

%suninstall.bat

E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb

E:\supsoft\SupSearchProtectV4\SearchProtect\bin\Release\HPNotify.pdb

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

ShellExecuteA

ShellExecuteA

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

MSVCP110.dll

MSVCP110.dll

MSVCR110.dll

MSVCR110.dll

_calloc_crt

_calloc_crt

_CRT_RTC_INITW

_CRT_RTC_INITW

__crtGetShowWindowMode

__crtGetShowWindowMode

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

_crt_debugger_hook

_crt_debugger_hook

__crtUnhandledException

__crtUnhandledException

__crtTerminateProcess

__crtTerminateProcess

__crtSetUnhandledExceptionFilter

__crtSetUnhandledExceptionFilter

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

IMM32.dll

IMM32.dll

DeleteUrlCacheEntryW

DeleteUrlCacheEntryW

WININET.dll

WININET.dll

COMCTL32.dll

COMCTL32.dll

GetProcessHeap

GetProcessHeap

#*1892 $

#*1892 $

%,3:;4-&

%,3:;4-&

.?AVCActiveXEnum@DuiLib@@

.?AVCActiveXEnum@DuiLib@@

.?AVCWebBrowserUI@DuiLib@@

.?AVCWebBrowserUI@DuiLib@@

3?3

3?3

1-2}2

1-2}2

77t7

77t7

9":,:6:@:

9":,:6:@:

12u2

12u2

9 9$9(9,9094989

9 9$9(9,9094989

0 1@1\1|1

0 1@1\1|1

hXXp://VVV.bing.com/

hXXp://VVV.bing.com/

hXXp://VVV.yahoo.com/

hXXp://VVV.yahoo.com/

hXXp://VVV.google.com/

hXXp://VVV.google.com/

%sconf

%sconf

web/?type=dspp&

web/?type=dspp&

web/?type=dspp

web/?type=dspp

hXXp://VVV.v9.com/

hXXp://VVV.v9.com/

Itemd

Itemd

BrowserAction.dll

BrowserAction.dll

%u_%u

%u_%u

%s_%s

%s_%s

%s_X

%s_X

\\.\PhysicalDrive%d

\\.\PhysicalDrive%d

\\.\Scsi%d:

\\.\Scsi%d:

UrlEdit

UrlEdit

conf.xml

conf.xml

hXXp://v9.com/license_agreement.html

hXXp://v9.com/license_agreement.html

hXXp://v9.com/privacy_policy.html

hXXp://v9.com/privacy_policy.html

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.show.%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s

hXXp://xa.xingcloud.com/v4/searchprotect/%s?action=set.other.%s

%stmp%d.tmp

%stmp%d.tmp

urlmon.dll

urlmon.dll

main.xml

main.xml

explorer.exe

explorer.exe

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

Global\{5F26509F-29FE-4598-8800-FA22CE9CC17F}__Mutex

IeWatchDog.dll

IeWatchDog.dll

BrowerWatchFF.dll

BrowerWatchFF.dll

BrowerWatchCH.dll

BrowerWatchCH.dll

Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)

Global\GUID(6D05BFEC-4307-4649-8963-962A24345DF4)

msimg32.dll

msimg32.dll

User32.dll

User32.dll

WM_KEYDOWN

WM_KEYDOWN

WM_KEYUP

WM_KEYUP

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYUP

WM_SYSKEYUP

0xX

0xX

keyboard

keyboard

msftedit.dll

msftedit.dll

password

password

%s%s%s

%s%s%s

Correct password required

Correct password required

%s\%s

%s\%s

WebBrowser

WebBrowser

transshadow

transshadow

transshadow1

transshadow1

dest='%d,%d,%d,%d'

dest='%d,%d,%d,%d'

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

source='%d,%d,%d,%d' dest='%d,%d,%d,%d'

source='%d,%d,%d,%d' dest='%d,%d,%d,%d'

M-d-d

M-d-d

WebBrowserUI

WebBrowserUI

errorUrl

errorUrl

{D27CDB6E-AE6D-11CF-96B8-444553540000}

{D27CDB6E-AE6D-11CF-96B8-444553540000}

user32.dll

user32.dll

MSPDB110.DLL

MSPDB110.DLL

ADVAPI32.DLL

ADVAPI32.DLL

/c ping 127.0.0.1 -n 2 > nul && del /s/q

/c ping 127.0.0.1 -n 2 > nul && del /s/q

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

%Program Files% (x86)\XTab\skin\

%Program Files% (x86)\XTab\skin\

SupHPNot.exe

SupHPNot.exe

4,0,1,2253

4,0,1,2253

SupHPNty.exe

SupHPNty.exe

PCSUService.exe_604:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

SSSSSh

SSSSSh

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

127.0.0.1

127.0.0.1

C:\Projects\PCSU-SL\PCSpeedUp\Release\PCSUService.pdb

C:\Projects\PCSU-SL\PCSpeedUp\Release\PCSUService.pdb

WS2_32.dll

WS2_32.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

sqlite3_exec

sqlite3_exec

sqlite3_free

sqlite3_free

sqlite3_open16

sqlite3_open16

sqlite3_close

sqlite3_close

sqlite3_extended_result_codes

sqlite3_extended_result_codes

sqlite3.dll

sqlite3.dll

CreatePipe

CreatePipe

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

RegEnumKeyExW

RegEnumKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegDeleteKeyW

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

OLEAUT32.dll

OLEAUT32.dll

pdh.dll

pdh.dll

WinHttpCloseHandle

WinHttpCloseHandle

WinHttpOpen

WinHttpOpen

WinHttpSetTimeouts

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpConnect

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpSetOption

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpSendRequest

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetProxyForUrl

WinHttpGetProxyForUrl

WinHttpWriteData

WinHttpWriteData

WinHttpReceiveResponse

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReadData

WINHTTP.dll

WINHTTP.dll

Secur32.dll

Secur32.dll

GetCPInfo

GetCPInfo

PeekNamedPipe

PeekNamedPipe

zcÁ

zcÁ

.PA_W

.PA_W

1&282R2

2,2f2
2,2 3@3g3w3
= =7=?={=
?$?(?,?0?4?8?@?
0(0/04080
0&1,1014181
5#5(575^5
7.747(8?849
8 8$8(8,808
? ?$?(?,?0?4?8?@?
2 2$2(2,20242
srclient.dll
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
PCSUService-Timer.log
Wevtapi.dll
ERROR: GetWindowsBoottimes(): could not load Wevtapi.dll
Subscribing for Microsoft-Windows-Diagnostics-Performance/Operational - Event/System[EventID=100]
Microsoft-Windows-Diagnostics-Performance/Operational
ntdll.dll
ERROR: WaitUntilSystemIdle(): could not load Wevtapi.dll
ERROR: InitializePerformanceCounters(): check the registry keys in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
iexplore.exe
firefox.exe
chrome.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
RemoveExeImageHook(%s)...
DeleteValue failed: %d
DeleteKey failed: %d
registry key is not empty!
HKEY_LOCAL_MACHINE
ERROR: ProcessHelper.Start: hChildProcess != NULL
CreateOutputPipe
CreateInputPipe
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
RegistryHelper::GetValue():RegOpenKeyEx()
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
WinHttpClient
3.9.8.0
dddddd.d000
WindowsBoottimes
|userlogin|
PCSUBootTimes.log
,"LoginToIdle":
INSERT OR REPLACE INTO Boots(Idle, LoginToIdle, WinlogonToIdle, UptimeAtIdle, USBCacheActive) VALUES('
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
/update.aspx?uniqueID=
\PCSpeedUp-Silent-Update.exe
/SP- /VERYSILENT /updateMode=true /LOG=update.log /countryCode=
HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up
ERROR:RegistryHelper::CreateValue(HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up, UpdateChecked):
FileUploader.exe
Checking HKEY_CURRENT_USER\Software\Speedchecker Limited\PC Speed Up key for USBCacheFill value...
DELETE FROM UC_STAT WHERE file LIKE '%.sys';
DELETE FROM UC_STAT WHERE file LIKE '%.tmp' AND read_counter
DELETE FROM UC_STAT WHERE file NOT LIKE '%.exe%' AND file NOT LIKE '%.dll%' AND read_counter=1;
hXXp://VVV.pcspeeduplog.com/1/inputs/http?index=cc9534a2adc111e286841231390e9c34&sourcetype=service
PCSUService: WinHttpClient.SendHttpRequest():
PCSUService: SendHTTPRequestAsync:
PCSUSD.exe
PCSUUCC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Speedchecker Limited\PC Speed Up
PCSUService.exe
PCSUQuickScan.exe
hXXp://qslimit.pcspeedup.co/qs_limit.aspx?productID=1&uniqueID=
SendHttpRequest
PCSUSpeedTest.exe
hXXp://VVV.pcsuapi.com
hXXp://VVV.pcsuapi.net
hXXp://VVV.pcsuservice.com
hXXp://VVV.pcsuapi.info
hXXp://VVV.pcsuapi.org
hXXp://VVV.sdapi.co
hXXp://VVV.sdltdapi.com
hXXp://VVV.sdservice.co
hXXp://VVV.sdltdapi.net
/featurelimit.aspx?productID=1&uniqueID=
PCSUSpeedTestGUI.exe
PCSUSpeedTest.exe /L /S
PCSUSpeedTestWifi.exe
PCSUSpeedTest.exe /L /SL
RegistryHelper.SetValue
RegistryHelper.DeleteValue
RegistryHelper.CreateKey
RegistryHelper.DeleteKey
SysUtils.SetRestorePoint
IOHelper.FileCopy
IOHelper.Delete
Process.Start
The Process.Start didn't receive 7 arguments.
Process.HasExited
The Process.HasExited didn't receive 2 arguments.
Process.Stop
The Process.Stop didn't receive 2 arguments.
Process.Terminate
DB.ExecuteNonQuery
The DB.ExecuteNonQueryEx didn't receive the query/sql to execute.
DB.ExecuteScalar
The DB.ExecuteScalarEx didn't receive the query/sql to execute.
DB.ExecuteReader
The DB.ExecuteReader didn't receive the query/sql to execute.
NetworkHelper.GetAllMACAddresses
Service.Start
Service.Stop
Remove.IFEO
PCSUSD.Scan
PCSUSD.Enable
PCSUSD.Disable
Process.CheckBrowsers
PCSUUCC.Scan
PCSUUCC.Refresh
PCSUUCC.Update
PCSUUCC.Clean
PCSUUCC.Fill
PCSUUCC.Install
PCSpeedUp.sys"
PCSUUCC.Uninstall
PCSUUCC.On
PCSUUCC.Off
PCSUUCC.Status
PCSUUCC.Usage
cmd /c PCSUUCC.exe /usage > CacheUsage.txt
PCSUService.SpeedTest
PCSUService.SpeedTestWifi
HTTP.Send
server_port
PCSUService.conf
service status: PID = %d, state = %s, CheckPoint = %d, WaitHint = %d
EnumDependentServices failed (err=%d)
Stop dependent service "%s"...
OpenService failed (err=%d)
ControlService failed (err=%d)
QueryServiceStatusEx failed (err=%d)
Timeout! (%d sec)
StartService(%s)...
ERROR! OpenSCManager failed! (err=%d)
ERROR! OpenService(%s) failed! (err=%d)
ERROR! StartService failed! (err=%d)
ERROR! QueryServiceStatusEx failed (err=%d)
Current State: %d
Exit Code: %d
Check Point: %d
Wait Hint: %d
StopService(%s)...
Service stop timed out. (%d sec)
ERROR! StopDependentServices failed! (err = %d)
ERROR! ControlService failed (err=%d)
Wait timed out (%d sec)
ExecuteNonQuery: sqlite3_exec:
ExecuteScalar: sqlite3_exec:
ExecuteReader: sqlite3_exec:
LocalExecuteNonQuery: sqlite3_exec:
LocalExecuteScalar: sqlite3_exec:
LocalExecuteReader: sqlite3_exec:
sqlite3_open16:
sqlite3_close:
PRAGMA foreign_keys = ON;
SELECT DISTINCT s.ID, s.ValueName, s.ValueData, l.Path, s.ValueType FROM Startups s, ScanStartupApplications ssa, Locations l WHERE (s.Action = 2) AND (s.ID = ssa.IDStartup) AND (ssa.IDLocation = l.ID) ORDER BY s.ValueType DESC;
hXXp://VVV.safedownloadapi.com
ERROR:CheckUpdateURL():ResponseContent:
%Program Files% (x86)\PC Speed Up\PCSUService.exe
nssCF71.tmp_3176:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp
inetc.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp\inetc.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
8!8-8B8I8}8
^2S%S
nse5ACF.tmp
s\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi84CA.tmp
Users\"%CurrentUserName%"\AppData\Local\Temp\nse5ACF.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF71.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
nssCF71.tmp
ers\"%CurrentUserName%"\AppData\Local\Temp\nsi84C8.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
Nullsoft Install System v2.46
SpeedCheckerService.exe_2188_rwx_00D00000_0000F000:
.EelP
x.elP
?.elP
nssCF72.tmp_3656:
.text
`.rdata
@.data
.rsrc
@.reloc
xSSSh
FTPjKS
FtPj;S
C.PjRV
portuguese-brazilian
operator
GetProcessWindowStation
C:\dev\src\dl_generic_library\helpers\voping\voping_cpp\Release\voping_cpp.pdb
KERNEL32.dll
HttpSendRequestW
HttpOpenRequestW
WININET.dll
WinHttpCrackUrl
WINHTTP.dll
GetCPInfo
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCF72.tmp
3(3/394@4
8#:0:9:|:
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
,hXXp://sstatic1.histats.com/0.gif?%u&101
DTLite4461-0327.exe_3840:
.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
ÒHh
.oulj_
yTCP
S%CXm
-0VA}
.text0
`.reloc
@.rsrc
@.reloc
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
InstallOptions.dll
Nullsoft Install System v2.46-Unicode
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|/":
s\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll
s.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp\setuphlp.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso530.tmp
RegPagePaidInfo.ini
disc-soft.com account:
o530.tmp\setuphlp.dll
All Files|*.*
nso530.tmp
fo.ini
Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe"
secure.disc-soft.com/payment/dtLite,1
ted in your e-mail receipt from disc-soft.com or in your disc-soft.com account:
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe"
%Program Files% (x86)\DAEMON Tools Lite
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a
DTLite4461-0327.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nso4E0.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\exe\261dd182d36861fec9a217cc812a9f9a\DTLite4461-0327.exe
470417835
1508098
-1693842398
4129502
Windows Gadget
Integrate with Windows Explorer
SCSI Pass Through Direct (SPTD) layer is needed for Advanced Emulation features.
Windows Gadget for quick access to main DAEMON Tools functionalities from Desktop.
4260574
4326110
4.46.1.0327.0
DAEMON Tools Lite4.46.1.0327.exe
3a3>