mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8f0dd6d56f6866b5ed1effe628d7c71b
SHA1: d0a873671d6d897aa0fad6b58a35ff6f3824d9e1
SHA256: e9fcdfee321934b560bdac6557438ca011de84e4583a12f23e73eea713b0906e
SSDeep: 24576:ExGDhqy1fkXC6jBNrrDT8oQWT5cgvzxP8SCUO:pNqrCQvFjrDCUO
Size: 1079328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2013-10-13 11:19:32
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
aff_setup.exe:2808
thirdpartyinstaller.exe:1176
%original file name%.exe:2008
8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220
pm-standalone-setup.exe:2420
pm-standalone-setup.tmp:888
dd2a5f4929d14f419028f48e1839521d766015.exe:1632
OLBPre.exe:2904
pc-mechanic.exe:2708
The Worm injects its code into the following process(es):
pc-mechanic.exe:2024
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process aff_setup.exe:2808 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_1405.pdf (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd2a5f4929d14f419028f48e1839521d766015.exe (91153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_1628.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw93A9.tmp (7291 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_8198.dat (784 bytes)
The process thirdpartyinstaller.exe:1176 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (176 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)
The process %original file name%.exe:2008 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-3OBPR.tmp\8f0dd6d56f6866b5ed1effe628d7c71b.tmp (50 bytes)
The process 8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\myPCBackup_dot_com_logo_245x53.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (41394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\aff_setup[1].exe (42672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\uniblue_product_logo_50x50_white_background.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\checkmark_10x8.bmp (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\pcmechanicpm-standalone-setup[1].exe (5665064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\pm-standalone-setup.exe (5425549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #001.txt (23254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\windows8_with_innovation.bmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\microsoft_partner.bmp (53 bytes)
The process pm-standalone-setup.exe:2420 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J194S.tmp\pm-standalone-setup.tmp (50 bytes)
The process pm-standalone-setup.tmp:888 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-L5TB4.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-D42IV.tmp (20504 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-VO3E7.tmp (35285 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-LQCTJ.tmp (114305 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-T38DQ.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-4VGDV.tmp (197872 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-8MILD.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2BQ2S.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-81TR2.tmp (3361 bytes)
C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-C2PRA.tmp (13 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-G88F5.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-MALHE.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-KQQMD.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1EKH1.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-65M8L.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-BQT7R.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-1MPBL.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-3U8HG.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-1HAGF.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8UFQG.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-TT2MJ.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #002.txt (460554 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-KV1T1.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-03EBF.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-BI3OR.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-I7C42.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-K89A0.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\license.en.rtf (26 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-4O73U.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-1NT3A.tmp (524 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-DG0QA.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-0LHNU.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-JJR23.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-277QT.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\windows8_with_innovation.bmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-LQ5K1.tmp (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4UCCP.tmp (112 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-NRGN6.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-E9LUF.tmp (10 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-N1UL8.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-ETSB4.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-73U4E.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-4B2SS.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-48U0H.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-IGR6O.tmp (28498 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2B2SF.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8GN06.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\printer.bmp (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-94UBV.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-RVIJM.tmp (601 bytes)
The process dd2a5f4929d14f419028f48e1839521d766015.exe:1632 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\OLBPre\it_IT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\OLBPre\uninst.exe (1026 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw9FD9.tmp (54650 bytes)
%Program Files% (x86)\OLBPre\de_DE.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\OLBPre\es_ES.mo (1856 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe.config (203 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe (35833 bytes)
%Program Files% (x86)\OLBPre\fr_FR.mo (1856 bytes)
%Program Files% (x86)\OLBPre\pt_PT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\OLBPre\brand.jdat (17848 bytes)
%Program Files% (x86)\OLBPre\LinqBridge.dll (1856 bytes)
The process OLBPre.exe:2904 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\OLBPre\state.jdat (428 bytes)
%Program Files% (x86)\OLBPre\aff.jdat (140 bytes)
The process pc-mechanic.exe:2024 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6914 bytes)
The process pc-mechanic.exe:2708 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (825 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6093 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)
Registry activity
The process 8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallerBuiltWithOffers" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "A3 F7 D6 A7 26 77 D0 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionTime" = "A3 F7 D6 A7 26 77 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"
"WpadNetworkName" = "Network"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process pm-standalone-setup.tmp:888 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Icon Group" = "Uniblue\PC Mechanic"
[HKCR\pc-mechanic]
"URL Protocol" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"NoModify" = "1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"EstimatedSize" = "62107"
"InstallDate" = "20150415"
"Comments" = "Uninstall PC Mechanic"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"UnitID" = "4010"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MinorVersion" = "0"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"EcommercePlatform" = "cleverbridge"
[HKCR\pc-mechanic\DefaultIcon]
"(Default)" = "pc-mechanic.exe,1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Deselected Tasks" = ""
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe /SILENT"
"DisplayVersion" = "1.0.5.0"
"URLUpdateInfo" = "http://uniblue.com/software/pcmechanicpm/updates/"
"UninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe"
[HKCR\pc-mechanic]
"(Default)" = "URL:PC-Mechanic Protocol"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MajorVersion" = "1"
"DisplayName" = "PC Mechanic"
"Publisher" = "Uniblue Systems Limited"
"HelpLink" = "http://www.uniblue.com/support/manuals/"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallDate" = "2015-04-15"
[HKCR\pc-mechanic\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe --serial=%1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Setup Version" = "5.5.4 (u)"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl" = "http://www.uniblue.com/cm/marimedia-an/pcmechanicpm/an_row_01/purchase/"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"URLInfoAbout" = "http://www.uniblue.com/support/"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"lang" = "en"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\PC-Mechanic"
The Worm deletes the following value(s) in system registry:
[HKCR\pc-mechanic]
"URL Protocol"
[HKCR\pc-mechanic\DefaultIcon]
"(Default)"
[HKCR\pc-mechanic]
"(Default)"
[HKCR\pc-mechanic\shell\open\command]
"(Default)"
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl"
"InstalledLocation"
The process dd2a5f4929d14f419028f48e1839521d766015.exe:1632 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\PUPautoinsaller_v1.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsSCM.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayVersion" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayName" = "MyPC Backup"
"DisplayIcon" = "%Program Files% (x86)\OLBPre\uninst.exe"
"Publisher" = "MyPC Backup"
"HelpLink" = "http://support.mypcbackup.com"
"URLInfoAbout" = "http://www.mypcbackup.com"
"UninstallString" = "%Program Files% (x86)\OLBPre\uninst.exe"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process pc-mechanic.exe:2024 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
The process pc-mechanic.exe:2708 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
Dropped PE files
MD5 | File path |
---|---|
e5cc3997457cd365e43c19f0f9110148 | c:\Program Files (x86)\OLBPre\LinqBridge.dll |
40208211ef9aa6fd25712f8f0850c9b2 | c:\Program Files (x86)\OLBPre\OLBPre.exe |
660605e24b0cf1068bfbb4a4ec647652 | c:\Program Files (x86)\OLBPre\uninst.exe |
2ae42712f67f30dfeb9b7ae8798e1c29 | c:\Program Files (x86)\Uniblue\PC-Mechanic\InstallerExtensions.dll |
6de5c66e434a9c1729575763d891c6c2 | c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcp90.dll |
e7d91d008fe76423962b91c43c88e4eb | c:\Program Files (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\msvcr90.dll |
5434e18b933e03f274d8da59fda4c676 | c:\Program Files (x86)\Uniblue\PC-Mechanic\icudt.dll |
28888738b5521923a244fac763767db4 | c:\Program Files (x86)\Uniblue\PC-Mechanic\libcef.dll |
a681d994fefa6865b181937c97688c96 | c:\Program Files (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe |
718355a4c81fdae7e890292ed04c0dac | c:\Program Files (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe |
5bf98032f3b5ac20ed8160d9a183baff | c:\Program Files (x86)\Uniblue\PC-Mechanic\unins000.exe |
6843e5f8e199b000decdb9ef0cb74b3f | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\pcmechanicpm-standalone-setup[1].exe |
1880b2782d67fd2a085fb7d100dac569 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\aff_setup[1].exe |
1880b2782d67fd2a085fb7d100dac569 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe |
c40ba3b952382be22efdb2ce180b5233 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd2a5f4929d14f419028f48e1839521d766015.exe |
2ae42712f67f30dfeb9b7ae8798e1c29 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\InstallerExtensions.dll |
526426126ae5d326d0a24706c77d8c5c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_setup64.tmp |
92dc6ef532fbb4a5c3201469a5b5eb63 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_shfoldr.dll |
6843e5f8e199b000decdb9ef0cb74b3f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\pm-standalone-setup.exe |
62efa7b730eb0523a026ea4325403b77 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsSCM.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
aff_setup.exe:2808
thirdpartyinstaller.exe:1176
%original file name%.exe:2008
8f0dd6d56f6866b5ed1effe628d7c71b.tmp:2220
pm-standalone-setup.exe:2420
pm-standalone-setup.tmp:888
dd2a5f4929d14f419028f48e1839521d766015.exe:1632
OLBPre.exe:2904
pc-mechanic.exe:2708
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_1405.pdf (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd2a5f4929d14f419028f48e1839521d766015.exe (91153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_1628.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw93A9.tmp (7291 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl93B9.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_8198.dat (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (176 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-3OBPR.tmp\8f0dd6d56f6866b5ed1effe628d7c71b.tmp (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\myPCBackup_dot_com_logo_245x53.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USU4CORO\aff_setup[1].exe (42672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\uniblue_product_logo_50x50_white_background.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\checkmark_10x8.bmp (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SH2TVRCI\pcmechanicpm-standalone-setup[1].exe (5665064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\pm-standalone-setup.exe (5425549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #001.txt (23254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\windows8_with_innovation.bmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-6FU40.tmp\microsoft_partner.bmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J194S.tmp\pm-standalone-setup.tmp (50 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-L5TB4.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-D42IV.tmp (20504 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-VO3E7.tmp (35285 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-LQCTJ.tmp (114305 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-T38DQ.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-4VGDV.tmp (197872 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-8MILD.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2BQ2S.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-81TR2.tmp (3361 bytes)
C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-C2PRA.tmp (13 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-G88F5.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-MALHE.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-KQQMD.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-1EKH1.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-65M8L.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-BQT7R.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-1MPBL.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-3U8HG.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-1HAGF.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8UFQG.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-TT2MJ.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-04-15 #002.txt (460554 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-KV1T1.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-03EBF.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-BI3OR.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-I7C42.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-K89A0.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\license.en.rtf (26 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-4O73U.tmp (4545 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-1NT3A.tmp (524 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-DG0QA.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-0LHNU.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-JJR23.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-277QT.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\windows8_with_innovation.bmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-LQ5K1.tmp (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-4UCCP.tmp (112 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-NRGN6.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-E9LUF.tmp (10 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-N1UL8.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-ETSB4.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-73U4E.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-4B2SS.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-48U0H.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-IGR6O.tmp (28498 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-2B2SF.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-8GN06.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-EJ8OV.tmp\printer.bmp (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-94UBV.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-RVIJM.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsSCM.dll (13 bytes)
%Program Files% (x86)\OLBPre\it_IT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\OLBPre\uninst.exe (1026 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw9FD9.tmp (54650 bytes)
%Program Files% (x86)\OLBPre\de_DE.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\OLBPre\es_ES.mo (1856 bytes)
%Program Files% (x86)\OLBPre\OLBPre.exe.config (203 bytes)
%Program Files% (x86)\OLBPre\fr_FR.mo (1856 bytes)
%Program Files% (x86)\OLBPre\pt_PT.mo (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl9FE9.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\OLBPre\brand.jdat (17848 bytes)
%Program Files% (x86)\OLBPre\LinqBridge.dll (1856 bytes)
%Program Files% (x86)\OLBPre\state.jdat (428 bytes)
%Program Files% (x86)\OLBPre\aff.jdat (140 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (6914 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (825 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Uniblue Systems Limited
Product Name: PC Mechanic
Product Version: 1.0.5.0
Legal Copyright: Copyright (c) Uniblue Systems Limited
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.0
File Description: PC Mechanic Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 61740 | 61952 | 4.43024 | 3a126e478661f20816f9d9285615f98e |
.itext | 69632 | 2884 | 3072 | 3.97317 | ba48b9b17b3dd8b92da3bd93f20ddb34 |
.data | 73728 | 3208 | 3584 | 1.55702 | d7fd5f4b562d7961758f3d6a8c834fd0 |
.bss | 77824 | 22196 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 102400 | 3536 | 3584 | 3.44625 | 93d91a2b90e60bd758fc0c4908856ae1 |
.tls | 106496 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 110592 | 24 | 512 | 0.14174 | 3dffc444ccc131c9dcee18db49ee6403 |
.rsrc | 114688 | 240000 | 240128 | 3.69358 | 7e28261598c4cda6808201dd42c647ce |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 159
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: track.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 301 Moved Permanently
Date: Wed, 15 Apr 2015 02:49:18 GMT
Server: Apache
Set-Cookie: SESSID=d9spekf2n5b71ug4pm2120ms25; path=/; domain=.mypcbackup.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: 748a7624422584634822bd3a2bf604ae=4cfceb115c4a698cc6e6dcfc4ed60f30; expires=Thu, 13-Aug-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com
Set-Cookie: intc=1; expires=Thu, 16-Apr-2015 02:49:18 GMT; path=/; domain=.mypcbackup.com
P3P: CP="We do not have a P3P policy"
location: hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe
Set-Cookie: aff_id=67333; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_name=MaxiDisk1; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hop_id=97175; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: hash=5e234192e97f23d956a71adc69f7cd0d; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: tid=PC-Mechanic; expires=Fri, 15-May-2015 05:59:59 GMT; path=/; domain=mypcbackup.com
Set-Cookie: 9bf5853aunique=true; expires=Tue, 14-Jul-2015 02:49:18 GMT; path=/; domain=mypcbackup.com
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=366969, public, no-transform, must-revalidate
Last-Modified: Sun, 12 Apr 2015 08:45:09 GMT
Expires: Sun, 19 Apr 2015 08:45:09 GMT
Date: Wed, 15 Apr 2015 02:52:18 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDi14wrtdPbNBdjyDxjokeI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=547829, public, no-transform, must-revalidate
Last-Modified: Tue, 14 Apr 2015 11:00:03 GMT
Expires: Tue, 21 Apr 2015 11:00:03 GMT
Date: Wed, 15 Apr 2015 02:52:18 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 791500626200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Wed, 15 Apr 2015 02:51:55 GMT
Connection: keep-alive
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?4379edd6935cb292 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
Accept-Ranges: bytes
ETag: "80b4d90ca4fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 48151
Date: Wed, 15 Apr 2015 02:51:55 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
Accept-Ranges: bytes
ETag: "a1132b8ef65d01:0"
Server: Microsoft-IIS/8.0
VTag: 438176043100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Wed, 15 Apr 2015 02:51:25 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
Accept-Ranges: bytes
ETag: "dde36a309c58d01:0"
Server: Microsoft-IIS/8.0
VTag: 438569342300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Wed, 15 Apr 2015 02:51:25 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
Accept-Ranges: bytes
ETag: "cf2633d6957d01:0"
Server: Microsoft-IIS/8.5
VTag: 438481415700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Wed, 15 Apr 2015 02:51:25 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=551815, public, no-transform, must-revalidate
Last-Modified: Tue, 14 Apr 2015 12:05:24 GMT
Expires: Tue, 21 Apr 2015 12:05:24 GMT
Date: Wed, 15 Apr 2015 02:52:30 GMT
Connection: keep-alive
<<< skipped >>>
GET /aff_setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: cdn.backupgrid.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 02:48:55 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
x-amz-id-2: anR9HUoOMrBxJsv8rYV6HyE1PYWBM5fKI67JOW9Tc8613XuTvoQEdNhdH4sYmkim9K/Xad7PP88=
x-amz-request-id: 9AEF7D8D6192CF39
Last-Modified: Wed, 15 Apr 2015 02:22:52 GMT
ETag: W/"1880b2782d67fd2a085fb7d100dac569"
Server: NetDNA-cache/2.2
X-Cache: HIT
Content-Encoding: gzip
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=552895, public, no-transform, must-revalidate
Last-Modified: Tue, 14 Apr 2015 12:25:08 GMT
Expires: Tue, 21 Apr 2015 12:25:08 GMT
Date: Wed, 15 Apr 2015 02:52:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=601588, public, no-transform, must-revalidate
Last-Modified: Wed, 15 Apr 2015 01:55:09 GMT
Expires: Wed, 22 Apr 2015 01:55:09 GMT
Date: Wed, 15 Apr 2015 02:52:31 GMT
Connection: keep-alive
POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7
{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_completed", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:32 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: Close
{. "status": "OK".}..
GET /MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: cdn.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 02:48:59 GMT
Content-Type: application/octet-stream
Content-Length: 1119486
Connection: close
x-amz-id-2: B2Z6KnHVyIRktoKQruR3484H8tUq eQY r8AbD5BtFthUxD2LTN49un8X3yTRASaK5dxCU0vrSc=
x-amz-request-id: B93EA96792185D31
Last-Modified: Tue, 14 Apr 2015 23:57:04 GMT
ETag: "c40ba3b952382be22efdb2ce180b5233"
Server: NetDNA-cache/2.2
X-Cache: HIT
GET /?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: track.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 301 Moved Permanently
Date: Wed, 15 Apr 2015 02:49:17 GMT
Server: Apache
Set-Cookie: SESSID=3esumcv6st2sv6bl836ot9ran6; path=/; domain=.backupgrid.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net
Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net
Set-Cookie: LC_CURRENCY=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net
Set-Cookie: ?uva6aT*=US; expires=Sat, 25-Apr-2015 02:49:17 GMT; path=/; domain=.backupgrid.net
location: hXXp://track.mypcbackup.com/?partner_id=1&hash=9bf5853a&tid=PC-Mechanic&dl=MyPCBackup_ppi_Setup.exe
Content-Length: 0
Content-Type: text/html; charset=UTF-8
POST /v1/track HTTP/1.1
Accept-Encoding: identity
Content-Length: 111
Host: tracking.uniblue.com
Content-Type: application/json
Connection: close
User-Agent: Python-urllib/2.7
{"recipient": "uniblue.pm-1_0_5_0.web", "event": "prod.pm.mypcbackup_offer_install_initiated", "client_id": ""}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:28 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: Close
{. "status": "OK".}..
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1f09e3a75e6cdb42 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
Accept-Ranges: bytes
ETag: "804047d4e66d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6384
Date: Wed, 15 Apr 2015 02:51:24 GMT
Connection: keep-alive
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 141
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.third_party_offer_not_shown","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:59 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:01 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 130
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:17 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 131
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.standalone","client_id":"","event":"prod.pm.install_completed","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:25 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
GET /pm/version.txt?from=1.0.5.0 HTTP/1.1
Accept-Encoding: identity
Host: update.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 302 Found
Cache-Control: max-age=600
Content-Type: text/plain
Date: Wed, 15 Apr 2015 02:49:16 GMT
Location: hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt
Server: openresty/1.5.8.1
Content-Length: 69
Connection: Close
hXXp://pm.uniblue.com.s3.amazonaws.com/latest_updates/application.txt..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 132
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_accepted","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:20 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 143
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_download_initiated","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:09 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 132
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_included","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:09 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 130
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_shown","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:15 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 133
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.third_party_offer_accepted","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:20 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 142
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_started","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:21 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 142
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_download_initiated","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:09 GMT
Server: ngx_openresty/1.2.6.6
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: VVV.uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/plain
Date: Wed, 15 Apr 2015 02:49:17 GMT
Server: ngx_openresty
Content-Length: 3
Connection: Close
UA...
GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: download.uniblue.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Wed, 15 Apr 2015 02:48:26 GMT
Location: hXXp://d21bsqatndqkg8.cloudfront.net/product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe
Server: openresty/1.5.8.1
Content-Length: 166
Connection: keep-alive
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>openresty/1.5.8.1</center>..</body>..</html>..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=400136, public, no-transform, must-revalidate
Last-Modified: Sun, 12 Apr 2015 18:00:33 GMT
Expires: Sun, 19 Apr 2015 18:00:33 GMT
Date: Wed, 15 Apr 2015 02:52:13 GMT
Connection: keep-alive
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 123
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_launched","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:39 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 129
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.mypcbackup_offer_shown","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:45 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 122
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_started","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:51:49 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
POST /v1/collect HTTP/1.1
Connection: Keep-Alive
Content-Type: application/json; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 144
Host: tracking.uniblue.com
{"recipient":"uniblue.pm-1_0_5_0.web","client_id":"","event":"prod.pm.install_standalone_download_completed","buildtest_id":"","unit_id":"4010"}
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 15 Apr 2015 02:52:24 GMT
Server: ngx_openresty
Content-Length: 20
Connection: keep-alive
{. "status": "OK".}..
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "4313801b45e80b5b006d195679f28274:1427247615"
Last-Modified: Wed, 25 Mar 2015 01:40:15 GMT
Date: Wed, 15 Apr 2015 02:52:10 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=347790, public, no-transform, must-revalidate
Last-Modified: Sun, 12 Apr 2015 03:24:51 GMT
Expires: Sun, 19 Apr 2015 03:24:51 GMT
Date: Wed, 15 Apr 2015 02:52:09 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=381927, public, no-transform, must-revalidate
Last-Modified: Sun, 12 Apr 2015 12:55:22 GMT
Expires: Sun, 19 Apr 2015 12:55:22 GMT
Date: Wed, 15 Apr 2015 02:52:10 GMT
Connection: keep-alive
GET /api/v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: uniblue.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Wed, 15 Apr 2015 02:49:17 GMT
Location: hXXp://VVV.uniblue.com/api/v1/geo/country-code
Server: ngx_openresty
Content-Length: 178
Connection: Close
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=536559, public, no-transform, must-revalidate
Last-Modified: Tue, 14 Apr 2015 07:54:56 GMT
Expires: Tue, 21 Apr 2015 07:54:56 GMT
Date: Wed, 15 Apr 2015 02:52:17 GMT
Connection: keep-alive
GET /latest_updates/application.txt HTTP/1.1
Accept-Encoding: identity
Host: pm.uniblue.com.s3.amazonaws.com
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 200 OK
x-amz-id-2: SoJghxWLedS/9C4NrB7rOj0hzmQ7JK8P9h/Vqt2M51Pf4Fs8aGl3xt6XoK68r6U7aSuQtVdQzgQ=
x-amz-request-id: 3464D2CED7A40B3E
Date: Wed, 15 Apr 2015 02:49:18 GMT
Cache-Control: max-age=86400, public
Last-Modified: Tue, 24 Mar 2015 09:46:29 GMT
ETag: "7afc8227ca4783a30e4f834d1815a2fe"
Accept-Ranges: bytes
Content-Type: text/plain
Content-Length: 7
Server: AmazonS3
1.0.5.0..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=566269, public, no-transform, must-revalidate
Last-Modified: Tue, 14 Apr 2015 16:10:00 GMT
Expires: Tue, 21 Apr 2015 16:10:00 GMT
Date: Wed, 15 Apr 2015 02:52:11 GMT
Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder..20150414161000Z0s0q0I0... ........?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....20150414161000Z....20150421161000Z0...*.H.............d.9. SV.a)Jt..5..\..qe.`8..C!yX.OY.~Y<...p.|.5*..U.p.:1....h....V. 3#`..&\.Z.o.DI{...rCJ.W.2.dS....YZS..y.......Lb..&........Y..6uc....s....U.Z.....J.V.]...W.$........$D..02&.L&L..F/P........|.a.?. SN..^.........hh.9........@..*P.8...M`......KX[....z...r......0...0...0..{.........[..I|.....Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W....n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|..........k
<<< skipped >>>
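The GET above is an RFC 6960 OCSP request sent by Microsoft-CryptoAPI: the URL path is the base64-encoded DER OCSPRequest, and the responder it is addressed to belongs to the VeriSign Class 3 Code Signing 2004 CA, so this is CryptoAPI checking a code-signing certificate chain during the install. Decoding the request tells you exactly which certificate was checked (issuer name hash, issuer key hash and serial number) without having to read the binary response body. The decoder below is an added example, not code from the report or from the analyzed software; it embeds the path exactly as captured above, and the minimal DER walker and the OID-to-name table are mine.

```python
import base64
import urllib.parse

# OCSP GET path exactly as captured in the report above (request to ocsp.verisign.com).
OCSP_GET_PATH = (
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+"
    "PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk="
)

# Hash algorithms commonly seen in CertID.hashAlgorithm (OID -> short name).
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}


def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]; handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode the value bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of a base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(path):
    """Decode an RFC 6960 GET-style OCSP request (base64 DER in the URL path) into its CertID.

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, ... }
    TBSRequest  ::= SEQUENCE { [0] version OPTIONAL, [1] requestorName OPTIONAL,
                               requestList SEQUENCE OF Request, ... }
    Request     ::= SEQUENCE { reqCert CertID, ... }
    CertID      ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
    """
    raw = base64.b64decode(urllib.parse.unquote(path.lstrip("/")))
    tag, ocsp_request, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("not an OCSPRequest SEQUENCE")
    _, tbs, _ = read_tlv(ocsp_request)                 # tbsRequest
    pos = 0
    while True:                                        # skip optional [0] / [1] tagged members
        tag, body, nxt = read_tlv(tbs, pos)
        if tag == 0x30:
            request_list = body
            break
        pos = nxt
    _, request, _ = read_tlv(request_list)             # first (here the only) Request
    _, cert_id, _ = read_tlv(request)                  # CertID
    _, alg_id, pos = read_tlv(cert_id)                 # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id)
    _, issuer_name_hash, pos = read_tlv(cert_id, pos)  # OCTET STRING
    _, issuer_key_hash, pos = read_tlv(cert_id, pos)   # OCTET STRING
    _, serial, _ = read_tlv(cert_id, pos)              # INTEGER (raw DER value bytes kept as-is)
    oid_text = decode_oid(oid)
    return {
        "hash_algorithm": HASH_OIDS.get(oid_text, oid_text),
        "issuer_name_hash": issuer_name_hash.hex(),
        "issuer_key_hash": issuer_key_hash.hex(),
        "serial_number": serial.hex(),
    }


if __name__ == "__main__":
    for key, value in parse_ocsp_get(OCSP_GET_PATH).items():
        print(f"{key}: {value}")
```

The hash algorithm in CertID is SHA-1 here, which is normal: it only identifies the issuer, it is not a signature. The issuer key hash and serial number are what you match against the certificate chain of the downloaded installer, or against a blocklist, when deciding whether this OCSP traffic belongs to the sample's own signature check or to a certificate it dropped.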
GET /v1/geo/country-code HTTP/1.1
Accept-Encoding: identity
Host: api.uniblue.net
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Wed, 15 Apr 2015 02:52:40 GMT
Location: hXXp://uniblue.com/api/v1/geo/country-code
Server: nginx/1.1.19
Content-Length: 161
Connection: Close
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx/1.1.19</center>..</body>..</html>....
GET /product/pm/1.0.5.0/pcmechanicpm-standalone-setup.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Connection: Keep-Alive
Host: d21bsqatndqkg8.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 18839984
Connection: keep-alive
Date: Wed, 18 Mar 2015 10:47:04 GMT
Cache-Control: max-age=86400, public
Last-Modified: Wed, 18 Mar 2015 10:32:55 GMT
ETag: "6843e5f8e199b000decdb9ef0cb74b3f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 70625
X-Cache: Hit from cloudfront
Via: 1.1 3634ed11ef3267122afd0504d98e1154.cloudfront.net (CloudFront)
X-Amz-Cf-Id: zs_A_t7uG_wvmesVxe0Cn64uv7H25O7VX_HWxljXIFa4km12Jrc50w==
[binary response body, 18839984 bytes, not reproduced: MZ/PE executable with the "This program must be run under Win32" stub, Delphi-compiled (MZP signature, .itext section, RTTI names AnsiChar, string, AnsiString, TObject); sections .text, .itext, .data, .bss, .idata, .tls, .rdata, .rsrc]
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
pc-mechanic.exe_2024:
.text
`.rdata
@.data
.rsrc
tCPV
USER32.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
KERNEL32.dll
windows_exe
%s\%s
PYTHON27.DLL
zlib.pyd
ZLIB.PYD
Not enough space for new sys.path
no mem for late sys.path
PY2EXE_VERBOSE
PyImport_ImportModule
PyExc_ImportError
PyImport_AddModule
undefined symbol %s -> exit(-1)
Importer which can load extension modules from memory
s#sss:import_module
MemoryLoadLibrary failed loading %s
Could not find function %s
import_module
import_module(code, initfunc, dllname[, finder]) -> module
_memimporter
%Program Files% (x86)\Uniblue\PC-Mechanic\library.dat
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe
%Program Files% (x86)\Uniblue\PC-Mechanic
pc-mechanic.exe
library.dat
windows_exet
.logc
The logfile '%s' could not be opened:
See the logfile '%s' for details(
%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyR
%Program Files% (x86)\Jenkins\jobs\PM\workspace\env\py_venv\lib\site-packages\py2exe-0.6.9-py2.7-win32.egg\py2exe\boot_common.pyt
zipextimportert
R$
library.dats
app.main(
joint
__import__t
bootstrap_main.pyR$
332222##
%%cxaax
`>>>>=>`
\4544545454545444
C.yLF
xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
1.0.5.0
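The strings in this dump (PYTHON27.DLL, _memimporter, library.dat, the py2exe-0.6.9 boot_common.py path, PY2EXE_VERBOSE, app.main) show that pc-mechanic.exe is a py2exe 0.6.9 bundle of a Python 2.7 program, and the Jenkins workspace path is the build machine's directory layout shipped inside the binary. py2exe 0.6.x keeps the startup scripts as marshalled code objects in an RT_RCDATA resource named PYTHONSCRIPT, behind a small header (tag 0x78563412, optimize flag, unbuffered flag, payload length, NUL-terminated archive name), and loads application modules from the zip archive named there, here library.dat. The parser below is an added example and is not code from the report or from the analyzed software; the sample blob is constructed inside the block so it runs offline. A real payload, once pulled out of the exe's resource directory with a PE resource tool, is Python 2.7 marshal data and has to be loaded under a 2.7 interpreter.

```python
import marshal
import struct

# Tag py2exe 0.6.x writes at the start of the PYTHONSCRIPT resource
# (struct scriptinfo in py2exe's start.c: tag, optimize, unbuffered, data_bytes, zippath[]).
PY2EXE_MAGIC = 0x78563412
HEADER = struct.Struct("<iiii")


def build_pythonscript_blob(archive_name, code_objects, optimize=0, unbuffered=0):
    """Build a PYTHONSCRIPT-shaped blob; used here only to construct an offline sample."""
    payload = marshal.dumps(code_objects)
    header = HEADER.pack(PY2EXE_MAGIC, optimize, unbuffered, len(payload))
    return header + archive_name.encode("ascii") + b"\x00" + payload


def parse_pythonscript_blob(blob):
    """Split a PYTHONSCRIPT blob into header fields, the library archive name
    (library.dat in the dump above) and the list of marshalled startup code objects."""
    if len(blob) < HEADER.size:
        raise ValueError("blob too short for a py2exe header")
    magic, optimize, unbuffered, data_bytes = HEADER.unpack_from(blob, 0)
    if magic != PY2EXE_MAGIC:
        raise ValueError(f"bad py2exe tag 0x{magic & 0xFFFFFFFF:08x}")
    name_end = blob.index(b"\x00", HEADER.size)        # zippath is NUL-terminated
    archive_name = blob[HEADER.size:name_end].decode("ascii")
    payload = blob[name_end + 1:]
    if len(payload) != data_bytes:
        raise ValueError(f"header promises {data_bytes} code bytes, found {len(payload)}")
    # marshal is interpreter-specific: a genuine py2exe 0.6.9 payload is Python 2.7
    # marshal data and must be loaded with a 2.7 interpreter, not the one running this.
    code_objects = marshal.loads(payload)
    return {
        "optimize": optimize,
        "unbuffered": unbuffered,
        "archive_name": archive_name,
        "scripts": [(c.co_filename, c.co_name) for c in code_objects],
        "code_objects": code_objects,
    }


# Constructed sample standing in for the resource of a py2exe-built exe; the script
# names mirror the boot_common.py / bootstrap_main.py strings seen in the dump.
SAMPLE_SCRIPTS = [
    compile("import sys\nsys.path.insert(0, 'library.dat')\n", "boot_common.py", "exec"),
    compile("import app\napp.main()\n", "bootstrap_main.py", "exec"),
]
SAMPLE_BLOB = build_pythonscript_blob("library.dat", SAMPLE_SCRIPTS)


if __name__ == "__main__":
    info = parse_pythonscript_blob(SAMPLE_BLOB)
    print("archive:", info["archive_name"])
    for filename, name in info["scripts"]:
        print("script:", filename, name)
```

With the code objects in hand, a decompiler for Python 2.7 bytecode recovers the bootstrap logic, and the archive named in the header (library.dat) is an ordinary zip file containing the application's own modules; the _memimporter strings above mean extension modules (zlib.pyd) are loaded from that archive straight into memory rather than written to disk, so disk-based file monitoring will not see them.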
pc-mechanic.exe_2024_rwx_2530A000_000F5000:
-Vh}o