Sample_6c025c909d – Adaware

mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6c025c909d14bf5ec55b5f45e6411902

SHA1: aa74c97bdbf0852f7d4303149239459a0a84b923

SHA256: 6bde167ebaea486ac54d7729c1057151044dd4b522be62f4c136638b71631949

SSDeep: 12288:SSxG0z63smyt888888888888W88888888888Zl IUNr0q5LLQey71mgekpb3DSBe:ZxG8l lr75Xry71BbmOuqCGUVpAt

Size: 1060136 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: Uniblue Systems Limited

Created at: 2013-10-13 11:19:32

Analyzed on: Windows7Ada SP1 64-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

aff_setup.exe:2408
MyPC Backup.exe:880
install.exe:1872
CloudBackup3581.exe:1528
thirdpartyinstaller.exe:3424
vcredist_x64.exe:2348
makecab.exe:2224
TrustedInstaller.exe:3324
pm-standalone-setup.exe:504
pm-standalone-setup.tmp:1440
%original file name%.exe:2944
6c025c909d14bf5ec55b5f45e6411902.tmp:3640
pc-mechanic.exe:4044

The Malware injects its code into the following process(es):

pc-mechanic.exe:3392

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process aff_setup.exe:2408 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff2.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff5.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszA0C3.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff4.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff3.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (491 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\readme.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuA0A3.tmp (10479 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Stuff1.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data3.dat (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszA0C3.tmp\nsisdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data1.dat (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\data2.dat (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszA0C3.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszA0C3.tmp\nsJSON.dll (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CloudBackup3581.exe (22107 bytes)

The process MyPC Backup.exe:880 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (282 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (208 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (471 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (370 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB9ED.tmp (2784 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (430 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db-journal (39970 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_7DD744F73D87EE469E5BC583C31249E2 (471 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (49 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Sync Folder.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (270 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB9EC.tmp (56 bytes)
%Program Files% (x86)\MyPC Backup\log\WAIT_HANDLES.log (540 bytes)
%Program Files% (x86)\MyPC Backup\Database\mpcb_settings.db (3213 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5 (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (56 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (61 bytes)

The process install.exe:1872 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\bf79ab0483c84e397086a4c13a55087f\install.res.1033.dll (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistUI6086.txt (120910 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VWLBF29.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_vcredistMSI6086.txt (202619 bytes)

The process CloudBackup3581.exe:1528 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk (840 bytes)
%Program Files% (x86)\MyPC Backup\x86\SQLite.Interop.dll (5056 bytes)
%Program Files% (x86)\MyPC Backup\Service Start.exe (14 bytes)
%Program Files% (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll (1696 bytes)
%Program Files% (x86)\MyPC Backup\pt_PT.mo (59 bytes)
%Program Files% (x86)\MyPC Backup\Newtonsoft.Json.dll (2559 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x64.dll (2096 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x86.dll (644 bytes)
%Program Files% (x86)\MyPC Backup\SignupWizard.dll (4674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\AccessControl.dll (20 bytes)
%Program Files% (x86)\MyPC Backup\System.Data.SQLite.DLL (2809 bytes)
%Program Files% (x86)\MyPC Backup\Shared Stack.dll (6442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mpbtrk.log (8 bytes)
%Program Files% (x86)\MyPC Backup\PipeDiff.dll (1414 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\nsSCM.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\nsRandom.dll (808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStack.exe (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\NSISdl.dll (30 bytes)
%Program Files% (x86)\MyPC Backup\GetText.dll (12 bytes)
%Program Files% (x86)\MyPC Backup\Configuration Updater.exe (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\nsis7z.dll (6536 bytes)
%Program Files% (x86)\MyPC Backup\NativeHashWrapper.dll (7 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.60.x86.dll (1882 bytes)
%Program Files% (x86)\MyPC Backup\uninst.exe (2301 bytes)
%Program Files% (x86)\MyPC Backup\Updater.exe (1695 bytes)
%Program Files% (x86)\MyPC Backup\MyPC Backup.exe (4808 bytes)
%Program Files% (x86)\MyPC Backup\BackupStackUI.dll (3584 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe (20 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.51.x86.dll (643 bytes)
%Program Files% (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll (1918 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\ObjectListView.dll (3014 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\System.dll (23 bytes)
%Program Files% (x86)\MyPC Backup\mypcbackup.ico (381 bytes)
%Program Files% (x86)\MyPC Backup\AlphaFS.dll (1631 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.52.x64.dll (1303 bytes)
%Program Files% (x86)\MyPC Backup\fr_FR.mo (61 bytes)
%Program Files% (x86)\MyPC Backup\Updater_.dll (1325 bytes)
%Program Files% (x86)\MyPC Backup\Ionic.Zip.dll (3317 bytes)
%Program Files% (x86)\MyPC Backup\syncicon.ico (61 bytes)
%Program Files% (x86)\MyPC Backup\de_DE.mo (60 bytes)
%Program Files% (x86)\MyPC Backup\es_ES.mo (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\DotNetChecker.dll (1597 bytes)
%Program Files% (x86)\MyPC Backup\InstMgr.dll (10 bytes)
%Program Files% (x86)\MyPC Backup\AlphaVSS.Common.dll (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\MyPC Backup\LinqBridge.dll (916 bytes)
%Program Files% (x86)\MyPC Backup\MPCBClient.dll (1596 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe (1856 bytes)
%Program Files% (x86)\MyPC Backup\BplusDotNet.dll (1198 bytes)
%Program Files% (x86)\MyPC Backup\it_IT.mo (57 bytes)
%Program Files% (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\vcredist_x64.exe (323789 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MyPC Backup.7z (268847 bytes)
%Program Files% (x86)\MyPC Backup\UnRegisterExtensions.exe (9 bytes)
%Program Files% (x86)\MyPC Backup\MPCBContextMenu.dll (16984 bytes)
%Program Files% (x86)\MyPC Backup\websocket-sharp.dll (1031 bytes)
%Program Files% (x86)\MyPC Backup\x64\SQLite.Interop.dll (6686 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA563.tmp (16365 bytes)
%Program Files% (x86)\MyPC Backup\Signup Wizard.exe (4132 bytes)

The process thirdpartyinstaller.exe:3424 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (266 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\installer_mypcbackup.log (853 bytes)

The process vcredist_x64.exe:2348 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugCRT.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.ATL.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f (8 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1040.dll (2110 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.DebugMFC.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugOpenMP.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1031.txt (229 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugMFC.cat (236 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1028.txt (3 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.ini (844 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\vc_red.cab (65618 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.CRT.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1041.txt (5 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.3082.dll (989 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs (8 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.exe (13918 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.CRT.cat (630 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.OpenMP.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1042.txt (650 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1033.dll (1452 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.2052.dll (1632 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFCLOC.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1049.txt (13 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\$shtdwn$.req (788 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1028.dll (1130 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.ATL.cat (155 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\vcredist.bmp (5 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.3082.txt (12 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.MFC.cat (658 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\Microsoft.VC90.MFC.cat (9 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.2052.txt (3 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1036.dll (1355 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1031.dll (1160 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1042.dll (1988 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1040.txt (657 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.OpenMP.cat (297 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\vc_red.msi (3176 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1049.dll (1720 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1036.txt (12 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\globdata.ini (1 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\install.res.1041.dll (1126 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\eula.1033.txt (10 bytes)
C:\bf79ab0483c84e397086a4c13a55087f\Program Files(64)\Microsoft Visual Studio 9.0\Vc7\WinSXS\AMD64 catalogs\policy.9.00.Microsoft.VC90.DebugCRT.cat (9 bytes)

The process makecab.exe:2224 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Windows\Temp\cab_2224_6 (8 bytes)
C:\Windows\Temp\cab_2224_4 (564989 bytes)
C:\Windows\Temp\cab_2224_5 (76 bytes)
C:\Windows\Temp\cab_2224_2 (564989 bytes)
C:\Windows\Temp\cab_2224_3 (76 bytes)
C:\Windows\Logs\CBS\CbsPersist_20150130230556.cab (11744 bytes)

The process TrustedInstaller.exe:3324 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (19520 bytes)
C:\Windows\winsxs\Temp\0eb4154fe13cd0013f000000fc0c3808\0eb4154fe13cd00141000000fc0c3808_catalog (21 bytes)
C:\Windows\winsxs\Temp\61d3a54ee13cd00118000000fc0c3808\c134a84ee13cd0011a000000fc0c3808_catalog (21 bytes)
C:\Windows\winsxs\Temp\569c464ee13cd00102000000fc0c3808\569c464ee13cd00103000000fc0c3808_manifest (859 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00131000000fc0c3808_mfc90cht.dll (79 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808 (4 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db1a-917a-11e2-9ef7-000c29a8bd90}.TMContainer00000000000000000002.regtrans-ms (28680 bytes)
C:\Windows\winsxs\Temp\63deb84ee13cd0011e000000fc0c3808\63deb84ee13cd00120000000fc0c3808_mfcm90.dll (670 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00137000000fc0c3808_mfc90ita.dll (129 bytes)
C:\Windows\winsxs\Temp\569c464ee13cd00102000000fc0c3808\569c464ee13cd00105000000fc0c3808_catalog (21 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00133000000fc0c3808_mfc90esp.dll (130 bytes)
C:\Windows\winsxs\Temp\63deb84ee13cd0011e000000fc0c3808\63deb84ee13cd00121000000fc0c3808_mfc90u.dll (38780 bytes)
C:\Windows\winsxs\Temp\0eb4154fe13cd0013f000000fc0c3808 (4 bytes)
C:\Windows\System32 (824 bytes)
C:\Windows\winsxs\Temp\b268394fe13cd0014c000000fc0c3808\b268394fe13cd0014e000000fc0c3808_catalog (22 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\ca60f44ee13cd00130000000fc0c3808_mfc90chs.dll (78 bytes)
C:\Windows\System32\config\SOFTWARE (63648 bytes)
C:\Windows\System32\config\COMPONENTS (202636 bytes)
C:\Windows\winsxs\Temp\3ea48b4ee13cd0010f000000fc0c3808\3ea48b4ee13cd00111000000fc0c3808_msvcr90.dll (4811 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\569c464ee13cd00102000000fc0c3808 (4 bytes)
C:\Windows\Logs\CBS\CBS.log (86767 bytes)
C:\Windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin (4409 bytes)
C:\Windows\winsxs\Temp\61d3a54ee13cd00118000000fc0c3808 (4 bytes)
C:\Windows\winsxs\Temp\3ea48b4ee13cd0010f000000fc0c3808\3ea48b4ee13cd00110000000fc0c3808_manifest (5 bytes)
C:\Windows\winsxs\Temp\50fc234fe13cd00145000000fc0c3808 (4 bytes)
C:\Windows\winsxs\Temp\3ea48b4ee13cd0010f000000fc0c3808\3ea48b4ee13cd00112000000fc0c3808_msvcp90.dll (7701 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (77937 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\winsxs\Temp\9cfa7a4ee13cd00109000000fc0c3808\9cfa7a4ee13cd0010b000000fc0c3808_catalog (21 bytes)
C:\Windows\winsxs\Temp\b268394fe13cd0014c000000fc0c3808\b268394fe13cd0014d000000fc0c3808_manifest (676 bytes)
C:\Windows\winsxs\Temp\3ea48b4ee13cd0010f000000fc0c3808 (4 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00139000000fc0c3808_mfc90kor.dll (95 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd0013a000000fc0c3808_mfc90rus.dll (127 bytes)
C:\Windows\winsxs\Temp\569c464ee13cd00102000000fc0c3808\569c464ee13cd00104000000fc0c3808_atl90.dll (853 bytes)
C:\Windows\winsxs\Temp\61d3a54ee13cd00118000000fc0c3808\61d3a54ee13cd00119000000fc0c3808_manifest (760 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00132000000fc0c3808_mfc90esn.dll (130 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (1640 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\ca60f44ee13cd0012f000000fc0c3808_manifest (13 bytes)
C:\Windows\winsxs\Temp\63deb84ee13cd0011e000000fc0c3808\c43fbb4ee13cd00122000000fc0c3808_mfc90.dll (38780 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4395 bytes)
C:\Windows\winsxs\Temp\50fc234fe13cd00145000000fc0c3808\50fc234fe13cd00148000000fc0c3808_catalog (22 bytes)
C:\Windows\winsxs\Temp\63deb84ee13cd0011e000000fc0c3808\63deb84ee13cd0011f000000fc0c3808_manifest (6 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00138000000fc0c3808_mfc90jpn.dll (95 bytes)
C:\Windows\winsxs\Temp\3ea48b4ee13cd0010f000000fc0c3808\3ea48b4ee13cd00113000000fc0c3808_msvcm90.dll (1526 bytes)
C:\Windows\winsxs\Temp\3ea48b4ee13cd0010f000000fc0c3808\3ea48b4ee13cd00114000000fc0c3808_catalog (21 bytes)
C:\Windows\winsxs\Temp\9cfa7a4ee13cd00109000000fc0c3808\9cfa7a4ee13cd0010a000000fc0c3808_manifest (760 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00134000000fc0c3808_mfc90deu.dll (670 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (64960 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (15608 bytes)
C:\Windows\winsxs\Temp\28b7e34ee13cd00128000000fc0c3808 (4 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00136000000fc0c3808_mfc90fra.dll (670 bytes)
C:\Windows\winsxs\Temp\28b7e34ee13cd00128000000fc0c3808\28b7e34ee13cd0012a000000fc0c3808_catalog (21 bytes)
C:\Windows\winsxs\Temp\63deb84ee13cd0011e000000fc0c3808\24a1bd4ee13cd00124000000fc0c3808_catalog (21 bytes)
C:\Windows\System32\config\SYSTEM (3345 bytes)
C:\Windows\System32\config\COMPONENTS.LOG1 (191164 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd0013b000000fc0c3808_catalog (21 bytes)
C:\Windows\winsxs\Temp\50fc234fe13cd00145000000fc0c3808\50fc234fe13cd00147000000fc0c3808_vcomp90.dll (120 bytes)
C:\Windows\winsxs\Temp\50fc234fe13cd00145000000fc0c3808\50fc234fe13cd00146000000fc0c3808_manifest (864 bytes)
C:\Windows\winsxs\Temp\63deb84ee13cd0011e000000fc0c3808 (4 bytes)
C:\Windows\winsxs\Temp\0eb4154fe13cd0013f000000fc0c3808\0eb4154fe13cd00140000000fc0c3808_manifest (766 bytes)
C:\Windows\winsxs\Temp\b268394fe13cd0014c000000fc0c3808 (4 bytes)
C:\Windows\winsxs\Temp\ca60f44ee13cd0012e000000fc0c3808\2ac2f64ee13cd00135000000fc0c3808_mfc90enu.dll (113 bytes)
C:\Windows (288 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (8230 bytes)
C:\Windows\System32\config (592 bytes)
C:\Windows\winsxs\Temp\28b7e34ee13cd00128000000fc0c3808\28b7e34ee13cd00129000000fc0c3808_manifest (760 bytes)
C:\Windows\winsxs\Temp\63deb84ee13cd0011e000000fc0c3808\c43fbb4ee13cd00123000000fc0c3808_mfcm90u.dll (670 bytes)
C:\Windows\winsxs\Temp\9cfa7a4ee13cd00109000000fc0c3808 (4 bytes)

The process pm-standalone-setup.exe:504 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TA980.tmp\pm-standalone-setup.tmp (50 bytes)

The process pm-standalone-setup.tmp:1440 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-IBQ5C.tmp (112 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-1GEN8.tmp (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L767M.tmp\windows8_with_innovation.bmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.dat (30302 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-N9PL0.tmp (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L767M.tmp\license.en.rtf (26 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-5ICMG.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\es\LC_MESSAGES\is-QJ2BK.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-DA0NO.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-DKOGT.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L767M.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-55FN0.tmp (3361 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\da\LC_MESSAGES\is-5L243.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-VFP0C.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-A3B01.tmp (1281 bytes)
C:\Users\Public\Desktop\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-BKC34.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\sv\LC_MESSAGES\is-3Q6ED.tmp (601 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-C9T7Q.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-1LTQ0.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-01-31 #002.txt (459835 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-K23KM.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-PSFT7.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-DR3V7.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC-Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fr\LC_MESSAGES\is-B51D6.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\pt_BR\LC_MESSAGES\is-9QQL9.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-FT8MB.tmp (28498 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-IT2DN.tmp (10 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-BO9N4.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L767M.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\nl\LC_MESSAGES\is-E6RTB.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L767M.tmp\printer.bmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe (49 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-UV01E.tmp (35285 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\de\LC_MESSAGES\is-URG36.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-MHV0A.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-0R0I5.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.msg (646 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Microsoft.VC90.CRT\is-NNP27.tmp (524 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locales\is-N7MHM.tmp (4 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\en\LC_MESSAGES\is-8B81S.tmp (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L767M.tmp\InstallerExtensions.dll (715 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-56JFR.tmp (13 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ja\LC_MESSAGES\is-6HRBP.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-4LT1Q.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-N1BQ0.tmp (1281 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-ULURG.tmp (107054 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-MV9VQ.tmp (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\ru\LC_MESSAGES\is-MC22J.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\no\LC_MESSAGES\is-8OV7F.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-5V5K2.tmp (75544 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-TNEM0.tmp (19686 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\it\LC_MESSAGES\is-T8LQT.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\fonts\is-F9HHB.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-L767M.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\locale\fi\LC_MESSAGES\is-QFQDG.tmp (601 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\is-4B0N8.tmp (197872 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe (291 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue\PC Mechanic\Uninstall PC Mechanic.lnk (1 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\Third-party Terms\is-R5JFE.tmp (1 bytes)

The process %original file name%.exe:2944 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-P6RBB.tmp\6c025c909d14bf5ec55b5f45e6411902.tmp (50 bytes)

The process 6c025c909d14bf5ec55b5f45e6411902.tmp:3640 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\pcmechanicpm-standalone-setup[1].exe (1571123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Uniblue\Offers\aff_setup.exe (9242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\aff_setup[1].exe (33950 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\thirdpartyinstaller.exe (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\pm_logo.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\pm-standalone-setup.exe (115616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\license.en.rtf (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\backupmypc_logo.bmp (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\printer.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\InstallerExtensions.dll (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\_isetup\_setup64.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\microsoft_partner.bmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\banner_icon.bmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\backupmypc_check_mark.bmp (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup Log 2015-01-31 #001.txt (21109 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GM70U.tmp\windows8_with_innovation.bmp (601 bytes)

The process pc-mechanic.exe:4044 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\Uniblue\PC-Mechanic\icudt.dll (2183 bytes)
C:\Windows\Tasks\PC-Mechanic Startup.job (684 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\settings.dat (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (5943 bytes)
%Program Files% (x86)\Uniblue\PC-Mechanic\libcef.dll (10562 bytes)
C:\Windows\Tasks\PC-Mechanic Maintenance.job (702 bytes)
C:\Windows\Tasks\PC-Mechanic Subscription.job (702 bytes)

The process pc-mechanic.exe:3392 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uniblue\PC-Mechanic\error.log (7539 bytes)

Registry activity

The process MyPC Backup.exe:880 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process CloudBackup3581.exe:1528 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.15, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoA564.tmp\nsSCM.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayName" = "MyPC Backup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayVersion" = ""
"URLInfoAbout" = "http://www.mypcbackup.com"
"Publisher" = "JDi Backup Ltd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"DisplayIcon" = "%Program Files% (x86)\MyPC Backup\MyPC Backup.exe"
"UninstallString" = "%Program Files% (x86)\MyPC Backup\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MyPC Backup]
"(Default)" = "%Program Files% (x86)\MyPC Backup\BackupStack.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup]
"HelpLink" = "http://support.mypcbackup.com"

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process TrustedInstaller.exe:3324 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\COMPONENTS\CanonicalData\Catalogs\333c3c8a825eb46b5db7da4db82125807c7afa0591882445f186c767af2ac85e]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90u.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"S1H" = "14 AA 6E 76 31 91 54 C4 03 11 34 8A 36 B3 FF AB"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 0F 8E 52 01 4B 08 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"c!policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"MCP_c22d037d" = "00 00 00 00 5A 96 52 01 4B 08 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 2E 00 64 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 B9 C8 52 01 CE 04 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90kor.dll" = "4D 00 46 00 43 00 39 00 30 00 4B 00 4F 00 52 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 00 F9 52 01 E0 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
"atl90.dll" = "41 54 4C 39 30 2E 64 6C 6C"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"CatalogThumbprint" = "fe0fac4e315b16deed38f335d82d54236d1dddb87577f2cadc062421a1e828a3eÃƒË†Ã‚Â"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"S256H" = "24 BE B9 75 C2 7B 1D 95 FD D4 FE 4E 13 54 0E 21"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 98 E5 52 01 68 13 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"S1H" = "38 09 81 95 0B 31 B2 00 22 13 37 FF CF FB FF 41"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"CT" = "36 00 64 00 63 00 31 00 62 00 39 00 63 00 33 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"S1H" = "FE 8C 92 2C 75 1D 5B CC FB 3B D3 CB 22 A9 B8 23"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 87 B0 52 01 C6 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"S1H" = "AE 6F 51 9A C7 46 73 82 69 39 92 25 65 46 09 57"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90chs.dll" = "4D 46 43 39 30 43 48 53 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfc90u.dll" = "6D 00 66 00 63 00 39 00 30 00 75 00 2E 00 64 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcm90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"S1H" = "76 C9 DC 05 BC 6B 6B 4C A3 FA EB 6F 47 42 95 CE"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\CanonicalData\Catalogs\6dc1b9c301d48eb965f7f4cee06ac63e7207040bfa6101252e8cea08a0855d4e]
"c!microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 A5 9E 52 01 3E 08 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"CatalogThumbprint" = "333c3c8a825eb46b5db7da4db82125807c7afa0591882445f186c767af2ac85e"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"S256H" = "26 93 44 15 5C 4C F6 E2 AE DE 35 F5 1F 79 11 C0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"CatalogThumbprint" = "cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322AÃƒË†Ã‚Â"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 24 08 53 01 6C 05 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90enu.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 4E 00 55 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"
"CatalogThumbprint" = "522ed40176b2323ddf1104a8cafa128db5f21bbac59aaf6b48e59ac154a036f7"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 59 D2 52 01 3F 13 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 42 89 52 01 CD 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"S1H" = "E4 EC 8B 0B 75 55 36 62 51 1D 04 0E 86 AD 97 AC"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\CanonicalData\Catalogs\fe0fac4e315b16deed38f335d82d54236d1dddb87577f2cadc062421a1e828a3]
"c!policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90fra.dll" = "4D 00 46 00 43 00 39 00 30 00 46 00 52 00 41 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 87 CD 52 01 D2 04 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90rus.dll" = "4D 00 46 00 43 00 39 00 30 00 52 00 55 00 53 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7d]
"c!microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"MCP_c22d037d" = "00 00 00 00 90 0D 53 01 8F 04 00 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 1F 12 53 01 D6 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 74 84 52 01 CE 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"S1H" = "EF 36 D4 10 E0 A9 EA 70 90 91 65 79 2A 07 E7 18"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 E3 A6 52 01 D4 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
"vcomp90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)]
"UtilizedSpace_MCP_c22d037d" = "F7 22 52 01 00 00 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"c!microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"CT" = "64 00 32 00 63 00 61 00 38 00 66 00 33 00 35 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bba]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\CanonicalData\Catalogs\522ed40176b2323ddf1104a8cafa128db5f21bbac59aaf6b48e59ac154a036f7]
"c!policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"S1H" = "83 EB 34 D7 CE D2 B9 DC 71 DB B8 49 AA 21 EA 78"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"S256H" = "69 55 F7 F5 CC 99 69 B8 69 B9 90 86 6D B9 02 DA"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90fra.dll" = "4D 46 43 39 30 46 52 41 2E 44 4C 4C"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"c!policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"CT" = "30 00 32 00 34 00 34 00 65 00 61 00 63 00 36 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_3a15284abf58447e]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"CatalogThumbprint" = "95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90ÃƒÂ¬Ã¢â€šÂ¬Ã¢â€šÂ¬ÃƒË†Ã‚Â"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"c!microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.30729.4148]
"S1H" = "DD 16 14 4C C5 08 00 43 4F CC B2 B6 FE 9C 3F 5E"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"S1H" = "AA 99 E7 4A 4B C1 C0 3A D2 57 8D E2 4A 0B 3A 42"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"
"S256H" = "6C E2 C2 01 E1 39 B8 B7 FD D6 B0 15 1A D0 20 DB"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"MCP_c22d037d" = "00 00 00 00 B3 02 53 01 71 05 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"S1H" = "23 CA 6B 65 00 D5 28 6A FC B4 CD 40 F3 13 09 16"
"sf" = "2"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"S256H" = "34 66 B6 B0 1E 23 20 74 33 3A E8 90 DE BA 8F D9"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esn.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 4E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"f!atl90.dll" = "41 00 54 00 4C 00 39 00 30 00 2E 00 64 00 6C 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633]
"CatalogThumbprint" = "4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343ÃƒË†Ã‚Â"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 9F 79 52 01 6B 05 00 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4940]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_39e222e84b9e7e6f]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfc90.dll" = "6D 00 66 00 63 00 39 00 30 00 2E 00 64 00 6C 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Catalogs\d2ca8f3588969dd145bf8b1a7124f0754cebffde0e20d205e2e767ee4bf69d2a]
"c!policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"S1H" = "59 FC 44 3F E4 A9 36 69 AC E0 F5 9F A7 98 6B C9"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcr90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 FC BE 52 01 BD 09 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"MCP_c22d037d" = "00 00 00 00 B7 AB 52 01 D0 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90enu.dll" = "4D 46 43 39 30 45 4E 55 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90jpn.dll" = "4D 00 46 00 43 00 39 00 30 00 4A 00 50 00 4E 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"CT" = "39 00 35 00 63 00 65 00 30 00 36 00 33 00 38 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\9.0]
"9.0.21022.8" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"c!microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"c!policy.9.0...ft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_3624aa14c1dce505" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90deu.dll" = "4D 00 46 00 43 00 39 00 30 00 44 00 45 00 55 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"sf" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcp90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_92995f253c01eddb]
"CatalogThumbprint" = "6dc1b9c301d48eb965f7f4cee06ac63e7207040bfa6101252e8cea08a0855d4eÃƒË†Ã‚Â"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.4148]
"S1H" = "4F C7 D7 36 AD BC B2 7C 10 86 7E 21 90 BD D1 34"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"CT" = "34 00 63 00 34 00 31 00 39 00 37 00 31 00 63 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"(Default)" = "6"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"S1H" = "DA 6E 20 D5 AE 2F 76 AF 71 19 31 70 48 42 36 52"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"sf" = "1"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll" = "4D 46 43 39 30 4B 4F 52 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1]
"CT" = "61 00 38 00 30 00 39 00 35 00 65 00 66 00 65 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.1]
"CT" = "63 00 63 00 37 00 30 00 61 00 38 00 36 00 31 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"sf" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PublisherPolicyChangeTime" = "Type: REG_QWORD, Length: 8"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 E0 FD 52 01 D3 04 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\v!9.0.30729.1]
"S1H" = "E6 CA F0 F6 A2 0D C9 9F 62 27 42 55 D7 B2 1B 34"
"CT" = "66 00 65 00 30 00 66 00 61 00 63 00 34 00 65 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\v!9.0.30729.1]
"CT" = "35 00 32 00 32 00 65 00 64 00 34 00 30 00 31 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcm90.dll" = "6D 00 73 00 76 00 63 00 6D 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2015/1/30:23:5:57.167 6.1.7601.17592 (win7sp1_gdr.110408-1631)"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.1]
"S1H" = "64 21 A7 13 7F 81 51 EC C9 C6 32 1F CB 89 4E ED"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_a5325551f9d85633]
"f!vcomp90.dll" = "76 00 63 00 6F 00 6D 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90esp.dll" = "4D 00 46 00 43 00 39 00 30 00 45 00 53 00 50 00"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"CatalogThumbprint" = "a8095efeef7cae736f55a416d69c2b12e250b764bbf39505a3456a6903d27c7dÃƒâ€¹Ã¢â‚¬Â¢ÃƒË†Ã‚Â"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"S1H" = "CC E5 48 A1 81 09 83 7C D5 26 1A F8 35 AB 54 9D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esp.dll" = "4D 46 43 39 30 45 53 50 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"S1H" = "74 EA A7 88 4B 21 D7 1F 33 34 94 89 89 7C 0A F6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90ita.dll" = "4D 00 46 00 43 00 39 00 30 00 49 00 54 00 41 00"

[HKLM\COMPONENTS\CanonicalData\Catalogs\95ce0638280a2ff1d3cb1be6be97e25e47ff2be6f7c987e85530957c3751bf90]
"c!microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_951ab4128654b0c9" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"(Default)" = "6"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90cht.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 54 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll" = "4D 46 43 39 30 45 53 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcp90.dll" = "6D 00 73 00 76 00 63 00 70 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"c!policy.9.0...vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_330b958c9268999d" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097\v!9.0.30729.4148]
"S1H" = "80 93 28 44 A9 44 70 27 55 3E C3 07 5D F5 63 DF"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088\9.0]
"9.0.30729.1" = "01"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4940]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Catalogs\4c41971c13d332f75376e357800f14c8671cabe1762b1395ecb015bdaebe1343]
"c!microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_a5325551f9d85633" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS]
"StoreDirty" = "01"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\v!9.0.30729.4148]
"S1H" = "31 95 AA CA BF 6A 85 7B 8A 02 CC 29 B3 F8 BA 35"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1]
"MCP_c22d037d" = "00 00 00 00 4D B5 52 01 AF 09 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8]
"(Default)" = "10"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"S256H" = "08 8C D1 14 A3 5A A0 03 0F 8A C8 09 40 2C 7C 22"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"CT" = "33 00 33 00 33 00 63 00 33 00 63 00 38 00 61 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"Identity" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1]
"(Default)" = "10"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_3a15284abf58447e]
"CatalogThumbprint" = "d2ca8f3588969dd145bf8b1a7124f0754cebffde0e20d205e2e767ee4bf69d2a"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll" = "4D 46 43 39 30 4A 50 4E 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_3624aa14c1dce505]
"S256H" = "8D C0 05 84 25 4A F1 6C 47 CA 9C 96 C9 44 75 51"

[HKLM\COMPONENTS]
"ExecutionState" = "2"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"MCP_c22d037d" = "00 00 00 00 0A 7F 52 01 6A 05 00 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"ClosureFlags" = "3"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_330b958c9268999d]
"S256H" = "FE AE 5D B0 21 40 AA 1D 6C CD 8E EF 81 27 94 DF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_9aefdaaa829eb818]
"S256H" = "EB E1 76 88 C7 DC EA 0B F8 87 58 62 C8 C7 2A 58"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll" = "4D 46 43 39 30 52 55 53 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.4148]
"(Default)" = "10"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"AppID" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 41"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll" = "4D 46 43 39 30 44 45 55 2E 44 4C 4C"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"Identity" = "4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 43"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_99b61f5e8371c1d4]
"i!SIAW_" = "00 00 00 00 1F 00 00 00 43 3A 5C 57 69 6E 64 6F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee\9.0]
"9.0.30729.1" = "01"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4]
"f!msvcr90.dll" = "6D 00 73 00 76 00 63 00 72 00 39 00 30 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"S1H" = "9E 2C 9A 79 1D 8E C7 78 4A 73 08 8C 2E 1E AF C1"

[HKLM\COMPONENTS\DerivedData\Components\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_39e222e84b9e7e6f]
"S256H" = "0E DF 78 65 CB 6E 59 40 E6 8D 63 1A FE E7 83 B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\9.0]
"9.0.21022.8" = "01"

[HKLM\COMPONENTS\CanonicalData\Catalogs\cc70a861e6263ece8ebd924aed1f90031fe1c199ab22cd0f7c7f0a2558cd9322]
"c!policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822" = "Type: REG_BINARY, Length: 0"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.4148]
"S1H" = "E3 17 DA F8 C4 AE B9 52 16 AF B2 EE 85 45 57 D7"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f\v!9.0.21022.8]
"sf" = "1"

[HKLM\COMPONENTS\CanonicalData\Deployments\microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_9aefdaaa829eb818]
"CatalogThumbprint" = "0244eac606f513cdc5623c418d394dd7fdcf005174c9136143ffd57e370c8bba4ÃƒË†Ã‚Â"

[HKLM\COMPONENTS\CanonicalData\Deployments\policy.9.0...ft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_3da38fdebd0e6822]
"AppID" = "70 6F 6C 69 63 79 2E 39 2E 30 2E 4D 69 63 72 6F"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_92995f253c01eddb]
"f!mfc90chs.dll" = "4D 00 46 00 43 00 39 00 30 00 43 00 48 00 53 00"

[HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_951ab4128654b0c9]
"f!mfcm90u.dll" = "6D 00 66 00 63 00 6D 00 39 00 30 00 75 00 2E 00"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll" = "4D 46 43 39 30 43 48 54 2E 44 4C 4C"
"mfc90ita.dll" = "4D 46 43 39 30 49 54 41 2E 44 4C 4C"

The Malware deletes the following registry key(s):

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]

The Malware deletes the following value(s) in system registry:

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90fra.dll"
"mfc90esp.dll"

[HKLM\COMPONENTS]
"PoqexecFailure"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_bbd99e435df8a088]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90rus.dll"
"mfc90enu.dll"

[HKLM\COMPONENTS]
"PendingXmlIdentifier"
"LastScavengeFlags"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_1eef21b42ca2596f]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90esn.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809\v!9.0.21022.8\UnstagedFiles]
"vcomp90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_bb797aeb5e404097]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90u.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d\v!9.0.30729.1\UnstagedFiles]
"atl90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcr90.dll"
"msvcp90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90jpn.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_none_a268ec259de3174d]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90chs.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471\v!9.0.30729.1\UnstagedFiles]
"msvcm90.dll"

[HKLM\COMPONENTS]
"RepairTransactionPended"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90kor.dll"

[HKLM\COMPONENTS]
"LastScavengeCookie"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90deu.dll"

[HKLM\COMPONENTS]
"ExecutionState"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_bb22ca2f5e815913]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfc90u.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_399d052615c6abee]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS]
"StoreDirty"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_none_a2f75f3b9d7989e4\v!9.0.30729.1\UnstagedFiles]
"mfcm90.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90cht.dll"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_none_ba5d016b21242809]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_none_a28692199dcba471]
"SomeUnparsedVersionsExist"

[HKLM\COMPONENTS\DerivedData\VersionedIndex\6.1.7601.17592 (win7sp1_gdr.110408-1631)\ComponentFamilies\amd64_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_none_f0ee8071fb10f4e2\v!9.0.30729.1\UnstagedFiles]
"mfc90ita.dll"

The process pm-standalone-setup.tmp:1440 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Icon Group" = "Uniblue\PC Mechanic"

[HKCR\pc-mechanic]
"URL Protocol" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"NoModify" = "1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"EstimatedSize" = "60952"
"InstallDate" = "20150131"
"Comments" = "Uninstall PC Mechanic"
"MinorVersion" = "0"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"EcommercePlatform" = "cleverbridge"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)" = "pc-mechanic.exe,1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Selected Tasks" = "desktopicon,quicklaunchicon"
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Deselected Tasks" = ""

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstalledLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"QuietUninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe /SILENT"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl" = "http://www.uniblue.com/cm/afterdownload/pcmechanicpm/cast-de-01/purchase/"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"URLUpdateInfo" = "http://uniblue.com/software/pcmechanicpm/updates/"
"UninstallString" = "%Program Files% (x86)\Uniblue\PC-Mechanic\unins000.exe"

[HKCR\pc-mechanic]
"(Default)" = "URL:PC-Mechanic Protocol"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"MajorVersion" = "1"
"DisplayName" = "PC Mechanic"
"Publisher" = "Uniblue Systems Limited"
"HelpLink" = "http://www.uniblue.com/support/manuals/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallDate" = "2015-01-31"

[HKCR\pc-mechanic\shell\open\command]
"(Default)" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe --serial=%1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: Setup Version" = "5.5.4 (u)"
"DisplayIcon" = "%Program Files% (x86)\Uniblue\PC-Mechanic\pc-mechanic.exe"
"InstallLocation" = "%Program Files% (x86)\Uniblue\PC-Mechanic\"
"DisplayVersion" = "1.0.3.2"
"URLInfoAbout" = "http://www.uniblue.com/support/"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"lang" = "en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F88FC5D-4D46-448A-AF59-7061FFC6ABBF}_is1]
"Inno Setup: App Path" = "%Program Files% (x86)\Uniblue\PC-Mechanic"

The Malware deletes the following value(s) in system registry:

[HKCR\pc-mechanic]
"URL Protocol"

[HKCR\pc-mechanic\DefaultIcon]
"(Default)"

[HKCR\pc-mechanic]
"(Default)"

[HKCR\pc-mechanic\shell\open\command]
"(Default)"

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"PurchaseUrl"
"InstalledLocation"

The process 6c025c909d14bf5ec55b5f45e6411902.tmp:3640 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "9D 31 BE 43 E1 3C D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"InstallerBuiltWithOffers" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "9D 31 BE 43 E1 3C D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "9D 31 BE 43 E1 3C D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process pc-mechanic.exe:4044 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Uniblue\PC-Mechanic]
"IsRegistered" = "0"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process" = "%Program Files%\VMware\VMware Tools\vmtoolsd.exe -n vmusr"

"VMware Tools" = "%Program Files%\VMware\VMware Tools\VMwareTray.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM" = "%Program Files% (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"Adobe Reader Speed Launcher" = "%Program Files% (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched" = "%Program Files% (x86)\Common Files\Java\Java Update\jusched.exe"

The process pc-mechanic.exe:3392 makes changes in the system registry.